Add email to JWT claims

[ChevronTango]

Is your feature request related to a problem?

I would like to use the tokens generated from gp idp token with gitsign and fulcio but they are missing certain claims for that to work.

{
  "iss": "https://api.gitpod.io/idp",
  "aud": [
    "sigstore"
  ],
  "azp": "sigstore",
  "c_hash": "",
  "exp": 1683410309,
  "iat": 1683406709,
  "auth_time": 1683406709,
  "sub": "https://gitlab.com/ChevronTango/gpg-test/-/tree/main/",
  "name": "ChevronTango"
}

Describe the behaviour you'd like

Please include a additional email and email_verified claims in the JWT token.

https://github.com/sigstore/fulcio/blob/main/docs/oidc.md#email-1

Describe alternatives you've considered

Additional context

Support for fulcio allows me to progress my investigation as part of #666

[loujaybee]

Thanks for raising 🙏 We are actively looking into our OIDC support, and will take a look further into this @ChevronTango ! Hopefully we can move the current token implementation to a more visible beta status soon, and then we can look at modifying and adding additional claims as you suggested!

[ChevronTango]

Thanks for raising 🙏 We are actively looking into our OIDC support, and will take a look further into this @ChevronTango ! Hopefully we can move the current token implementation to a more visible beta status soon, and then we can look at modifying and adding additional claims as you suggested!

Thanks @loujaybee. This is very exciting and I'm keen to help get it out ASAP. It unlocks a lot of potential for Gitpod, so if there's anything we can do to help do let us know.

[loujaybee]

Thanks for the quick turnaround, on the pull request @csweichel !

Question: Do we not also need to proxy through the email_verified property of the user info from the IDP? I believe that claim is also required for the Fulcio integration? (see docs), though I can also try when this is released/deployed.

[ChevronTango]

Thanks for the quick turnaround, on the pull request @csweichel !

Question: Do we not also need to proxy through the email_verified property of the user info from the IDP? I believe that claim is also required for the Fulcio integration? (see docs), though I can also try when this is released/deployed.

email_verified is indeed required and I'm tempted to say this issue isn't complete yet without it, though I am immensly grateful for the very rapid turn around! Thanks a lot guys. Any chance we can add that extra field in before we close this?

[filiptronicek]

I think there might be hope still with this deployment 😄! Although I'm not familiar with the OIDC go package we are using, I poked around the documentation and it seems that email_verified might be a field that automatically gets added with the second argument of the setter function.

https://github.com/zitadel/oidc/blob/cdf2af6c2c3b10b3c066ae28ff43e7acd5a6e0b4/pkg/oidc/userinfo.go#L56-L64

type UserInfoSetter interface {
	UserInfo
	SetSubject(sub string)
	UserInfoProfileSetter
	SetEmail(email string, verified bool)
	SetPhone(phone string, verified bool)
	SetAddress(address UserInfoAddress)
	AppendClaims(key string, values interface{})
}

[filiptronicek]

@ChevronTango should be good. Have a nice weekend :)! I think this will deploy on Monday, but running from sources it works.

[ChevronTango]

You are a star @filiptronicek, much appreciated... now we just need to get everything else working!

[csweichel]

email_verified

email_verified was a last minute addition to the original PR :)