Right now, the sub claim for OIDC is set to org/ORGANIZATION_ID/project/PROJECT_ID/user/USER_ID.
For customers who would like to set up OIDC with Azure, Azure has a strict restriction on checking the sub claim.
In particular, Azure does not allow wildcard character matching.
This means customers would need to add a list of all possible users on Azure as a workaround.
It would be great if we could allow customization of what the sub claim's value can be.
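The following Python sketch is an added example, not code from the original post or from any vendor. It models the exact-match check on sub described above and shows why the workaround needs one entry per user. The IDs are constructed placeholders, the function names are hypothetical, and fnmatch stands in for the wildcard matching that the post says is not available.

```python
# Added example: exact-match vs. wildcard checking of the sub claim (constructed IDs).
import fnmatch

SUB_FORMAT = "org/{org}/project/{project}/user/{user}"  # format quoted in the post

def build_sub(org, project, user):
    return SUB_FORMAT.format(org=org, project=project, user=user)

def parse_sub(sub):
    """Split a sub claim into its labelled parts; reject anything malformed."""
    parts = sub.split("/")
    if (len(parts) != 6 or parts[0::2] != ["org", "project", "user"]
            or not all(parts[1::2])):
        raise ValueError(f"unexpected sub format: {sub!r}")
    return dict(zip(parts[0::2], parts[1::2]))

def exact_match(sub, allowed_subjects):
    """Literal comparison: a '*' inside an entry is just an ordinary character."""
    return sub in allowed_subjects

def wildcard_match(sub, patterns):
    """Glob-style matching, shown only for contrast with exact_match."""
    return any(fnmatch.fnmatchcase(sub, p) for p in patterns)

def enumerate_subjects(org, project, users):
    """The workaround from the post: one allowed subject per user."""
    return {build_sub(org, project, u) for u in users}

# Constructed sample values (assumptions, not real identifiers).
ORG, PROJ = "org-0001", "proj-0001"
USERS = ["user-a", "user-b", "user-c"]

if __name__ == "__main__":
    allowed = enumerate_subjects(ORG, PROJ, USERS)
    pattern = build_sub(ORG, PROJ, "*")
    for user in USERS + ["user-new"]:
        sub = build_sub(ORG, PROJ, user)
        print(user,
              "exact:", exact_match(sub, allowed),
              "pattern-as-literal:", exact_match(sub, {pattern}),
              "wildcard:", wildcard_match(sub, [pattern]))
```

A user who is not yet in the enumerated list fails the exact check until a new entry is added, which is the maintenance cost the post describes. A wildcard on the user segment would accept every user in the project, so it widens trust to the project level.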