Added feature flag to not use the /-/jwks endpoint

app/controllers/jwks_controller.rb

 # frozen_string_literal: true
 
 class JwksController < Doorkeeper::OpenidConnect::DiscoveryController
+  # To be removed soon
   def index
-    expires_in 24.hours, public: true, must_revalidate: true, 'no-transform': true
-
-    render json: { keys: payload }
+    if Feature.enabled?(:remove_jwks_endpoint)
+      render status: :not_found
+    else
+      keys
+    end
   end
 
   def keys
-    index
+    expires_in 24.hours, public: true, must_revalidate: true, 'no-transform': true
+
+    render json: { keys: payload }
   end
 
   private

config/feature_flags/gitlab_com_derisk/remove_jwks_endpoint.yml

+---
+name: remove_jwks_endpoint
+feature_issue_url: https://gitlab.com/gitlab-org/gitlab/-/issues/221031
+introduced_by_url: https://gitlab.com/gitlab-org/gitlab/-/merge_requests/147389
+rollout_issue_url: https://gitlab.com/gitlab-org/gitlab/-/issues/450775
+milestone: '17.0'
+group: group::pipeline security
+type: gitlab_com_derisk
+default_enabled: false

spec/requests/jwks_controller_spec.rb

@@ -26,41 +26,56 @@
       stub_application_setting(ci_jwt_signing_key: ci_jwt_signing_key.to_s)
     end
 
-    it 'returns signing keys used to sign CI_JOB_JWT' do
-      get jwks_url
+    context 'when feature flag-remove_jwks_endpoint is enabled' do
+      it 'returns 404 when feature flag is enabled' do
+        get jwks_url
 
-      expect(response).to have_gitlab_http_status(:ok)
-
-      ids = json_response['keys'].map { |jwk| jwk['kid'] }
-      expect(ids).to contain_exactly(ci_jwk['kid'], oidc_jwk['kid'])
+        expect(response).to have_gitlab_http_status(:not_found)
+      end
     end
 
-    it 'includes the OIDC signing key ID' do
-      get jwks_url
+    context 'when feature flag-remove_jwks_endpoint is disabled' do
+      before do
+        stub_feature_flags(remove_jwks_endpoint: false)
+      end
 
-      expect(response).to have_gitlab_http_status(:ok)
+      it 'returns signing keys used to sign CI_JOB_JWT' do
+        get jwks_url
 
-      ids = json_response['keys'].map { |jwk| jwk['kid'] }
-      expect(ids).to include(Doorkeeper::OpenidConnect.signing_key_normalized.symbolize_keys[:kid])
-    end
+        expect(response).to have_gitlab_http_status(:ok)
+
+        ids = json_response['keys'].map { |jwk| jwk['kid'] }
+        expect(ids).to contain_exactly(ci_jwk['kid'], oidc_jwk['kid'])
+      end
 
-    it 'does not leak private key data' do
-      get jwks_url
+      it 'includes the OIDC signing key ID' do
+        get jwks_url
 
-      aggregate_failures do
-        json_response['keys'].each do |jwk|
-          expect(jwk.keys).to contain_exactly('kty', 'kid', 'e', 'n', 'use', 'alg')
-          expect(jwk['use']).to eq('sig')
-          expect(jwk['alg']).to eq('RS256')
+        expect(response).to have_gitlab_http_status(:ok)
+
+        ids = json_response['keys'].map { |jwk| jwk['kid'] }
+        expect(ids).to include(Doorkeeper::OpenidConnect.signing_key_normalized.symbolize_keys[:kid])
+      end
+
+      it 'does not leak private key data' do
+        get jwks_url
+
+        aggregate_failures do
+          json_response['keys'].each do |jwk|
+            expect(jwk.keys).to contain_exactly('kty', 'kid', 'e', 'n', 'use', 'alg')
+            expect(jwk['use']).to eq('sig')
+            expect(jwk['alg']).to eq('RS256')
+          end
         end
       end
-    end
 
-    it 'has cache control header' do
-      get jwks_url
+      it 'has cache control header' do
+        get jwks_url
 
-      expect(response).to have_gitlab_http_status(:ok)
-      expect(response.headers['Cache-Control']).to include('max-age=86400', 'public', 'must-revalidate', 'no-transform')
+        expect(response).to have_gitlab_http_status(:ok)
+        expect(response.headers['Cache-Control']).to include('max-age=86400', 'public', 'must-revalidate',
+          'no-transform')
+      end
     end
   end
 end