-
Notifications
You must be signed in to change notification settings - Fork 140
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
Add support for CircleCI tokens #591
Comments
CC @nsmith5 |
@zalimeni I see on the Circle roadmap that API tokens getting auto injected into builds will be a think in the future. Is there any chance that these tokens will be usable to grab OIDC tokens with custom claims. IIRC this is how it works in Github actions. There is a token with a default |
They shipped. so can this be added soon ? |
No, they don't support customizable 'aud' yet afaik so we can't support in
Fulcio yet. See the attached feature request in canny for details
…On Fri, Aug 19, 2022, 8:01 PM François Proulx ***@***.***> wrote:
They shipped. so can this be added soon ?
—
Reply to this email directly, view it on GitHub
<#591 (comment)>,
or unsubscribe
<https://github.com/notifications/unsubscribe-auth/AC4X2GMA6UHPXBK3VEGVZX3V2BC7PANCNFSM5WGKETSA>
.
You are receiving this because you were mentioned.Message ID:
***@***.***>
|
This work is now planned at CircleCI https://circleci.canny.io/cloud-feature-requests/p/customizable-audience-claim-in-oidc-tokens |
@MarshallOfSound Still marked as "planned" on Canny as it has been for a while... In any case, we use https://pkg.go.dev/github.com/coreos/go-oidc/v3/oidc#IDTokenVerifier.Verify to verify token which should be conformant to the OIDC Spec From the spec section 3.1.3.7. ID Token Validation:
So my assumption is that additional audiences will be rejected. Though when you look at the actually implementation, it seems to ignore additional audiences if it finds the the right one at least. https://github.com/coreos/go-oidc/blob/v3.5.0/oidc/verify.go#L264 Soooo yeah this will work, but I'd caution CircleCI folks from implementing this way has it appears to be outside of OIDC conformance and still has the same security flaws as a fixed audience. If you can only add more and more audience claims the tokens still can't be narrowly scoped to a client basically.. |
@nsmith5 There's definitely movement happening behind the scenes, I'm just trying to make sure that what's being done will be workable / supported by fulcio as that is the main reason we're pushing for customizable audience claims on CircleCI. Sounds like the array-of-audiences approach although technically will work should probably not work in the future 😅 Thanks for the reference, super helpful 👍 |
😆 Yeah I'm honestly tempted to patch the OIDC library to be closer to the spec. I've you've got an leverage as a customer with them and can push them in a particular way, I'd definitely advise them towards making the implementation as close to the OIDC spec as possible. Better security IMO |
CircleCI has just added customizable audience claims in OIDC tokens =) https://circleci.com/docs/api/v2/index.html#tag/OIDC-Token-Management |
Fantastic! Next step would be to update the OID doc to map claims in the CircleCI identity token to the extensions in Fulcio certs. |
@jerdog I'm a little tentative about accepting tokens from CircleCI. Unfortunately the implementation only allows adding audiences to the one token issued per-build. If someone configures more than one client / audience in their build it would be clear to Fulcio whether or not the token has come from the pipeline or the other audience / client. I'll copy my example from the Canny here:
The design makes is a bit more likely that Fulcio could issue code signing certificates to the wrong client and that is a concern to me. This isn't just a concern for Sigstore, but rather all OIDC clients consuming CircleCI tokens with a list of audiences and is very similar to the original security concern described in the canny issue -- A single hard coded audience has the same security properties that a list of many audiences on one token has. |
I'll pass this on @nsmith5 |
I've passed this on too, this design is actually why I was asked my questions a few weeks ago 😄 Hopefully we get the ability soon to generate multiple per-audience tokens so we can get this ball moving |
Hi! I'm Nathan from CircleCI. We're just starting to roll out the ability to configure the export SIG_TOKEN=$(circleci run oidc get --claims '{"aud": "sigstore"}') All the other claims are as per the $CIRCLE_OIDC_TOKEN_V2. We don't allow any other customization with this mechanism besides the "aud" claim. Just checking in to see what next steps might look like for getting CircleCI set up as a supported identity provider. I see from Mapping OIDC token claims to Fulcio OIDs there are a number of claims that can map to cert extensions for code signing. We don't currently supply all of these data points in our tokens so I'm guessing we'd be looking at expanding our support for code signing after becoming an IDP, as a follow up? |
This is indeed officially documented in CircleCI's documentation https://circleci.com/docs/oidc-tokens-with-custom-claims/ So what's next? Add it to Fulcio, then in |
Yep, if you take a look at the CodeFresh PR, that’s what you’ll need to do. Add the code and map as many token claims to extensions. |
Description
Similar to #243, CircleCI supports OIDC tokens: https://circleci.com/docs/2.0/openid-connect-tokens/
Also similar to #243, theTheaud
is not customizable: https://circleci.canny.io/cloud-feature-requests/p/customizable-audience-claim-in-oidc-tokensaud
is now customizable: https://circleci.com/docs/oidc-tokens-with-custom-claims/The text was updated successfully, but these errors were encountered: