gitlab.com/gitlab-org/gitlab-foss.git - Unnamed repository; edit this file 'description' to name the repository.
Diffstat (limited to 'data/deprecations/15-9-JWT-OIDC.yml')
-rw-r--r-- data/deprecations/15-9-JWT-OIDC.yml | 60
1 files changed, 30 insertions, 30 deletions
diff --git a/data/deprecations/15-9-JWT-OIDC.yml b/data/deprecations/15-9-JWT-OIDC.yml
index e924d698bc5..48e1b862032 100644
--- a/data/deprecations/15-9-JWT-OIDC.yml
+++ b/data/deprecations/15-9-JWT-OIDC.yml
@@ -1,42 +1,42 @@
-# This is a template for announcing a feature deprecation or other important planned change.
-#
-# Please refer to the deprecation guidelines to confirm your understanding of GitLab's definitions.
-# https://docs.gitlab.com/ee/development/deprecation_guidelines/#terminology
-#
-# Deprecations and other future breaking changes must be announced at least
-# three releases prior to removal.
-#
-# Breaking changes must happen in a major release.
-#
-# See the OPTIONAL END OF SUPPORT FIELDS section below if an End of Support period also applies.
-#
-# For more information please refer to the handbook documentation here:
-# https://about.gitlab.com/handbook/marketing/blog/release-posts/#deprecations-and-other-planned-breaking-change-announcements
-#
-# Please delete this line and above before submitting your merge request.
-#
-# REQUIRED FIELDS
-#
+---
- title: "Old versions of JSON web tokens are deprecated"
announcement_milestone: "15.9" # (required) The milestone when this feature was first announced as deprecated.
- removal_milestone: "16.0" # (required) The milestone when this feature is planned to be removed
+ removal_milestone: "16.5" # (required) The milestone when this feature is planned to be removed
breaking_change: true # (required) Change to false if this is not a breaking change.
reporter: dhershkovitch # (required) GitLab username of the person reporting the change
stage: Verify # (required) String value of the stage that the feature was created in. e.g., Growth
issue_url: https://gitlab.com/gitlab-org/gitlab/-/issues/366798 # (required) Link to the deprecation issue in GitLab
body: | # (required) Do not modify this line, instead modify the lines below.
- Now that we have released [ID tokens](https://docs.gitlab.com/ee/ci/secrets/id_token_authentication.html)
- with OIDC support, the old JSON web tokens are deprecated and will be removed.
- Both the `CI_JOB_JWT` and `CI_JOB_JWT_V2` tokens, exposed to jobs as predefined variables,
- will no longer be available in GitLab 16.0.
+ [ID tokens](https://docs.gitlab.com/ee/ci/secrets/id_token_authentication.html) with OIDC support
+ were introduced in GitLab 15.7. These tokens are more configurable than the old JSON web tokens (JWTs), are OIDC compliant,
+ and only available in CI/CD jobs that explictly have ID tokens configured.
+ ID tokens are more secure than the old `CI_JOB_JWT*` JSON web tokens which are exposed in every job,
+ and as a result these old JSON web tokens are deprecated:
+
+ - `CI_JOB_JWT`
+ - `CI_JOB_JWT_V1`
+ - `CI_JOB_JWT_V2`
+
+ To prepare for this change, configure your pipelines to use [ID tokens](https://docs.gitlab.com/ee/ci/yaml/index.html#id_tokens)
+ instead of the deprecated tokens. For OIDC compliance, the `iss` claim now uses
+ the fully qualified domain name, for example `https://example.com`, previously
+ introduced with the `CI_JOB_JWT_V2` token.
+
+ In GitLab 15.9 to 15.11, you can [enable the **Limit JSON Web Token (JWT) access**](https://docs.gitlab.com/ee/ci/secrets/id_token_authentication.html#enable-automatic-id-token-authentication)
+ setting, which prevents the old tokens from being exposed to any jobs and enables
+ [ID token authentication for the `secrets:vault` keyword](https://docs.gitlab.com/ee/ci/secrets/id_token_authentication.html#configure-automatic-id-token-authentication).
+
+ In GitLab 16.0 and later:
+
+ - This setting will be removed.
+ - CI/CD jobs that use the `id_tokens` keyword can use ID tokens with `secrets:vault`,
+ and will not have any `CI_JOB_JWT*` tokens available.
+ - Jobs that do not use the `id_tokens` keyword will continue to have the `CI_JOB_JWT*`
+ tokens available until GitLab 16.5.
- To prepare for this change, you should:
+ In GitLab 16.5, the deprecated tokens will be completely removed and will no longer
+ be available in CI/CD jobs.
- - Configure your pipelines to use the fully configurable and more secure
- [`id_token`](https://docs.gitlab.com/ee/ci/yaml/index.html#id_tokens) keyword instead.
- - [Enable the **Limit JSON Web Token (JWT) access**](https://docs.gitlab.com/ee/ci/secrets/id_token_authentication.html#enable-automatic-id-token-authentication)
- setting, which prevents the old tokens from being exposed to any jobs. This setting
- will be permanently enabled for all projects in GitLab 16.0.
#
# If an End of Support period applies, the announcement should be shared with GitLab Support
# in the `#spt_managers` channel in Slack, and mention `@gitlab-com/support` in this MR.
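
Review bot: The "In GitLab 16.0 and later" list in the new body does not say what happens to projects that enabled **Limit JSON Web Token (JWT) access** in 15.9 to 15.11. The setting "will be removed", yet jobs without `id_tokens` "will continue to have the `CI_JOB_JWT*` tokens available until GitLab 16.5", which reads as if the old tokens become exposed again in those projects after the upgrade. Please state explicitly whether that is the case, because a reader who turned the setting on to stop exposure would otherwise assume it still holds. Smaller points in the same body: "explictly" should be "explicitly"; the `iss` sentence calls `https://example.com` a fully qualified domain name although the example is a URL with a scheme, and it would help to say that anything matching on `iss` has to expect the new value; and `CI_JOB_JWT_V1` is newly listed as deprecated without the text saying how it relates to `CI_JOB_JWT`. The added `---` replaces the template comment header, but the trailing `#` End of Support comment lines stay as context, so consider whether they should go as well.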