Add user_identities to JWTs used by CI/CD jobs

Problem statement

As an instance administrator, I want to ensure that shared GitLab runners are only used by users who have permission to execute on them.

Proposed solution

Add a user_identities field to JWT V2 payloads when the GitLab instance is configured to do so. The user_identities field will contain the first 5 identities stored for the user. In FOSS, each user identity in the payload will have the structure:

{ 
  "extern_uid": "1",
  "provider": "gitlab"
}

In EE, each user identity will additionally have a secondary_extern_uid field:

{ 
  "extern_uid": "1",
  "provider": "gitlab",
  "secondary_extern_uid": "1A"
}

The presence of the user_identities field in the JWT V2 payload is controlled by an instance-level toggle. The toggle defaults to false, so the field is absent from the payload unless an administrator turns it on. The toggle value can be updated through an API endpoint that instance administrators have permission to use.
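The following is an added example, not GitLab's own code, showing the two halves of the proposal end to end: shaping the user_identities claim (FOSS vs. EE structure, capped at the first 5 identities, omitted entirely when the toggle is off) and a consumer-side admission check that a runner-authorization service could apply to a verified payload. The signing key, claim values and identity list are constructed sample data. The token is signed with a symmetric HS256 key purely so the example runs offline; real GitLab job tokens are asymmetrically signed and must be verified against the instance's published keys. The check fails closed when the claim is missing, which is exactly what a consumer sees while the toggle is at its default of false.

```python
import base64
import hashlib
import hmac
import json
import time

IDENTITY_LIMIT = 5  # the proposal: only the first 5 stored identities are emitted

# Constructed sample data (assumed values, not from any real instance).
SAMPLE_KEY = b"constructed-demo-key"
SAMPLE_BASE_CLAIMS = {
    "iss": "https://gitlab.example.com",
    "sub": "project_path:group/project:ref_type:branch:ref:main",
    "aud": "https://gitlab.example.com",
    "user_id": "42",
    "user_login": "alice",
    "exp": 1_900_000_000,
}
SAMPLE_IDENTITIES = [  # six entries on purpose: one more than the cap
    {"extern_uid": "1", "provider": "gitlab", "secondary_extern_uid": "1A"},
    {"extern_uid": "uid=alice,ou=people,dc=example,dc=com", "provider": "ldapmain"},
    {"extern_uid": "alice@idp.example", "provider": "saml", "secondary_extern_uid": "S-1"},
    {"extern_uid": "3001", "provider": "github"},
    {"extern_uid": "3002", "provider": "google_oauth2"},
    {"extern_uid": "3003", "provider": "bitbucket"},
]


def _b64url_encode(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def _b64url_decode(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def identity_claim(identity: dict, ee: bool) -> dict:
    """Shape one stored identity as the proposal describes (EE adds secondary_extern_uid)."""
    claim = {"extern_uid": identity["extern_uid"], "provider": identity["provider"]}
    if ee:
        claim["secondary_extern_uid"] = identity.get("secondary_extern_uid")
    return claim


def build_payload(base_claims: dict, identities: list, toggle_enabled: bool, ee: bool = False) -> dict:
    """Add user_identities only when the instance toggle is on; cap at IDENTITY_LIMIT."""
    payload = dict(base_claims)
    if toggle_enabled:
        payload["user_identities"] = [identity_claim(i, ee) for i in identities[:IDENTITY_LIMIT]]
    return payload


def sign_hs256(payload: dict, key: bytes) -> str:
    """Minimal JWT encoder (HS256 stand-in for the asymmetric signature GitLab uses)."""
    parts = [{"alg": "HS256", "typ": "JWT"}, payload]
    signing_input = ".".join(_b64url_encode(json.dumps(p, separators=(",", ":")).encode()) for p in parts)
    sig = hmac.new(key, signing_input.encode("ascii"), hashlib.sha256).digest()
    return signing_input + "." + _b64url_encode(sig)


def verify_hs256(token: str, key: bytes, now=None) -> dict:
    """Verify alg, signature (constant-time) and exp before trusting any claim."""
    try:
        header_b64, payload_b64, sig_b64 = token.split(".")
    except ValueError:
        raise ValueError("malformed token")
    if json.loads(_b64url_decode(header_b64)).get("alg") != "HS256":
        raise ValueError("unexpected alg")
    expected = hmac.new(key, f"{header_b64}.{payload_b64}".encode("ascii"), hashlib.sha256).digest()
    if not hmac.compare_digest(expected, _b64url_decode(sig_b64)):
        raise ValueError("bad signature")
    payload = json.loads(_b64url_decode(payload_b64))
    if payload.get("exp", 0) <= (time.time() if now is None else now):
        raise ValueError("token expired")
    return payload


def runner_allows(payload: dict, allowed: set) -> bool:
    """Admission check: at least one presented identity must match an allowed
    (provider, extern_uid) pair. Fail closed if the claim is absent (toggle off) or empty."""
    identities = payload.get("user_identities")
    if not identities:
        return False
    return any((i.get("provider"), i.get("extern_uid")) in allowed for i in identities)


def demo(toggle_enabled: bool, ee: bool = False) -> dict:
    """Issue, verify and authorize a sample token; returns what a consumer would observe."""
    payload = build_payload(SAMPLE_BASE_CLAIMS, SAMPLE_IDENTITIES, toggle_enabled, ee)
    token = sign_hs256(payload, SAMPLE_KEY)
    verified = verify_hs256(token, SAMPLE_KEY, now=1_800_000_000)
    allowed = {("ldapmain", "uid=alice,ou=people,dc=example,dc=com")}
    return {
        "token": token,
        "identity_count": len(verified.get("user_identities", [])),
        "allowed": runner_allows(verified, allowed),
    }


if __name__ == "__main__":
    print(json.dumps(demo(toggle_enabled=False), indent=2))
    print(json.dumps(demo(toggle_enabled=True, ee=True), indent=2))
```

Note that the policy key is the (provider, extern_uid) pair rather than extern_uid alone: the same numeric extern_uid can legitimately occur under different providers, so matching on the UID by itself would let an identity from one provider satisfy an allow-list written for another.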

Implementation table

Title                                                        | MR Link  | Done?
Add toggle for enabling user_identities to database/models   | !108477  | merged
Add user_identities field to JwtV2                           | !117541  | merged
Add API for changing the toggle                              | !117874  | merged
Document the new field                                       | !118231  | merged
Edited by Mark Nuzzo