{"id":21453592,"url":"https://github.com/queil/gitlab-jwt-2-pat","last_synced_at":"2026-05-22T05:16:06.666Z","repository":{"id":107021053,"uuid":"452736394","full_name":"queil/gitlab-jwt-2-pat","owner":"queil","description":"Enables issuing short-lived impersonation tokens for the user authenticated in GitLab CI pipelines","archived":false,"fork":false,"pushed_at":"2023-03-02T17:54:13.000Z","size":45,"stargazers_count":3,"open_issues_count":0,"forks_count":0,"subscribers_count":3,"default_branch":"main","last_synced_at":"2025-01-23T12:46:35.079Z","etag":null,"topics":["gitlab"],"latest_commit_sha":null,"homepage":"","language":"F#","has_issues":true,"has_wiki":null,"has_pages":null,"mirror_url":null,"source_name":null,"license":"apache-2.0","status":null,"scm":"git","pull_requests_enabled":true,"icon_url":"https://github.com/queil.png","metadata":{"files":{"readme":"README.md","changelog":null,"contributing":null,"funding":null,"license":"LICENSE","code_of_conduct":null,"threat_model":null,"audit":null,"citation":null,"codeowners":null,"security":null,"support":null,"governance":null,"roadmap":null,"authors":null,"dei":null,"publiccode":null,"codemeta":null}},"created_at":"2022-01-27T15:27:09.000Z","updated_at":"2023-08-15T06:54:58.000Z","dependencies_parsed_at":null,"dependency_job_id":"dbd0ccb6-9c2f-43ac-a9da-766dc7307d03","html_url":"https://github.com/queil/gitlab-jwt-2-pat","commit_stats":null,"previous_names":[],"tags_count":14,"template":false,"template_full_name":null,"repository_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/queil%2Fgitlab-jwt-2-pat","tags_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/queil%2Fgitlab-jwt-2-pat/tags","releases_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/queil%2Fgitlab-jwt-2-pat/releases","manifests_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/queil%2Fgitlab-jwt-2-pat/manifests","owner_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners/queil"
,"download_url":"https://codeload.github.com/queil/gitlab-jwt-2-pat/tar.gz/refs/heads/main","host":{"name":"GitHub","url":"https://github.com","kind":"github","repositories_count":243965783,"owners_count":20375918,"icon_url":"https://github.com/github.png","version":null,"created_at":"2022-05-30T11:31:42.601Z","updated_at":"2022-07-04T15:15:14.044Z","host_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub","repositories_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories","repository_names_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repository_names","owners_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners"}},"keywords":["gitlab"],"created_at":"2024-11-23T04:40:14.531Z","updated_at":"2026-05-22T05:16:01.628Z","avatar_url":"https://github.com/queil.png","language":"F#","funding_links":[],"categories":[],"sub_categories":[],"readme":"# gitlab-jwt-2-pat\n\nEnables issuing short-lived impersonation tokens for the user authenticated in GitLab CI pipelines (via the `$CI_JOB_JWT`/`$CI_JOB_JWT_V2` token). This makes it possible to run actions like auto-tagging as the original user. GitLab PATs (Personal Access Tokens), including the impersonation tokens, do not support expiration times shorter than a day, so the server tracks all issued tokens and automatically revokes them after the configured time.\n\n[Docker image](https://github.com/queil/gitlab-jwt-2-pat/pkgs/container/gitlab-jwt-2-pat)\n\n## :warning: Warning\n\nThis project is experimental - use at your own risk. Hopefully GitLab will make similar functionality [built-in at some point](https://gitlab.com/groups/gitlab-org/-/epics/3559). Also please note that GitLab's functionality around the JWTs is under active development. 
Search for `CI_JOB_JWT` and `CI_JOB_JWT_V2` in [predefined variables](https://docs.gitlab.com/ee/ci/variables/predefined_variables.html) for more info.\n\n## The basics\n\nThe server exposes two endpoints:\n\n* `/token` - this is the main working endpoint, requiring a standard `Authorization: Bearer your-encoded-token-here` header. The JWT provided in the header gets validated (making sure the token is not expired and comes from a legitimate issuer - i.e. your GitLab instance). :warning: Token audience validation must be turned off (via `JWT__VALIDATE__AUDIENCE=false`) for JWTs issued by GitLab versions \u003c 14.7 because they don't contain the `aud` claim. This is being fixed in `CI_JOB_JWT_V2`, which will become the default in the future, but it is only released as an alpha feature in GitLab 14.7.\n\n* `/health` - an endpoint that can be used for health-checks (e.g. in Kubernetes)\n\n## Example usage in CI\n\n```bash\ngit push https://$GITLAB_USER_LOGIN:$(curl -sS --fail-with-body -H \"Authorization: Bearer $CI_JOB_JWT\" https://gitlab-jtp.example.com/token)@$CI_SERVER_HOST/$CI_PROJECT_PATH.git HEAD:$CI_COMMIT_REF_NAME\n```\n\n## Configuration\n\n* `GITLAB__HOSTNAME` - sets the GitLab instance's hostname\n* `GITLAB__APIKEY` - it needs to be an admin user's PAT so it can issue/revoke impersonation tokens.\n* `GITLAB__SUDOUSERLOGIN` - impersonation tokens can only be issued by an admin user with [sudo](https://docs.gitlab.com/ee/api/#sudo) enabled. It requires the sudo user name to be sent together with the query string.\n\n* `GITLAB__TOKENCONFIG__SCOPES__0` - defines [scopes](https://docs.gitlab.com/ee/api/users.html#create-an-impersonation-token) for the created impersonation token. Multiple values can be specified by repeating this variable with an incremented array index.\n\n* `GITLAB__TOKENCONFIG__REVOKESECONDS` - declares how many seconds after issuance the token should be revoked. 
The value should be quite low (like a few seconds) to improve security. Values greater than 24h won't have any effect, as the impersonation tokens that get issued are only valid until midnight anyway (via setting `expires_at` in [the API call](https://docs.gitlab.com/ee/api/users.html#create-an-impersonation-token)).\n\nJWT settings:\n\n* `JWT__ISSUER` - the JWT's issuer gets validated against the specified value\n* `JWT__AUTHORITY` - used to retrieve OIDC metadata (from `$JWT__AUTHORITY/.well-known/openid-configuration`)\n* `JWT__DEBUG` - if set to true, encoded JWTs get logged to stdout. Also make sure you set `Logging__LogLevel__Default` to `Debug`, otherwise the tokens won't be logged. Default: `false`.\n* `JWT__VALIDATE__AUDIENCE` - needs to be set to false for GitLab versions \u003c 14.7, as the JWT in earlier versions doesn't contain `aud`.\n\nOther settings:\n\n* `ASPNETCORE_URLS` - sets the IP and port for the server (example: `http://*:5000`)\n\n\n### Example config\n\n```bash\nGITLAB__HOSTNAME=https://gitlab.example.com\nGITLAB__SUDOUSERLOGIN=your-token-issuer-user\nGITLAB__TOKENCONFIG__SCOPES__0=write_repository\nGITLAB__TOKENCONFIG__SCOPES__1=api\nGITLAB__TOKENCONFIG__REVOKESECONDS=30\nJWT__ISSUER=gitlab.example.com\nJWT__AUTHORITY=https://gitlab.example.com\nJWT__DEBUG=true\nJWT__VALIDATE__AUDIENCE=false\nCOMPlus_EnableDiagnostics=0\nLogging__LogLevel__Default=Information\nLogging__LogLevel__System=Error\nLogging__LogLevel__Microsoft=Error\nASPNETCORE_URLS=http://*:5000\n```\n\n## Credits\n\n[Johann Gyger](https://gitlab.com/johanngyger) - author of [GiLP](https://gitlab.com/johanngyger/gilp)\n","project_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2Fqueil%2Fgitlab-jwt-2-pat","html_url":"https://awesome.ecosyste.ms/projects/github.com%2Fqueil%2Fgitlab-jwt-2-pat","lists_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2Fqueil%2Fgitlab-jwt-2-pat/lists"}