Diffstat (limited to 'app/services/auth/dependency_proxy_authentication_service.rb')
-rw-r--r--app/services/auth/dependency_proxy_authentication_service.rb20
1 files changed, 15 insertions, 5 deletions
diff --git a/app/services/auth/dependency_proxy_authentication_service.rb b/app/services/auth/dependency_proxy_authentication_service.rb
index fab42e0ebb6..164594d6f6c 100644
--- a/app/services/auth/dependency_proxy_authentication_service.rb
+++ b/app/services/auth/dependency_proxy_authentication_service.rb
@@ -8,10 +8,7 @@ module Auth
def execute(authentication_abilities:)
return error('dependency proxy not enabled', 404) unless ::Gitlab.config.dependency_proxy.enabled
-
- # Because app/controllers/concerns/dependency_proxy/auth.rb consumes this
- # JWT only as `User.find`, we currently only allow User (not DeployToken, etc)
- return error('access forbidden', 403) unless current_user.is_a?(User)
+ return error('access forbidden', 403) unless valid_user_actor?
{ token: authorized_token.encoded }
end
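Review bot: The new guard `unless valid_user_actor?` accepts any truthy `current_user`, so the type check enforced by the removed line (`current_user.is_a?(User)`) is no longer applied. The deleted comment states that the consumer resolves the JWT with `User.find`. If the authentication layer can ever set `current_user` to a non-User actor, that actor would skip `valid_for_dependency_proxy?` and have its id issued under the `user_id` claim. Writing the helper in the second hunk as `current_user.is_a?(User) || valid_deploy_token?` would keep the old guarantee while still admitting deploy tokens.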
@@ -36,11 +33,24 @@ module Auth
private
+ def valid_user_actor?
+ current_user || valid_deploy_token?
+ end
+
+ def valid_deploy_token?
+ deploy_token && deploy_token.valid_for_dependency_proxy?
+ end
+
def authorized_token
JSONWebToken::HMACToken.new(self.class.secret).tap do |token|
- token['user_id'] = current_user.id
+ token['user_id'] = current_user.id if current_user
+ token['deploy_token'] = deploy_token.token if deploy_token
token.expire_time = self.class.token_expire_at
end
end
+
+ def deploy_token
+ params[:deploy_token]
+ end
end
end
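Review bot: In `authorized_token`, `token['deploy_token'] = deploy_token.token` copies the deploy token's secret value into the JWT payload. An HMAC-signed JWT is integrity-protected but not encrypted, so the long-lived credential becomes readable wherever the short-lived JWT is cached or logged. Carrying a non-secret identifier and letting the consumer look the token up and re-check it would avoid that, though the consumer is not visible here, so this needs confirming against it. The claim is also written whenever `params[:deploy_token]` is present, even if the request was admitted through `current_user` and `valid_for_dependency_proxy?` was never evaluated. Changing the guard to `token['deploy_token'] = deploy_token.token if valid_deploy_token?` closes that gap, and a short comment saying which claim takes precedence when both are set would help the consumer side.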