From YouTube: BE Pairing EMEA/APAC - 2023-08-09
Description
Today we discussed authentication options for remote development and time precision in RSpec tests.
Remote development auth issue: https://gitlab.com/gitlab-org/gitlab/-/issues/421289
MR with time precision issue: https://gitlab.com/gitlab-org/gitlab/-/merge_requests/126530#note_1496791930
B
A
Refresh, let me restart that. So this problem is related to remote development. Remote development is essentially where we are trying to move your development environment away from your local machines to something somewhere running in your cloud, where you don't have to worry about anything. There's a lot of hand-waving in that statement, but that's the gist of it. We recently released a beta version of it somewhere around, I think, May or June, I keep forgetting, where we are only allowing you to create workspaces.
A
Workspaces are term of, say, you know, developer environment, a workspace for a public project, and right now we are working on enabling that for a private project as well, and this is where we are right now. So we've done a spike on it, where everything's working, and we have a spike fully working. The only thing to note over here is we are using personal access tokens scoped to our user, and we are injecting that personal access token into the workspace.
A
So the project is cloned at the start of the workspace, and once you start using the workspace, you can do any operation related to it, because it's just a GitLab token and Git operations automatically work out of the box. I'll share my screen and show you what I mean by that. We've received feedback from quite a few people that we should try to move away from a PAT, primarily because it's a PAT, it's long-lived, you don't want to have a PAT.
A
Can you have something more ephemeral, right? And that's the context, and the benefit of that is obviously additional security. It gives us an opportunity to automatically rotate those credentials every one hour, two hour, and inject those into the workspace again. So just in, because of workspace, a user can install any software inside of workspace, right? So the security profile is more sensitive over there. There can be any malicious program that is leaking that token somehow.
A
So, if we have this way of rotating these secrets every couple of hours, it kind of improves our security profile as well. So that's the context. Before I share my screen and just show you what that looks like, any question so far?
C
I have a very basic question about what remote development is, which is like how, in my mind, remote development and the Web IDE are like the same thing.
A
Yes, so the only difference, from a product perspective you don't want it to be any different. From an engineering perspective, like a product positioning, is that, okay, the remote development is sort of an extension of Web IDE, but from an engineering perspective it's different, because in the Web IDE you cannot run any commands, whereas in remote development you will be able to spin up a terminal, run any commands that you want and anything you want to do, right? And the Web IDE is purely running in the browser as of right now, whereas for a model, I mean, it is not running in the browser.
A
It's, it's consuming some resources somewhere in the cloud. We are basically spinning up a Kubernetes cluster, provisioning pods and everything over there and syncing everything back and everything. So it's consuming some resources somewhere, whereas in Web IDE, it's your own local machine and the browser inside of that.
A
All right, I'll take that as a no. With that, I'll and famously and I'll show you what I mean by all of this, right? So I have my GDK running and everything. I have a private project over here. I've learned the GitLab UI private product made and push it on my GDK. I create a new workspace from, I select the project, I select, before I get into that, let me spend two minutes on what this architecture looks like. That will set some context on, okay, this looks scary. It is not, trust me.
A
This essentially is GitLab, multiple components of GitLab: NGINX, Rails, KAS, Kubernetes agent server, Postgres, Gitaly. This is our Kubernetes cluster, and we already have a component in GitLab called the GitLab agent for Kubernetes.
A
That is like our way of communicating with Kubernetes, and the reason why we need an agent over there is because, and this agent actually communicates over gRPC, and there's a reason for it, is because if the communication was the other way around, from Rails to this agent, we would hit some firewall rules, because the network inside a customer's organization is always usually very strict and blocked. Any incoming traffic has more restrictions than any outgoing traffic.
A
This entire thing works, right? When I do this, when I create a workspace, this is the part I'm working over here, I communicate with GitLab Rails. I say, hi, hey, I need a new workspace, expose it into the Postgres database, and that's the end of that transaction. Now what happens is, after, like at regular intervals, the agent will ping KAS, like, okay, ping KAS, which will forward it to Rails, asking for information: hey, do you have any new information for me? And GitLab Rails will be like, hey, this new,
A
You know, this user has requested a new workspace. These are all the information, go about and create these Kubernetes resources for, for this particular workspace. It will receive that information. It will communicate with the Kubernetes API server and create those Kubernetes resources, and once those resources are created, it will, you know, once they are ready, it will echo back its status, and it will go back its status, but it will get persisted in Postgres, which is reflected to us over here, right? So it is just getting ready.
B
A
Is ready, you can see the status away, right? It is starting right now. I already have a workspace which is already running.
C
A
So when I click that button, what happens is Rails just pushes that information into Postgres and that's the end of it. My agent is constantly pinging KAS: do you have any new information for me, right? And that information request is forwarded to, so KAS is like a thin proxy over here. It essentially goes to Rails. Rails then queries the database: is there any new information? And yes, there is, and it just sends it over to agent. Agent creates those Kubernetes resources, and what it does is,
A
It also keeps a watch inside Kubernetes: what, has the status of these resources changed? If it has changed, okay, in the next poll that I will initiate I will also send over that information. So that information then gets updated into the database, and with that, the status of my workspace has changed to running. If I open this,
A
So what happens when, so what happens when this is spun up, right? The first thing that it does is it actually clones up, clones the repository. This is the Git library private repository that gets cloned, and once it gets cloned, the other parts get started, and once it is fully ready, I get a URL. I browse the URL. We have a VS Code server running and accessible from the browser. Because I have my token injected right now,
A
I can just make any changes over here and, you know, just use this UI to commit and to push.
A
So this is what I have working as far as the spike is concerned. Now this is where the issue that we, I need some help with, which is this one. Right now I'm using personal access tokens. I want to explore ways I can remove that dependency, and some of the feedback that we've got is, can we use some, any form of JWT, right? And I'm sure we can. The thing is, I,
A
Let me say, I am not really a Ruby, Rails engineer, so this is where I'm stuck, and authentication and authorization is not my strong suit. So I know it's possible with JWTs, I just don't know how to go about it. I did some digging around the Rails monolith. I found we have a JWT token class, but I could not get it working, and this is what I need help with.
C
Nice, okay, and one question I had for you: are, you're not on the same team as Tan Lee, are you? Stan Tan? Okay, because there was a feature that I worked on with him, or he really worked on it and I just looked at it, I should say, around JWTs for code suggestions in the web, so he, he had a similar kind of pickle: how do I do authentication? The challenge there was a little bit different.
C
It was less a concern of using a PAT, like a PAT not being secure, right, because it's a long-lived token, it gives you access to more than you probably need for Git operations. In that case, the issue was more, they wanted a self-contained token, because with the JWT it contains information about the user, and you can add claims, right?
A
C
But if somebody revokes it, you don't know that until you make the API request, whereas JWTs are short-lived, which is, I think, one reason why you're interested in using them for this, and so you just, as long as it's valid, you assume that the information contained within it is the right.
A
Yes, and the reason why the JWT is also kind of appealing is because, like you mentioned, you can add some additional metadata to it, right? And let me talk about a utopian future world, right, where I, I'll only allow pushes to this Git repository if it is from within that workspace is, right? And I can maybe inject some of that metadata into that JWT, that this JWT should only be valid if the traffic is coming from within a workspace, and this is the workspace ID. Again, there are a lot of moving pieces.
A
There are a lot of things that we would need to do, but the point being, it opens up a lot of possibilities for us, right? And coming to your, you mentioned about the code suggestion part, right? I actually checked in with Alpha. I think this is the, this probably might be a different one. It's related to suggested reviewers.
A
So yeah, the only difference, this, this is what I, when I spoke with Alpo yesterday, so he in fact pointed me to the same MR. The only difference over here is they are doing this as part of, this is not in the Rails monolith, right? This token, the signing of the JWT and everything. The only thing that's in the Rails monolith is the verification of this token, this endpoint, and what I want is basically the generation of the token as well in the Rails
A
Monolith part. So I, I did, I did not skim through this entire MR, but I figure out it's a little bit different.
D
Yes, see, same as you have some background on it: what's the, the suggested reviewers, there is, is kind of described as being outside of the, the, yeah, the Rails monolith. What, what is it? A completely standalone web app, or? I'm not sure, like I'm familiar with the suggested reviewers kind of top right-hand side sidebar functionality, but I didn't know that it lived somewhere else.
C
Right, not even code, it's, I think this is the suggested reviewers AI feature, so I think that piece is outside and,
C
I think that the endpoint to generate the, the JWT is in the Rails monolith, is my memory.
A
Right, and yes, which class is this, suggested reviewers, yeah? This is the one, right? Yes, so I did check this out. This is, so essentially it just creates the payload for the token, access levels and everything, and the create service, and where is it?
D
There's that, I'm just, just wondering if it, if there's a JWT, maybe always have a personal access token embedded in it, or?
C
Yeah, I believe the, shoot, I'm gonna mess this up if I try to drop them off my head. I do not believe that the JWT always has to have a personal access token associated with it. I also just realized that I was thinking of a slightly different MR from the same author. Interestingly enough, this person loves JWTs.
C
So I can try to take that up. This, the one I was looking for was for code suggestions, not suggested reviewers. They're both AI features, so they're using these external services, and I can update you all. I mean, one question I had is, have you considered, no, this wouldn't work. I was gonna say, have you considered using OAuth as a flow, but you can't use an OAuth token to do a git push.
A
You can, so, okay, we'll have to take a detour a little bit over here. What happens is, before the workspace gets started, right, like now, this will be little bit of Kubernetes, but let me just show you what it will be.
A
Okay, so this is Kubernetes, but essentially there's something called as an init container. That container basically will run before anything else, right? And we have to clone the project as part of the init container itself, and the reason for that is, we cannot have the workspace ready, like the URL is ready and the user opens it up, and then in the background the project is getting cloned, right? Because for a big repository like GitLab, that will probably take five minutes, 10 minutes. That significantly impacts the user experience.
A
We, if we were to not do this as init container and just do the other way around, which I just said, that could have been possible, because I would click this URL over here. This essentially doesn't work, by the way, because I'm already authenticated, it's not showing you.
A
It does that a lot, but we are not storing those, those tokens anywhere over here right now. So one of our ideas was we'll use a PAT for cloning and then the port for other operations, but then I was thinking, if a JWT is possible, right,
A
Why can't I just use a JWT for everywhere, everything, right? Because the JWT can be, the provisioning of the JWT can be controlled from the Rails side completely, whereas if I were to do a PAT plus an OAuth, right, I would need some component inside my Kubernetes cluster, which is GitLab workspaces proxy, which is doing that authentication, to store those secrets into the Kubernetes secrets, and customers are not really happy when some component has access to Kubernetes secrets. They get really touchy about it.
A
So I was just trying to avoid that eventuality. Does that make sense?
A
C
A
So what I was trying to do up till now, right, sorry, I could, I was essentially still trying to play a, play around with this particular thing. Essentially, Jagos was mentioning that, and what you see token is essentially a GitLab JWT token, which has some, those are all the required fields set, and I was just trying to play around with that in the Rails console, but I did not get it working.
A
So maybe, do you think if it would be a good idea to, and I know there's another issue that we have, so a real time boxes to maybe next five minutes or 10 minutes and, well,
C
Mine is not, I added that, all right, if it's just mine, I just added that as like a function, but I feel fine. I feel fine moving forward with just,
D
This, yeah, I think it's an interesting problem, and if you could potentially go back to the Rails console and show us kind of what you were digging with, or, yes.
D
A
No, bear with my almost childish knowledge of Rails over here.
D
So what I'm, I was trying to, I shared a blog post earlier that I haven't really been able to multitask and read it fully, understand if it's relevant, but I'm interested to know which, you know, do any of our API endpoints currently support JWT authentication? Like what, what do we have? I, I think we already have a mechanism to generate a JWT to authenticate with GitLab, but what can that JWT actually be used for? I don't really know, so,
D
You go from there. So if anyone knows anything that we can already do using the JWT, I, I know there's, there's something to do with CI, and hence that blog post as well, but it's probably more for maybe CI to access other systems using their JWTs, maybe, rather than ours. But,
A
Yep, this is what I was trying to do, right, and here we are. So I was just basically doing a general search about JWTs, entire code base, and I did find, which one was this? There are multiple things, to be honest, some of,
A
Some of them don't, none of them make complete sense to me. I figured out there's an inbuilt class called JWT and you need to pass in the payload. So, okay, the payload looks like jti is just a random UID, so that replay attacks cannot happen, iss, who is the issuer, in this case this will be gdk.test, when it was issued at, what is the expiry, and the subject, on whom do we want to issue this token,
A
Who it is related to. All right, so I set that as payload, and eventually I want to set the access level as well, that this project, this token will only be valid for maybe write or write a repository or something like that. I create some secret. What I realized is you need a SSL key for signing the secret. I was not aware of that.
A
I thought a generic random secret would be available, but it looks like that's not the case. So if I, I think this was the one, you know, on this one, give me this one, no.
A
And this is what I figured out from looking at the code. Okay, I need to pass these things, but after the pointer, I just lost a few things, like it's just throwing me, I was like,
A
The secret has to be, what do you say, an RSA instance. I was under the assumption that that is not a requirement, at least for JWT. You can sign from any secret.
C
But I think the issue is that we're using, so there's like a well-known OpenID configuration endpoint, I'm gonna put it in the chat, and that is, or that is for our existing OpenID Connect integrations, and so when this new JWT behavior was built, they kind of piggybacked on top of our existing OIDC logic, and they were like, okay, we'll just use like the signing key that we already have, or the, the JWK that we already have, so I believe that is why that is in that way.
A
Yeah, because this is the same key that we are using for encrypting our secrets when we store it into the database under encrypted. So again, that's what I thought, so I just deleted random call, but yeah, I'm, yeah. This, I become a helpless person after this point.
C
Not really hand-rolling it, because you're using an existing library in our code base, but you're looking at the code and saying, oh, we have this library that makes, makes it possible to make a JWT, let me see if I can create one, which might be the route you end up going. That is the route that they went for code suggestions, because they didn't want to use OAuth. There was a very specific reason they couldn't use OAuth.
C
In that scenario, I can't even remember what it is at this point. If you did want to piggyback on OAuth, this would be a lot easier, because we already have the ability for GitLab to be an OIDC provider. So somebody goes to the, the OAuth flow, but you get back a JWT with that flow, and that JWT includes the information that you want.
C
You know, investigate what's broken here, and so I do somewhere have like very beginner-friendly instructions, because I wrote them for myself, on how to set up OIDC plus OAuth at GitLab. I hope that I put that in the documentation somewhere, but I, I might not have. So anyways, I don't want to spend too much time digging for that. But I can help you with that after this.
C
I think what we could do, if you wanted to just figure this out in real time together, is we could follow the documentation for GitLab as an OpenID Connect provider and try to set it up either with your GDK or with just, you know, gitlab.com or staging.gitlab.com, and play around with it that way. I,
A
Already have an OIDC set up, because over here, right, this is the one you're talking about, so yeah. The reason why we have it set up is because, like I was mentioning, that when the traffic comes to GitLab workspaces proxy, it will first authenticate and authorize with GitLab, whether it's valid or not. So it does an OAuth redirect to GitLab, and so what we do is, when setting up remote development, we first create an OAuth application, and the client ID and the client secret is passed to GitLab.
A
C
Yeah, I think, yeah, we'll have to see if you can, I can't remember which attribute you have to set in order for an OAuth app to request, I think there might just be like a specific scope you need. Oh, it's, I think it's profile, yeah, it's a profile. You already have that, and openid, okay. So when you get back the response from that flow, I think you should be able to fill out the JWT.
A
C
Can you rephrase them? So you're saying in GitLab workspaces proxy you would have the OAuth access token in JWT, but you need it somewhere else. I,
A
It's firstly, for the traffic to reach over here, the works, the user has to browse the URL of the workspace. For the URL to be available to the user, the workspace needs to be running, in a running state. For it to be in a running state, the project needs to be cloned. For the project needs to be cloned, we need a token.
C
A
If I, yeah, so maybe in the Rails code base itself I do a redirect and to get the token from there, like as part of my code base, right? Let me show you what I mean by that.
A
Over here, I'm creating a personal access token, right? I'm thinking, should I just do an OAuth redirect and try to fetch a token over here instead of creating a personal access token? That should work, right, technically?
D
A
Sense, but wouldn't the user have to, can I be, because the complication, like if GitLab is the issuing authority, I think we can still work around with it, because otherwise user needs to explicitly authorize, okay, you can, they can have the token, right? But if someone else is the issuing authority, let's say GitHub or Google, then I, I don't think that would be that, like how do,
C
No, I think you are being clear. I'm, I'm just pausing, because I'm thinking about how we would do that. I mean, we have access to all of the lib, the OAuth library code in the Rails, like we are the identity provider and GitLab Rails, and we have all the OAuth codes. So I can't think of a reason why we couldn't just generate the token within GitLab Rails and like give it to ourselves, right?
D
Yeah, that, that's kind of what I'm feeling. We're the ones that have added this, what we can call it, like wall or protection or, or a kind of process that involves kind of redirecting and authenticating, but yeah, it seems like we should be able to, to kind of just skip that step and, and go directly to the, the bit that we need.
C
D
C
Guessing that one thing that's probably been confusing as you've looked at this is that not all of our OAuth code lives in our code base. We depend on a lot of external libraries for our authorization and authentication code, and I find that really confusing, and I work on it every day. I'm sure it's really confusing if you don't work it any day, even more so, like, like what needs to be invoked exactly to create an OAuth access token? Like we can do that, it's just a matter of figuring out which library is doing it.
A
And I'm looking at it from someone who's, of who's, like who's mainly working code, right, on it. What is this? What's going on? I have no idea, right? I barely, I, I can only understand the syntax to a certain extent. After that, like, okay, I need to do some more research about this. Okay, how do we want to proceed over here? Should we then drop that OAuth idea and just dig into the trenches of is issuing the token directly, or?
C
I guess one question I have is, how do we know that we trust the, you, like how do we know which user is making a request to trust them?
A
So each user is, has a one-to-one mapping with, I, I mean each workspace has a one-to-one mapping with a user each. So there's a one-to-one mapping between a workspace and a user, one-to-one mapping between the workspace and the project from which that workspace was created. This might change in the future, but we have a one-to-one mapping over there. So if you were to access this URL right now, if someone were to access this URL, they will not be able to get it, because what happens is, when you access this URL,
A
It goes from here to the load balancer. It reaches Kubernetes. From the ingress controller, it reaches GitLab workspace proxy. It will do auth redirect, it will get back, okay, it will authenticate you, and as part of authorization it will check, does this user has access to this particular workspace? It gets the name of this workspace from the URL of the workspace itself.
A
If you look at the URL, this is the name of the workspace itself, so it will do that authorization check and it will fail over there, so you will not be able to access it. So if any traffic that is coming from this instance will be from the user itself, as from the authenticated user, because for me to access it, I'm first authenticated and authorized. That is from within the workspace. From outside the workspace, there's no user interaction, like when we are doing that project cloning, right? That happens even before the workspace gets started.
A
We are, we are a difficult time trying to explain what remote development is when we are trying to move it. We, if you were like, we are those people who are like building this conspiracy theory. We are connecting 10 dots and, you know, so, yeah, I,
C
Think it's good, you know. I was actually just talking to a friend of mine who is an engineering manager at GitHub, and you may already know this because you're deep in this problem. She told me that GitHub, you can only do remote development, so engineers at GitHub cannot do local development anymore. This has been true for several years now. Remote development is their only means of working on their own code base. I,
A
C
Yeah, it's, well,
D
I, I, I think the, interestingly, one of my OKRs this quarter is about trying to start, I don't know what the word is, monitoring GDK.
D
So we can see how, how stable, how reliable, etc. is, because we know that we, we have issues with GDK, and a lot of them are based on everyone having a very, very subtly different development environment. You know, I'm on Linux, you're on a Mac, you're on 15.1, you're on 15.3, you've got RVM installed, you've got asdf installed, etc., etc. So I haven't done. My team has been working tirelessly on getting GDK working in, in remote development workspaces.
D
So you may have already had a conversations with Raymond and, who's making great progress. We've got customers who have got hugely, hugely locked-down environments that can't contribute back to GitLab because they, they, they can't do a clone, for example, from gitlab.com, and again we can unblock them by being able to provide them remote development workspaces, etc. So it does solve a lot of problems, other than the fact that we'll have a heck of a lot of processing power on our desks that's going unused, but, you know, yeah.
A
This is, yeah, exactly. Oh, so I think this is a, coming back to this entire JWT thing, right, from this blog entry, I was even looking at it yesterday. This is the class that they are using to, the CI JWT V2 tokens, version two, and if I look at this, I think this is using the identities that we are talking about, right, like because we are ourselves issuing authorities within the world. They are probably using this.
A
Can we try this one out? The only catch over here is the subject over here is, it is linked, I mean scoped to a particular project and that particular job, but I want it to be, you know, scoped to that particular user. I obviously have the user ID.
D
Yeah, that'd be nice, that's a problem. It also looks like maybe, I think you were just putting the user ID before, yeah, whether this, this kind of hint that maybe it should be prefixed in such a way that we know that it's a user ID. But, you know, it, it's probably not overly important at the moment, but only,
A
Okay, what should we do now? Should we, I feel like I have rambled about this for the last 45 minutes.
D
Amazing, it's really interesting, and I think what you're probably envisioning at the moment, and I probably agree, is that it's going to take you a while to do some poking to, to make a bit of progress, but it might be something that you're in a position for us to revisit in, you know, a few days or a week or something when you've made a bit of progress. But again, maybe you're, you're, you've hit a bit of a wall and you, you fancy a bit more pairing, yep.
A
All right, at least I have a path for, like I'll try to, like what Jesse mentioned within, and you mentioned, like within the wall itself, can we use the issuing classes to, to issue a J, OIDC token itself, but without going through that entire OAuth flow? Thanks for bearing with my incomprehensible ramblings.
C
Yeah, and I'll try to, I'll take it as my homework to follow up with you on sharing the OIDC setup. I think the one I set up was a little different, but I think it was for GitHub as an identity provider using OIDC, and I was very explicit in my instructions to myself on how to decode the JWT. So hopefully I can help you with that.
D
I won't, yeah, I, if I need to in a minute, I will. I have far too much stuff opened.
D
Yeah, if, if you don't mind, I popped the, the MR in here, so if you go to, to the overview, you'll have to find the relevant discussion, but there's one, probably one of the unresolved ones, talking about this one here, I think it is. So we've got a test which is essentially,
D
So the way that we got around that, I say we as helping someone on my old team put this together, initially was to hard-code the date as just a date, without a time. That obviously gets rid of the time portion and means that there's no, no potential for any kind of discrepancy.
D
The opposite, so we had it working, but the reviewer, maintainer weren't overly happy with the hard-coded date. So they said, why have you got that, you shouldn't need that, remove it. And weirdly, it worked when they ran the test in their environment, but it didn't work in our environment and it didn't work in CI. So we've now come up with another solution, if you want to check the changes tab, but what I'd love to know is, is sort of,
D
To, on line 57 now we are doing a contact.reload, and that fixed it. So my, here's my completely bonkers theory that's probably, yeah, wildly inaccurate, but my belief was maybe that the precision in memory of a timestamp is different to the precision in the database of a timestamp, and therefore, if we don't do the .reload, we're using the in-memory timestamp to compare to. If we do the reload, we're actually reloading the record that's been persisted to the database and we've got the, the same timestamp. But tell me, has anyone experienced this problem before?
D
D
B
I am, this definitely rings a really, really distant bell.
D
So almost like you, your model has created an updated timestamp, but the database actually ignores what you pass in and just uses whatever the current date,
B
So I think, I think the model probably doesn't send the time, but it kind of, like to short-circuit having to reload the whole model again, it just says, oh, you know, I'm just going to say that it's now, and then when you reload again, it will be a few milliseconds different, because the database in the,
D
User, so that makes more sense than my theory about the precision being different, which I couldn't back up, yeah. The only, the only thing that would be interesting to understand here is in this test, and maybe you could actually open up the, the, the test, the spec itself, that issue builder, I think it's, see, this one.
C
D
So if you, so see that there's an expect for labels, so what I'm intrigued by is, why is that not throwing the same, assuming that the label has a type that is an updated stamp? Maybe we could check that in the Rails console or, or something quickly, just to, to have a look, but yeah, I, I'm, I was perplexed why we were having that problem with the contact record but the label record.
D
C
So if my Rails console wants to play nicely today. The other thing I was going to say, I just pulled up this issue. I've had this issue Malcolm brought up, Ruby versus database time. I've also had an issue where the CI database fails on a test because it was on a different Postgres version, and different Postgres versions like have different precision levels, potentially, so,
C
CI Postgres versus local Postgres, which could explain why, maybe your machine has a different Postgres version from the reviewer's machine. That's an idea. This, this recommends not using timed off freeze, time freezing, but the be_like_time matcher, which is looking for less precision than equality. So that's another idea. The,
D
B
D
Have to be dry, well, yeah. What is more about is wanting to make sure that the test fails if somebody adds, add something without having to update the test, if that kind of makes sense. issue.first, I found had labels for me, I don't know whether you'll be so lucky.
C
D
No, I, I, I think the way specifically of the, in our tests we're picking an issue that does have, and does have them, but this just confirms that we definitely have a created at and updated at in our label hook attrs, which adds to my confusion as to why would that pass when we're comparing the label hook attrs to the label. So if you, you look back in the spec again, we're,
C
D
So you can see like line 56 and 57 are pretty much identical, and if you look at how we create the labels and how we create the contacts, again we're just using a let_it_be, yeah. So that's, that's what I was really struggling with, you know, to say, well, what's, what's different, and the only difference I can find is one's stored in the database with time zone, one's without, so I don't know whether it's,
A
B
Between what Rails sends and what Postgres stores. I'm just reading the blog post here, okay.
D
Way, well, it won't, for me it doesn't get pogged, which is, is where the, the guy in mind our team sort of been working, I see, I see, and in CI fails as well, but the problem is I don't know that we would be able to dive that deep under the hood anyway and really, really see what was happening. I mean, maybe you can, but, you know, I mean, to see what's happening between the model and the database like that, that's Active Record magic there, right, so yeah.
D
Just, well, that's, that's already on the MR anyway. So that's what we were looking at a minute ago, where we could see that, you know, there's a few, I don't know, okay.
C
Okay, well, look at that. It sounds like you have volunteered to update our docs on time zones, so,
D
I look forward, awesome. Let me just make sure I didn't close the window with that link that Malcolm shared, so yeah. It's, it's really just that, that bit about what's the difference between the labels and the contact. The only way I can think of, of being, figuring this out, which is a real pain in the backside, but would be to write a local migration to change the timestamp on the contacts from with time zone to without time zone and see
D
If that then fixes it, because that, that's the only difference I can see between labels and contacts, the dates stored with time zone for one and without the other, yeah.
B
C
D
Which was essentially our hard-coding dates without time solution, but sort of, understandably, it got flagged. My, I, I, I think if we had struggled any further I would have said, well, let's, let's, not our community contributor's problem, like let's get it merged, and then someone can follow up on that, because this is, you know, way above even my pay grade, that learners. So, but it's interesting. Awesome, no, wicked! Thanks all for indulging me, and yeah, I'll feed back.