Skip to content

Support configurable OIDC issuers #62

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom
Merged
merged 10 commits into from
May 5, 2022
Merged

Support configurable OIDC issuers #62

merged 10 commits into from
May 5, 2022

Conversation

tetsuo-cpp
Copy link
Contributor

Signed-off-by: Alex Cameron [email protected]

Summary

This PR adds support for configurable OIDC issuers. An oidc-issuer flag has been added for this purpose. sigstore will query the issuer's .well-known/openid-configuration to find its endpoints and then use them to retrieve an OIDC token. The following flags have also been exposed since they need to be customised on a per issuer basis:

  • oidc-client-id
  • oidc-client-secret

@tetsuo-cpp
Copy link
Contributor Author

This works fine for the default issuer. I'm still looking for another issuer that I can use to test this without making some kind of billing account.

@tetsuo-cpp
Update README help text
b03a5a8 
Signed-off-by: Alex Cameron <[email protected]>
woodruffw
woodruffw reviewed Apr 30, 2022
View reviewed changes
woodruffw
woodruffw reviewed Apr 30, 2022
View reviewed changes
@woodruffw
cli: use more descriptive metavars
50ed063 
Signed-off-by: William Woodruff <[email protected]>
woodruffw
woodruffw reviewed Apr 30, 2022
View reviewed changes
@woodruffw
Copy link
Member

woodruffw commented Apr 30, 2022
edited
Loading

N.B.: I think sign will currently fail for issuers that aren't included in OIDC_ISSUERS, since we do this check:

        if iss not in OIDC_ISSUERS:
            raise IdentityError(f"Not a valid OIDC issuer: {iss!r}")

But perhaps that's intended behavior?

@tetsuo-cpp
Copy link
Contributor Author

N.B.: I think sign will currently fail for issuers that aren't included in OIDC_ISSUERS, since we do this check:

        if iss not in OIDC_ISSUERS:
            raise IdentityError(f"Not a valid OIDC issuer: {iss!r}")

But perhaps that's intended behavior?

Hmm, good point. I'll have a look and see how cosign handles this.

@tetsuo-cpp tetsuo-cpp self-assigned this May 2, 2022
@di
Copy link
Member

di commented May 3, 2022

As far as I can tell cosign doesn't handle it. I don't think it makes sense for us to maintain a separate list of the issuers that Fulcio supports, we should just let the user try to submit the certificate request and handle it if Fulcio fails.

@tetsuo-cpp
Copy link
Contributor Author

tetsuo-cpp commented May 3, 2022
edited
Loading

As far as I can tell cosign doesn't handle it. I don't think it makes sense for us to maintain a separate list of the issuers that Fulcio supports, we should just let the user try to submit the certificate request and handle it if Fulcio fails.

Do you mean that it should just assume that the challenge is the email signed? It's not going to work for Github Actions though. Maybe it should just default to using email for unrecognized issuers.

@woodruffw woodruffw force-pushed the alex/oidc-issuers branch from 2ab684f to 365a948 Compare May 3, 2022 16:19
@woodruffw woodruffw mentioned this pull request May 3, 2022
Closed
@woodruffw woodruffw assigned woodruffw and unassigned tetsuo-cpp May 3, 2022
@woodruffw
cli, sign, oidc: clarifying comments, relax issuer
e812ec3 
Use the `sub` claim for the proof of possession if we don't recognize
the issuer's URL.

Signed-off-by: William Woodruff <[email protected]>
@woodruffw
Copy link
Member

Do you mean that it should just assume that the challenge is the email signed? It's not going to work for Github Actions though. Maybe it should just default to using email for unrecognized issuers.

Based on my reading of https://github.com/sigstore/fulcio/blob/f6016fda1ec6f1bd550699c7b8f53c2057ada174/pkg/challenges/challenges.go#L437-L478, I think we should default to sub for most unrecognized issuers. That'll cause the proof of possession to fail if it's the wrong claim, but all of this should be obviated once we're using X.509 CSRs.

That's what I've done in e812ec3.

@woodruffw woodruffw requested a review from di May 4, 2022 15:30
tetsuo-cpp
tetsuo-cpp commented May 5, 2022
View reviewed changes
Copy link
Contributor Author

@tetsuo-cpp tetsuo-cpp left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Nice. This is looking good.

I can't approve this since I opened this PR. If one of you could approve, I think this is good to go.

@woodruffw woodruffw merged commit 6117638 into main May 5, 2022
@woodruffw woodruffw deleted the alex/oidc-issuers branch May 5, 2022 13:29
javanlacerda pushed a commit to javanlacerda/sigstore-python that referenced this pull request Feb 23, 2024
@woodruffw
action: restrict label check to third-party PRs (sigstore#62)
372530b 
Signed-off-by: William Woodruff <[email protected]>

Signed-off-by: William Woodruff <[email protected]>
javanlacerda pushed a commit to javanlacerda/sigstore-python that referenced this pull request Feb 23, 2024
@woodruffw
Revert "action: restrict label check to third-party PRs (sigstore#62)"
b76987f 
This reverts commit 372530b.
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers

@woodruffw woodruffw woodruffw approved these changes

@di di Awaiting requested review from di

Assignees

@woodruffw woodruffw

Labels
None yet
Projects
None yet
Milestone
No milestone
Development

Successfully merging this pull request may close these issues.
3 participants
@tetsuo-cpp @woodruffw @di