Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Allow for multiple OIDC providers. #96

Merged
merged 1 commit into from
May 20, 2021
Merged

Allow for multiple OIDC providers. #96

merged 1 commit into from
May 20, 2021

Conversation

dlorenc
Copy link
Member

@dlorenc dlorenc commented May 16, 2021

Signed-off-by: Dan Lorenc dlorenc@google.com

@dlorenc
Copy link
Member Author

dlorenc commented May 16, 2021

I think we might want a way to "hint" at the proper issuer via a header or query parameter here. We could pull it out of the JWT itself, but that seems more error-prone.

Going through them in a list is fine but we should probably add the hint if we want to support more than a few.

@lukehinds
Copy link
Member

What's the use case here, is it fail over type system if the first provider is unavailable (iterate over several providers?)

Allow for multiple OIDC providers.
486a444 
This is useful for validating identity tokens granted by systems other
than our dex endpoint. For GCP, a service account can manually generate
an identity token for a specific audience (sigstore).

By allowing other issues, we can validate these tokens in Fulcio.

Signed-off-by: Dan Lorenc <dlorenc@google.com>
@dlorenc
Copy link
Member Author

dlorenc commented May 17, 2021

What's the use case here, is it fail over type system if the first provider is unavailable (iterate over several providers?)

Left some more text in the description, but I think this would make eventual federation and headless modes easier.

@dlorenc dlorenc changed the title WIP: Allow for multiple OIDC providers. Allow for multiple OIDC providers. May 19, 2021
bobcallaway
bobcallaway approved these changes May 20, 2021
View reviewed changes
Copy link
Member

@bobcallaway bobcallaway left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

use case makes sense... would be nice to specify client ID separately for each issuer but for now this should be fine

@dlorenc dlorenc mentioned this pull request May 20, 2021
Closed
@dlorenc
Copy link
Member Author

dlorenc commented May 20, 2021

use case makes sense... would be nice to specify client ID separately for each issuer but for now this should be fine

Opened #100 to track that

@dlorenc dlorenc merged commit f6d04c6 into sigstore:main May 20, 2021
@dlorenc dlorenc deleted the multi branch May 20, 2021 21:36
tommyd450 added a commit to tommyd450/fulcio that referenced this pull request Apr 19, 2024
@tommyd450
Merge pull request sigstore#96 from tommyd450/triggerBuild
0a73354 
Triggering new Build
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers

@lukehinds lukehinds lukehinds approved these changes

@bobcallaway bobcallaway bobcallaway approved these changes

Assignees
No one assigned
Labels
None yet
Projects
None yet
Milestone
No milestone
Development

Successfully merging this pull request may close these issues.
3 participants
@dlorenc @lukehinds @bobcallaway