Skip to content

feat: Add custom OIDC issuers to orgs #18841

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom
Merged
merged 2 commits into from
Oct 10, 2025
Merged

feat: Add custom OIDC issuers to orgs #18841

merged 2 commits into from
Oct 10, 2025

Conversation

@miketheman
Copy link
Member

@miketheman miketheman commented Oct 10, 2025

Allows storing a specific issuer_url associated to an org, for later lookup.

Resolves #18831

@miketheman
feat(orgs): add 1-many relationship to OIDC issuers
1a11452 
Allows storing a specific `issuer_url` associated to the org, for later
lookup.

Signed-off-by: Mike Fiedler <miketheman@gmail.com>
@miketheman
feat(admin/orgs): set/remove org-based OIDC issuers
9d74a53 
Signed-off-by: Mike Fiedler <miketheman@gmail.com>
@miketheman miketheman requested a review from a team as a code owner October 10, 2025 17:20
@miketheman miketheman added admin Features needed for the Admin UI (people running the site) organizations trusted-publishing labels Oct 10, 2025
di
di approved these changes Oct 10, 2025
View reviewed changes
Copy link
Member

@di di left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

LGTM aside from one nit/question!

warehouse/organizations/models.py
Comment on lines +193 to +197
class OIDCIssuerType(enum.StrEnum):
GitHub = "github"
GitLab = "gitlab"
Google = "google"
ActiveState = "activestate"
Copy link
Member

@di di Oct 10, 2025

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

A nit, maybe this should live in /warehouse/oidc/ instead? Also, should we find some way to ensure this remains consistent with the polymorphic_identity used for each of the individual publisher model types?

Copy link
Member Author

@miketheman miketheman Oct 10, 2025

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

I put it here since it's only currently used by this module, but will happily move it later if this approach works well.
I like the idea of constraining the potential values, but will defer for now, since it'll need to modify the mixin to be an enum choice, not a string, and update here:

warehouse/warehouse/oidc/models/_core.py

Lines 118 to 127 in 9cfbbf9

class OIDCPublisherMixin:
"""
A mixin for common functionality between all OIDC publishers, including
"pending" publishers that don't correspond to an extant project yet.
"""
# Each hierarchy of OIDC publishers (both `OIDCPublisher` and
# `PendingOIDCPublisher`) use a `discriminator` column for model
# polymorphism, but the two are not mutually polymorphic at the DB level.
discriminator: Mapped[str | None] = mapped_column(String)

@miketheman miketheman merged commit 37ec614 into pypi:main Oct 10, 2025
24 of 25 checks passed
@miketheman miketheman deleted the miketheman/18831-store-org-publisher-issuers branch October 10, 2025 19:28
@miketheman miketheman mentioned this pull request Oct 17, 2025
Merged
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

@di di di approved these changes

Assignees

No one assigned

Labels

admin Features needed for the Admin UI (people running the site) organizations trusted-publishing

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

Register a custom OIDC Issuer URL for an Organization via PyPI Admin

2 participants

@miketheman @di