Customizable audience claim in OIDC tokens
Nathan Smith
A key security aspect of OIDC tokens is that an issuer provides them with audience fields specific to the third party they will be used to authenticate with.
For example, a token issued to authenticate to AWS should have an audience set to sts.amazonaws.com. This ensures that tokens issued to authenticate with one party are not abused to authenticate against a different one should the token be leaked accidentally.
It would be awesome if the OIDC tokens now injected into builds in the CIRCLE_OIDC_TOKEN environment variable could have specific audiences set instead of the current Org UUID, which provides no additional meaningful information to create policy information against (indeed it is already encoded in the subject).
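The relying-party side of the audience check described above, as an added example that is not part of the original request or of CircleCI's code: the verifier accepts a token only if its own identifier appears in "aud", so a token minted for sts.amazonaws.com cannot be replayed against another party, and a token whose audience is only an org UUID is rejected. The key, issuer URL, subject and UUID are constructed placeholders; a real verifier checks the issuer's asymmetric signature against its published JWKS rather than a shared HMAC key.

```python
import base64
import hashlib
import hmac
import json

# Constructed demo key and issuer. A real relying party verifies the issuer's
# asymmetric signature against its published JWKS; HMAC keeps this self-contained.
DEMO_KEY = b"constructed-demo-key-not-for-real-use"
DEMO_ISSUER = "https://oidc.example.test"

def _b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()

def _b64url_decode(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))

def make_token(claims: dict, key: bytes = DEMO_KEY) -> str:
    """Mint a constructed HS256 JWT carrying the given claims (test data only)."""
    header = _b64url(json.dumps({"alg": "HS256", "typ": "JWT"}).encode())
    body = _b64url(json.dumps(claims).encode())
    sig = hmac.new(key, f"{header}.{body}".encode(), hashlib.sha256).digest()
    return f"{header}.{body}.{_b64url(sig)}"

def verify_token(token: str, expected_aud: str, now: float,
                 expected_iss: str = DEMO_ISSUER, key: bytes = DEMO_KEY) -> dict:
    """Check signature, issuer, expiry and audience; raise ValueError on failure."""
    header, body, sig = token.split(".")  # ValueError if not three segments
    expected_sig = hmac.new(key, f"{header}.{body}".encode(), hashlib.sha256).digest()
    if not hmac.compare_digest(expected_sig, _b64url_decode(sig)):
        raise ValueError("bad signature")
    claims = json.loads(_b64url_decode(body))
    if claims.get("iss") != expected_iss:
        raise ValueError("unexpected issuer")
    if claims.get("exp", 0) <= now:
        raise ValueError("token expired")
    # RFC 7519: "aud" is one string or a list. The relying party must find its own
    # identifier there; otherwise the token was minted for someone else and is rejected.
    aud = claims.get("aud")
    audiences = aud if isinstance(aud, list) else [aud]
    if expected_aud not in audiences:
        raise ValueError(f"audience {aud!r} does not include {expected_aud!r}")
    return claims

def accepts(token: str, expected_aud: str, now: float = 1_700_000_000) -> bool:
    """True if the party identified by expected_aud would accept this token."""
    try:
        verify_token(token, expected_aud, now)
        return True
    except ValueError:
        return False
```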
Activity
Nathan Smith
If this audience claim was customizable, it would allow the CircleCI OIDC tokens to be used with https://sigstore.dev. Sigstore makes it easy to sign containers and other artifacts without having to worry about key management. Folks are currently signing over 8000 artifacts a day in Github Actions from ~500 different repositories using this method.