sigstore · haydentherapper · Feb 23, 2023 · Feb 16, 2023
diff --git a/pkg/config/config.go b/pkg/config/config.go
@@ -76,6 +76,9 @@ type OIDCIssuer struct {
 	// issue ID tokens for. Tokens with a different trust domain will be
 	// rejected.
 	SPIFFETrustDomain string `json:"SPIFFETrustDomain,omitempty"`
+	// Optional, the challenge claim expected for the issuer
+	// Set if using a custom issuer
+	ChallengeClaim string `json:"ChallengeClaim,omitempty"`
 }
 
 func metaRegex(issuer string) (*regexp.Regexp, error) {
@@ -167,7 +170,7 @@ func (fc *FulcioConfig) ToIssuers() []*fulciogrpc.OIDCIssuer {
 			Issuer:            &fulciogrpc.OIDCIssuer_IssuerUrl{IssuerUrl: cfgIss.IssuerURL},
 			Audience:          cfgIss.ClientID,
 			SpiffeTrustDomain: cfgIss.SPIFFETrustDomain,
-			ChallengeClaim:    issuerToChallengeClaim(cfgIss.Type),
+			ChallengeClaim:    issuerToChallengeClaim(cfgIss.Type, cfgIss.ChallengeClaim),
 		}
 		issuers = append(issuers, issuer)
 	}
@@ -177,7 +180,7 @@ func (fc *FulcioConfig) ToIssuers() []*fulciogrpc.OIDCIssuer {
 			Issuer:            &fulciogrpc.OIDCIssuer_WildcardIssuerUrl{WildcardIssuerUrl: metaIss},
 			Audience:          cfgIss.ClientID,
 			SpiffeTrustDomain: cfgIss.SPIFFETrustDomain,
-			ChallengeClaim:    issuerToChallengeClaim(cfgIss.Type),
+			ChallengeClaim:    issuerToChallengeClaim(cfgIss.Type, cfgIss.ChallengeClaim),
 		}
 		issuers = append(issuers, issuer)
 	}
@@ -303,7 +306,7 @@ func validateConfig(conf *FulcioConfig) error {
 			}
 		}
 
-		if issuerToChallengeClaim(issuer.Type) == "" {
+		if issuerToChallengeClaim(issuer.Type, issuer.ChallengeClaim) == "" {
 			return errors.New("issuer missing challenge claim")
 		}
 	}
@@ -315,7 +318,7 @@ func validateConfig(conf *FulcioConfig) error {
 			return errors.New("SPIFFE meta issuers not supported")
 		}
 
-		if issuerToChallengeClaim(metaIssuer.Type) == "" {
+		if issuerToChallengeClaim(metaIssuer.Type, metaIssuer.ChallengeClaim) == "" {
 			return errors.New("issuer missing challenge claim")
 		}
 	}
@@ -458,7 +461,10 @@ func validateAllowedDomain(subjectHostname, issuerHostname string) error {
 	return fmt.Errorf("hostname top-level and second-level domains do not match: %s, %s", subjectHostname, issuerHostname)
 }
 
-func issuerToChallengeClaim(issType IssuerType) string {
+func issuerToChallengeClaim(issType IssuerType, challengeClaim string) string {
+	if challengeClaim != "" {
+		return challengeClaim
+	}
 	switch issType {
 	case IssuerTypeBuildkiteJob:
 		return "sub"

diff --git a/pkg/config/config_test.go b/pkg/config/config_test.go
@@ -30,7 +30,8 @@ var validCfg = `
 		"https://accounts.google.com": {
 			"IssuerURL": "https://accounts.google.com",
 			"ClientID": "foo",
-			"Type": "email"
+			"Type": "email",
+			"ChallengeClaim": "email"
 		}
 	},
 	"MetaIssuers": {
@@ -470,31 +471,35 @@ func Test_validateAllowedDomain(t *testing.T) {
 }
 
 func Test_issuerToChallengeClaim(t *testing.T) {
-	if claim := issuerToChallengeClaim(IssuerTypeEmail); claim != "email" {
+	if claim := issuerToChallengeClaim(IssuerTypeEmail, ""); claim != "email" {
 		t.Fatalf("expected email subject claim for email issuer, got %s", claim)
 	}
-	if claim := issuerToChallengeClaim(IssuerTypeSpiffe); claim != "sub" {
+	if claim := issuerToChallengeClaim(IssuerTypeSpiffe, ""); claim != "sub" {
 		t.Fatalf("expected sub subject claim for SPIFFE issuer, got %s", claim)
 	}
-	if claim := issuerToChallengeClaim(IssuerTypeUsername); claim != "sub" {
+	if claim := issuerToChallengeClaim(IssuerTypeUsername, ""); claim != "sub" {
 		t.Fatalf("expected sub subject claim for username issuer, got %s", claim)
 	}
-	if claim := issuerToChallengeClaim(IssuerTypeURI); claim != "sub" {
+	if claim := issuerToChallengeClaim(IssuerTypeURI, ""); claim != "sub" {
 		t.Fatalf("expected sub subject claim for URI issuer, got %s", claim)
 	}
-	if claim := issuerToChallengeClaim(IssuerTypeBuildkiteJob); claim != "sub" {
+	if claim := issuerToChallengeClaim(IssuerTypeBuildkiteJob, ""); claim != "sub" {
 		t.Fatalf("expected sub subject claim for Buildkite issuer, got %s", claim)
 	}
-	if claim := issuerToChallengeClaim(IssuerTypeGithubWorkflow); claim != "sub" {
+	if claim := issuerToChallengeClaim(IssuerTypeGithubWorkflow, ""); claim != "sub" {
 		t.Fatalf("expected sub subject claim for GitHub issuer, got %s", claim)
 	}
-	if claim := issuerToChallengeClaim(IssuerTypeKubernetes); claim != "sub" {
+	if claim := issuerToChallengeClaim(IssuerTypeKubernetes, ""); claim != "sub" {
 		t.Fatalf("expected sub subject claim for K8S issuer, got %s", claim)
 	}
-	// unexpected issuer has empty claim
-	if claim := issuerToChallengeClaim("invalid"); claim != "" {
+	// unexpected issuer has empty claim and no claim was provided
+	if claim := issuerToChallengeClaim("invalid", ""); claim != "" {
 		t.Fatalf("expected no claim for invalid issuer, got %s", claim)
 	}
+	// custom issuer provides a claim
+	if claim := issuerToChallengeClaim("custom", "email"); claim != "email" {
+		t.Fatalf("expected email subject claim for custom issuer, got %s", claim)
+	}
 }
 
 func TestToIssuers(t *testing.T) {