Token fixes #412
Open
Token fixes #412
Commits on Oct 23, 2024
-
oauth: Add simple test for an interactive token
Signed-off-by: Jussi Kukkonen <[email protected]>
-
oauth: Fix the token identity handling
* Make email optional when parsing JWT (e.g. GitHub actions does not use it) * Add IdentityToken.identity field: this is the identity claim that we believe Fulcio uses for this issuer * Fix the bundle signing so it uses the new identity field * Add test with a GitHub Actions token Note that signing with a Sub claim is still not supported but we're now a bit closer. Signed-off-by: Jussi Kukkonen <[email protected]>
-
bundle: Just use email OID regardless of actual value
Apparently Fulcio does not care about the CSR subject: just claim everything is an email. https://github.com/sigstore/fulcio/blob/main/fulcio.proto#L106 Signed-off-by: Jussi Kukkonen <[email protected]>
Commits on Oct 24, 2024
-
oauth: Make it clear that identity claim is untrusted
We don't judge the claims that OIDC provider makes (apart from some compatibility checks): make this clear in the API and docs. Signed-off-by: Jussi Kukkonen <[email protected]>
Add this suggestion to a batch that can be applied as a single commit.
This suggestion is invalid because no changes were made to the code.
Suggestions cannot be applied while the pull request is closed.
Suggestions cannot be applied while viewing a subset of changes.
Only one suggestion per line can be applied in a batch.
Add this suggestion to a batch that can be applied as a single commit.
Applying suggestions on deleted lines is not supported.
You must change the existing code in this line in order to create a valid suggestion.
Outdated suggestions cannot be applied.
This suggestion has been applied or marked resolved.
Suggestions cannot be applied from pending reviews.
Suggestions cannot be applied on multi-line comments.
Suggestions cannot be applied while the pull request is queued to merge.
Suggestion cannot be applied right now. Please check back later.