►
Description
What we need:
- Introduce the idea of instance level authentication
- An authenticated connection between a GitLab instance and GitLab.com
- GitLab instances are responsible for user-level authentication
- GitLab.com is responsible for instance-level authentication
A
So
apparently
the
situation
is
that
we
recommend
ourselves
manage
customers
to
use
really
ugly
and
hacky
workaround,
and
that
is
that
we
ask
each
self-managed
user
to
create
a.com
personal
access
token
in
order
to
authenticate
them
and
get
them
access.
So
the
idea
that
we
are
currently
like
trying
to
figure
out
is
first
like
the
short
term
goal
is
to
support
some
way
to
sell
to
allow
self-matched
customers
to
authenticate
and
against
gitlab.com,
and
we
can
use
then
gitlab.com
as
a
proxy
to
access
our
AI
features.
So
there
are
actually
two
topics.
A
First,
is
to
like
authenticate
the
instance
itself,
or
maybe
it
is
an
organizational
level,
because
I
I
saw
that
we
are
now
like
within
sales
effort.
Introducing
the
organization
as
well
I'm
not
fully
familiar
like
what
this
means,
but
like
the
first
topic
is
to
allow
authentication
between
the
instance
itself
and
gitlab.com,
and
the
second
topic
would
be.
A
We
will
discuss
the
only
first
one
authentification
like
when
we
do
a
proxy,
how
we
authenticate
users
and
proceed
with
like
user
proxing
gitlab.com
at
gitlab.com,
sending
the
requests
to
Ai
and
returning
back
the
response
and
well
I
I
guess
it
really
depends
on
the
solution
we
choose.
So
I
already
asked
on
the
slack
Channel
like
for
some
ideas,
but
I
would
first
would
like
to
hear
where
we
are
with
the
like.
The
long-term
solution.
A
A
Should
we
like
try
to
find
a
workaround
until
this
is
done,
or
we
expect
this
to
be
completed
in
foreseeable
foreseeable
future
and
how
this
related
to
these
sales
and
organization
efforts,
and
in
case
that
we
choose
the
workaround
solution
like
using
open,
ID
or
something
similar
like?
Should
we
considered
like
moving
to
service
accounts
in
the
near
future?
I
guess.
B
C
D
E
I
I
was
I
was
just
wondering:
could
you
expand
a
bit
more
on,
so
is
the
service
account?
Does
it
behave
like
a
user?
Basically,
from
the
perspective
of
the
Rails
app
I
mean?
Does
it
have
permissions
tied
to
it?
Do
they
expire
and
do
you
do
you
then
generate
generate
tokens
per
service
account
or
like
if
we
want?
B
A
Yeah,
that's
a
great
question.
I'm,
not
sure
about
the
billing.
I
saw
some
issue
where
there
is
a
discussion
between
those
two
models.
I
think
that
first
iteration
iteration
will
take
billing
as
a
flat
service
and
not
like
usage
based,
but
this
is
not
something
that
I
can
guarantee
that
it
will
stay
and
I'm
not
fully
familiar.
A
So
this
is
just
an
open
discussion
and
it
seems
that,
because
it's
easier
to
iterate
with
the
first
approach,
I
think
this
is
the
approach
that
we
will
take,
but
this
doesn't
mean
that
in
the
future
we
will
not
have
usage
per
user
and,
like
billing
per
user
has
to
say,
but
but
for
this
iteration
and
maybe
future
work.
Maybe
this
is
something
that
we
need
to
ask
an
address,
but
my
understanding
was
that
all
monitoring
and.
D
A
D
E
E
Right,
so
so
is
this
to
integrate
the
third
party
service
with
gitlab
says
when
I'm
a
group
admin,
for
instance
on
gitlab,
says
and
I
want
this
service
account
to
act
on
behalf
of
this
third-party
servers
for
everyone
within
my
group,
for
example,
is
that
a
wait?
Okay
got
it
I
think
the
interesting
bit
with
that
one.
It's
like
okay,
so
I
think
the
interesting
bit
with
our
use
case
is
that
we're
talking
about
gitlab
gitlab
integration
right,
so
it
took
me
a
while
to
wrap
my
head
around
like
so.
D
E
Have
a
service
account
I
guess
so,
let's
assume
I'm
a
gitlab
self-managed
customer
and
I
spit
up
my
own
gitlab
right,
so
what
I
would
do
is
and
then
we
have
two
gitlabs
right.
So
we
have
mine
and
we
have
Caleb
says
so
as
an
admin
of
my
instance.
I
would
then
go
ahead
and
do
what
exactly
would
I
would
I
create
a
service
account
and
gitlab
says
instead
of
a
personal
access
token
on
and
this
service
account
token
I
guess
would
I
would
then
use
on
my
also.
E
So
I
I
think
we're
like
one
step
removed
from
the
original
use
case
that
you
described
so
I'm,
just
wondering
how
how
that
would
even
carry
over
because
I
think
we
need
some
there's
some
kind
of
like
stateful
there's
like
state
to
this
whole
handshake
on,
like
both
sides,
gitlab
says
and
and
the
self-managed
instance.
So
I
wonder
if
that
would
actually
be
covered
in
the
current
model.
B
Yep
exactly
I
I
have
that
question
as
well,
because
you
know
it
is
each
self-managed
instance
going
to
create
a
group
on
gitlab.com
and
then
do
they
need
a
subscription,
for
that
too,
are
we
going
to
give
them
some
sort
of
deal
there
because
they're
actually
using
self-managed,
and
they
only
need
gitlab.com
for
this?
This
proxy
I'm
not
sure.
E
I
I,
okay,
that
that's
fair
enough
I
think
we
can
maybe
put
a
pin
in
that
question,
we're
very
much
exploring
right
Solutions
here.
It's
totally
fine
I
think
it's
just
good
to
talk
about
all
these
options
and
see
like
where
there
might
be
obstacles
of
where
it
might
be
easy
or
hard,
but
yeah.
So,
okay,
I
think.
So
what
are
the
other
options?
E
That
would
be
better
because
the
individual
end
user
of
a
self-managed
instance
does
not
have
to
go
to
sales
and
do
that
right.
So
only
the
self-managed
admin
would
have
to
do
that.
So
maybe
that's
good
enough,
but
just
to
explore
other
options.
I
think
there
was
something
else
being
mentioned.
Actually
was
at
the
point
you
touched
on
earlier
Nikola,
the
yeah.
A
B
A
From
this
as
a
priority
because
of
the
organization
modeling
that
like
is
currently
introduced,
because
this
film
little
change
like
our
top
level
organizational
structure
like
we
don't
have
organization
and
then
below,
we
will
have
groups
and
products
Etc.
So
I
think
that
Alex
poorly
commented
that
in
case
of
sales,
we
will
have
multiple
organizations,
but
in
case
of
self-matched,
customers
actually
will
have
only
single
organization.
A
So
if
we
use
service
account
on
the
organizational
level,
then
like
this
is
not
a
user
and
it
represents
actually
the
instance
that
we
need.
So
when
you
create
an
organization
on
the,
but
there
are
also
open
version.
If
you
have
a
group
organization
with
specific
permissions
on
SAS-
and
you
have
the
same
group
on
your
local
environment,
which
one
will
be
used
or
whatever,
but
it's
not
something
that
I
fully
wrap
around
my
head.
A
So
the
open
question
related
to
service
accounts
is
like
how
we
will
manage
like
permissions
and
like
billing,
because
I
guess
the
self-match
admin
don't
need
to
create
a
group
and
probably
pay
for
AI
feature
or
something.
So
we
will
need
to
move
it
and
give
him
some
license
or
whatever
we
do
with
open
eye
stuff
or
other
things
that
this
instance
should
be
approved
to
use
and
I
guess
there
are
limits
as
well
configured
there.
E
E
E
So
so
so
there's
this
concept
of
a
service
account
which
essentially,
we
can
think
about
that
as
a
user.
Let's
say:
let's
call
it
the
Headless
user
right
so
yeah
is
that
connected
to
a
token
and
how
would
I?
How
would
I
manage
this,
and
how
does
the
authentication
flow
actually
look
like
and
how
does
it
relate
to
oidc.
B
Or
service
accounts
each
account
can
have
one
or
more
tokens,
essentially
personal
access
tokens
and
then
that's
basically
simple
off
essentially
password
off,
then
that
you
can
use
with
the
API
versus
oidc,
which
is
oauth
and
it's
per
user
per
user
end
user.
So
the
the
problem
with
that
I
think
in
the
in
the
case
that
we're
talking
about
here
is
every
single
user
on
that
self-managed
instance
would
have
to
authorize
their
account
and
then
the
integration
would
be
operating
as
each
individual
user,
foreign.
E
It's
fine
that
a
user!
Let's
take
the
example,
the
specific
example
of
code
suggestions
right
so
I'm
an
end
user
of
a
self-managed
instance.
You
know
an
employer
at
some
company
that
uses
gitlab
and
I
want
to
hook
that
into
up
into
my
IDE,
so
I
connect
the
self-managed
instance
API
endpoint
for
code
suggestions
into
my
IDE
and
I
use
that
using
a
do
I
do
that
using
a
personal
access
token
issued
from
the
self-managed
instance
right.
That's
like
the
normal
user
flow.
E
We
would
also
that's
what
you
would
do
as
well,
if
you
were
to
just
use
zest
directly
right
so
yeah.
So
as
far
as
that
goes,
but
that's
only
like
the
first
leg
of
the
of
the
authentication
Journey,
basically
right.
So
then
my
IDE
sends
a
request
with
a
pat
to
the
self-managed
instance
and
then,
and
that's
the
bit
like
where
we
probably
have
to
build
something
from
scratch
that
that
selfish
instance
would
then
have
to
detect
okay.
This
is
like
a
proxied
endpoint
and
I
I.
E
First,
first
I
authenticate
the
user
with
the
pit
like
standard
stuff
and
and
if
that
checks
out,
I
basically
have
like
a
pre-authenticated
request.
So
this
instance
can
then
make
a
request
on
behalf
of
the
user,
but
using
these
credentials
right
using
the
service
account,
and
that
then
goes
to
get
that
says
right.
So
so
that's
how
I
guess
we
had
imagined
it
to
work
so,
but
we
would
still
have
to
then
yeah
make
it
transfer
completely
transparent
to
the
end
user.
E
B
E
E
A
Because
so,
basically,
like
we
mentioned
before,
we
should
consider
the
self-match
instance
as
something
that
have
I
know
billing
flat
billing
and
it
has
its
own
permission
to
access.
You
know
open
AI
features
and
probably
has
some
specific
rate
limiting
related
to
the
instance
level
so
like
it
can
request,
200
requests
daily
or
something
like
that,
so
not
user,
specific
limits
or
whatever.
So
when
we
create
a
token
or
authenticate
this
instance,
everything
that
is
related
to
this
gitlab
SAS
is
based
on
authorization
and
authentication
related
to
that
instance.
A
So
we
don't
care
about
their
users.
So
how
we
imagine
this
will
work.
Is
we
don't
like
the
bottom
line
of
the
solution?
That
we
need
is
that
their
users
shouldn't
be
aware
of
any
handshakes
between
self-managed
instance
and
gitlab.com,
so
admins
self-match
admins
can
do
like
one-time
handshake
and
do
a
configuration,
create
groups,
ask
our
admins
to
give
them
license
or
whatever
is
needed
once
it's
configured
and
we
get
a
token
or
whatever
it
is.
A
When
user
is
trying
to
access
some
URL,
that
is
proxy
Netflix
for
some
API
call
like
it's
called
suggestions,
AI
or
something
else.
We
should
authenticate
that
user
on
the
self-manage
level,
like
they
will
authenticate
users
like
and
if
everything
checks
out,
they
will
send
a
token
for
that
instance
to
the
gitlab.com
and
then
gitla.com
will
just
authenticate
that
service
account,
or
instance,
level
token
or
whatever
check
permissions.
E
Via
this
mechanism,
they
might
run
into
tighter
limits
right
before
they
exhaust
their
own
quota,
which
might
lead
to
weird
user
experience,
but
maybe
for
an
MVC.
It's
not
that
important.
They
would
basically
have
to
take
that
problem
to
their
admin
right.
Whoever
runs
that
instance
to
make
sure
that
this
is
all
that's
all.
A
It
works
out,
I
guess
for
first
few
iteration
I
already
saw
some
discussion
related
to
this,
like
it
should
be
here,
probably
similarly
to
lecture
GPT.
You
will
get
a
message
like
system
is
currently
like
busy
weight,
and
if
you
pay
extra
money
for
super
access
in
the
future,
we
will
handle
it
that
you
have
a
priority
or,
depending
on
the
plan
that
you
are,
but
this
is
related
more
to
the
open,
AI
features
and
their
integration.
A
But
I
guess
this
currently
should
be
fine,
especially
if
you
are
talking,
on
instance,
level
rate
limits
or
everything
else.
So
I
guess
like
if
we
are
looking
for
a
solution.
The
first
priority
is
that
ends
users
or
self-managed
customer
shouldn't
be
involved
in
any
configuration,
integration
and
Etc,
and
the
second
one
is.
We
should
look
it
as
like.
We
need
to
double
check
and
confirm,
but
I
guess,
like
it's
a
flat
level,
like
all
the
permissions
and
like
limits
are
set
to
the
instance
level
and
instance,
will
handle
I.
A
C
B
Yeah,
that's
something
we
might
have
to
think
about
on
the
getlab.com
level,
though,
because
we
might
need
a
larger
rate
limit
for
the
for
whatever
particular
proxy
endpoints,
but
also
I'd,
say
in
general,
most
self-managed
instances
don't
have
rate
limiting
some
number
of
years
ago.
We
disabled
that
by
default
in
Omnibus,
now
I
think
that
you
all
are
also
talking
about
gitlab
dedicated,
which
that
I
can't
speak
to
you
know
we.
E
E
Yeah
and
I
think
for
the
embassy.
It
sounds
like
it's
okay
to
ignore
that
I
think
it
was
Dylan
who
responded
as
well
that,
for
instance,
it's
now
kind
of
it's
an
opt-in
thing
anyway.
So,
if
you
don't
want,
like
your
data,
you
know
to
penetrate
all
these
different
boundaries,
then
just
don't
use
the
feature
and.
A
E
Is
this
like,
under
your
team's
purview
as
well
or
I'm,
still
trying
to
what
I
still
don't
understand,
is
even
with
these
service
accounts
in
place
like
where
would
I
actually
as
an
as
as
a
self-managed
instance?
Where
would
I
actually
connect
gitlab
says?
Is
that
called
an
integration
and-
or
you
know,
would
that
appear
on
this
page
or
how
does
that
all
fit
together?.
B
A
Well,
just
to
summarize
Matthias
previous
question
so,
if
instance,
like
these
service
accounts
in
case
of
service
accounts,
is
it
going
to
work
like
the
way
we
described
without
authenticating
each
user?
Like?
Can
we
just
proxy
the
token
that
we
store
somewhere
once
the
service
account
is
created
without
like
additional
hustle,
with
asking
each
separate
self-managed
user
to
go
through
process
of
like
because.
B
A
So
basically,
service,
like
self-made
admin,
will
go,
create
somewhere
like
some
group
and
create
service
accounts
get
token,
and
then
we
will
need
to
store
that
token
to
the
self-managed,
and
there
is
additional
confession
like
who
will
put
that
admin
in
some
group
and
give
him
a
license
or
whatever
but
yeah.
We
will
then
get
a
token
and
we
will
store
that
talk
in
somewhere
and
we
will
need
a
place
on
UI
there,
where
we
will
allow
that
admin
to
do
all
those
stuff
or
connect
this
token
with
their
own
instance
or
whatever
right
right.
B
Yeah
I
think
you
know
longer
term.
We
need
to
talk
more
about.
Where
does
this
service
account
get
created?
You
know,
is
it?
Is
it
a
group
or
do
we
do
something
at
the
instance
level?
Maybe
there's
an
API
between
the
the
customers
app
or
whatever
it
is
we
use
for
subscriptions
now,
where
you
know
when
we
have
an
ultimate
customer?
We
generate
that
token.
That
service
account
automatically
and
present
that
token.
There
ideas
well.
A
B
A
Right,
thank
you,
okay,
and
until
the
service
accounts
are
like,
can
we
use
the
service
accounts
without
UI
builds
like
at
the
moment,
or
we
should
like
continue
talking
about
the
proposed
workaround
solution.
That
is
a
little
bit
hacky,
but
still
would
do
more
or
less
the
same
thing
using
open,
ID
protocol.
D
E
Sounds
great,
Nikola
I
think
we
don't
need
to
be
blocked
on
this
right
now,
though,
I
think
we
can
just
for
now.
I
know,
that's
not
ideal,
but
just
to
I
would
like
to
have
a
POC
like
as
soon
as
possible,
like
just
something
working,
even
if
it's
not
ideal
and
for
this
I
think
we
can
just
assume
for
now
that
a
self-managed
incident
that
admin
would
just
create
would
just
use
it
normal
Pats.
E
So
they
would
use
their
personal
access
token,
because
that
would
unblock
a
lot
of
this
work
already,
because
we
could,
just
because
whatever
token
or
mechanism
is
used
for
authentication
at
the
end
of
the
day,
there's
still
a
lot
of
stuff.
That
will
remain
the
same,
such
as,
like
you
know.
How
do
you
even
set
up
this
integration.
B
D
B
You
can
you
can
definitely
use
a
personal
access
token
today
and
it's
going
to
be
functionally
equivalent.
I
think
there
is
going
to
have
to
be
development
on
on
both
sides,
though
something
to
configure
on
the
self-managed
side,
but
then
something
to
connect
because,
like
I
said,
a
service
account
is
not
going
to
implicitly
have
any
permission
to
use
these
AI
services.
B
A
E
Well,
I
think
yeah
that
I
guess
that's
the
yeah,
that's
kind
of
the
the
big
question
we
still
need
to
solve
right,
I
think
we
might
have
to
talk
to
a
different
team
as
well
Nikola,
because
so
you,
if
you
once
you,
create
your
service,
account
cool.
Then
that
exists
from
the
perspective
of
says,
and
it
says
something
like:
okay,
here's
a
token
or
whatever,
and
but
then
then
what
right?
So
you
still
you.
E
D
A
I
can
I
I
guess
similar
to
the
proposed
like
alternative
solution.
We
can
do
it
two
ways
like
that.
You
entered
the
URL
of
your
submers
user
and
but
then,
like
some
synchronization
will
happen,
or
vice
versa,
like
in
you
configure
on
yourself
match
customers
that
you
will.
We
will
need
some
API
to
return
you
that
token
or
something
but.