-
Notifications
You must be signed in to change notification settings - Fork 139
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
OIDC enhancement: Support for additional OIDC subjects #398
Comments
I'm curious how 'noreply' email addresses would fit into this, e.g. GitHub's |
Good question! Some initial thoughts:
We will allow the configuration key to contain a subdomain, and For
Just that it's unique, not routable. This just provides a way for IDPs that only issue tokens for usernames to get domain-scoped certificates. |
Beginning work on this. |
Implementing the first part of sigstore#398, which adds support for subjects in OIDC tokens that are URIs. The implementation is very similar to SPIFFE-based tokens. Tokens must conform to the following: * The issuer of the token must partially match the domain in the configuration. This means that the scheme, top level domain, and second level domain must match. It is also expected that we validate that the requester who adds the configuration for the issuer has control over both the issuer and domain configuration fields (ACME). * The domain of the configuration and hostname of the subject of the token must match exactly. Slightly reworked the API test to test this issuer type. I'll follow up in a later PR with some more refactoring around this class, I think we can exercise the codepaths for all issuers. Signed-off-by: Hayden Blauzvern <[email protected]>
Implementing the first part of sigstore#398, which adds support for subjects in OIDC tokens that are URIs. The implementation is very similar to SPIFFE-based tokens. Tokens must conform to the following: * The issuer of the token must partially match the domain in the configuration. This means that the scheme, top level domain, and second level domain must match. It is also expected that we validate that the requester who adds the configuration for the issuer has control over both the issuer and domain configuration fields (ACME). * The domain of the configuration and hostname of the subject of the token must match exactly. Slightly reworked the API test to test this issuer type. I'll follow up in a later PR with some more refactoring around this class, I think we can exercise the codepaths for all issuers. Signed-off-by: Hayden Blauzvern <[email protected]>
Implementing the first part of sigstore#398, which adds support for subjects in OIDC tokens that are URIs. The implementation is very similar to SPIFFE-based tokens. Tokens must conform to the following: * The issuer of the token must partially match the domain in the configuration. This means that the scheme, top level domain, and second level domain must match. It is also expected that we validate that the requester who adds the configuration for the issuer has control over both the issuer and domain configuration fields (ACME). * The domain of the configuration and hostname of the subject of the token must match exactly. Slightly reworked the API test to test this issuer type. I'll follow up in a later PR with some more refactoring around this class, I think we can exercise the codepaths for all issuers. Signed-off-by: Hayden Blauzvern <[email protected]>
This implements the second part of sigstore#398, adding support for OIDC subjects that are simply usernames. A configured domain will be appended to the username and included as a SAN email address. Like sigstore#455, token issuers must partially match the configured domain. The top level and second level domain must match, and it's expected that we validate ownership for what's configured in the issuer and domain fields. Signed-off-by: Hayden Blauzvern <[email protected]>
* Add URI OIDC type to support URI subjects Implementing the first part of #398, which adds support for subjects in OIDC tokens that are URIs. The implementation is very similar to SPIFFE-based tokens. Tokens must conform to the following: * The issuer of the token must partially match the domain in the configuration. This means that the scheme, top level domain, and second level domain must match. It is also expected that we validate that the requester who adds the configuration for the issuer has control over both the issuer and domain configuration fields (ACME). * The domain of the configuration and hostname of the subject of the token must match exactly. Slightly reworked the API test to test this issuer type. I'll follow up in a later PR with some more refactoring around this class, I think we can exercise the codepaths for all issuers. Signed-off-by: Hayden Blauzvern <[email protected]> * Style changes based on comments Signed-off-by: Hayden Blauzvern <[email protected]>
Implementing the first part of sigstore#398, which adds support for subjects in OIDC tokens that are URIs. The implementation is very similar to SPIFFE-based tokens. Tokens must conform to the following: * The issuer of the token must partially match the domain in the configuration. This means that the scheme, top level domain, and second level domain must match. It is also expected that we validate that the requester who adds the configuration for the issuer has control over both the issuer and domain configuration fields (ACME). * The domain of the configuration and hostname of the subject of the token must match exactly. Slightly reworked the API test to test this issuer type. I'll follow up in a later PR with some more refactoring around this class, I think we can exercise the codepaths for all issuers. Signed-off-by: Hayden Blauzvern <[email protected]>
This implements the second part of sigstore#398, adding support for OIDC subjects that are simply usernames. A configured domain will be appended to the username and included as a SAN email address. Like sigstore#455, token issuers must partially match the configured domain. The top level and second level domain must match, and it's expected that we validate ownership for what's configured in the issuer and domain fields. Signed-off-by: Hayden Blauzvern <[email protected]>
This implements the second part of sigstore#398, adding support for OIDC subjects that are simply usernames. A configured domain will be appended to the username and included as a SAN email address. Like sigstore#455, token issuers must partially match the configured domain. The top level and second level domain must match, and it's expected that we validate ownership for what's configured in the issuer and domain fields. Signed-off-by: Hayden Blauzvern <[email protected]>
This implements the second part of sigstore#398, adding support for OIDC subjects that are simply usernames. A configured domain will be appended to the username and included as a SAN email address. Like sigstore#455, token issuers must partially match the configured domain. The top level and second level domain must match, and it's expected that we validate ownership for what's configured in the issuer and domain fields. Signed-off-by: Hayden Blauzvern <[email protected]>
* Add Username scoped to domain OIDC type This implements the second part of #398, adding support for OIDC subjects that are simply usernames. A configured domain will be appended to the username and included as a SAN email address. Like #455, token issuers must partially match the configured domain. The top level and second level domain must match, and it's expected that we validate ownership for what's configured in the issuer and domain fields. Signed-off-by: Hayden Blauzvern <[email protected]> * Refactor API tests This refactor adds tests for all supported OIDC types, and makes it simpler to add new tests for new OIDC types. * Add tests for K8s and GitHub OIDC types. * Add additional verification for issued certificate values * Add dedicated test for RootCert success, don't call RootCert in every test. * Move common expectations to function. This provides a single place to check response values. * Move common set up to dedicated functions. * Lowercase all error messages, because style. Signed-off-by: Hayden Blauzvern <[email protected]>
Background
As discussed in rubygems/rfcs#37, there is a desire to specify other values in OIDC tokens besides emails, SPIFFE IDs, or Github OIDC subjects. RubyGems is proposing using the profile URI as the subject of the OIDC token. As other IDPs integrate with Fulcio, subjects could also simply be usernames without any domain.
Integration with IDPs can be done with Dex or directly through Fulcio's list of OIDC issuers. For this issue, I will focus on the latter. There are benefits to integrating directly with Fulcio, primarily automation.
I propose that we add support for two types of domain-scoped subjects:
Details
We will add new Types for each of these flows.
Type:
uri
OIDC tokens must have a subject with the following structure:
domain/user-identifier
For example, consider RubyGems profiles. For
https://rubygems.org/profiles/username
, the domain ishttps://rubygems.org
and the user identifier isprofiles/username
. We will require that the issuer URL host (where the openid configuration is hosted) matches the domain specified in the token. It is up to the client to interpret the user identifier.Issued certificates will include the subject as a URI subject alternative name,
URI:domain/user-identifer
.Example configuration, assuming RubyGems sets up the IDP at
/auth
:Type:
user-with-domain
(name WIP)OIDC tokens must have a subject without a domain, for example a username or a user ID. As part of configuring the OIDC issuer, a domain will be specified. Like with
uri
, we will require that the issuer URL host matches the domain specified in the configuration.Issued certificates will include the subject as an email subject alternative name. Fuclio will concatenate the subject and domain specified in the config,
EMAIL:username@domain
.Example configuration:
Domain verification
Requiring that the issuer URL matches the domain specified in the token or configuration will mitigate the risk of a misconfigured IDP issuing tokens scoped to other domains. For example, if another trusted IDP attempted to issue a token with a subject of
https://rubygems.org/profiles/user
, on verification, Fulcio will only use the configuration namedhttps://rubygems.org
.For a future improvement, we can use a domain verification system like ACME to verify that a requester who wants to add an OIDC IDP to Fulcio has control over that domain.
The text was updated successfully, but these errors were encountered: