updating oidc information #366
There are no files selected for viewing
| Original file line number | Diff line number | Diff line change |
|---|---|---|
|
|
@@ -19,16 +19,32 @@ | |
| Email-based OIDC providers use the user's email as the subject of the certificate. | ||
|
|
||
| * Dex (`oauth2.sigstore.dev/auth`) | ||
| * GitHub (Note that this is the email of the user, not the GitHub username) | ||
|
Check failure on line 22 in content/en/certificate_authority/oidc-in-fulcio.md
|
||
|
Check failure on line 23 in content/en/certificate_authority/oidc-in-fulcio.md
|
||
| * Microsoft | ||
|
Check failure on line 24 in content/en/certificate_authority/oidc-in-fulcio.md
|
||
| * Google (`accounts.google.com`) | ||
|
|
||
| ### Source repository | ||
|
|
||
| #### GitHub | ||
|
|
||
| GitHub supports OIDC tokens for its workflows initiated from GitHub Actions. This removes the need for persisting authentication credentials. OIDC tokens include information about the workflow and source repository. | ||
|
|
||
| You must include the proper permissions in your workflow to use an OIDC token. | ||
|
|
||
| ```yaml | ||
| permissions: | ||
| id-token: write | ||
| ``` | ||
|
|
||
| When verifying a signature generated through a workflow on GitHub, you can expect the following values: | ||
|
|
||
| * **certificate-oidc-issuer**: https://token.actions.githubusercontent.com | ||
| * **certificate-identity**: https://github.com/USERNAME/REPOSITORY_NAME/.github/workflows/WORKFLOW_NAME@refs/heads/BRANCH_NAME | ||
|
|
||
| Sigstore currently offers two different GitHub Actions ([`consign-installer`](https://github.com/marketplace/actions/cosign-installer) and [`gh-action-sigstore-installer`](https://github.com/sigstore/gh-action-sigstore-python)) to help you easily integrate Sigstore into your workflows. You can learn more about them in our [CI Quickstart]({{< relref "quickstart/quickstart-ci">}}) | ||
|
|
||
| #### GitLab | ||
|
|
||
| GitLab supports OIDC tokens for its workflows initiated from GitLab CI/CD pipelines. This removes the need for persisting authentication credentials. OIDC tokens include information about the workflow and source repository. | ||
|
|
||
|
|
@@ -69,7 +85,7 @@ | |
|
|
||
| For example, `iss` could be `https://oauth2.sigstore.dev/auth` or `https://token.actions.githubusercontent.com`. | ||
|
|
||
| ``` | ||
|
Check failure on line 88 in content/en/certificate_authority/oidc-in-fulcio.md
|
||
| { | ||
| "aud": "sigstore" | ||
| "iss": "<uri>" | ||
|
|
@@ -84,7 +100,7 @@ | |
|
|
||
| In addition to the standard JWT claims, the token must include the following claims: | ||
|
|
||
| ``` | ||
|
Check failure on line 103 in content/en/certificate_authority/oidc-in-fulcio.md
|
||
| { | ||
| "email_verified": true | ||
| "email": "[email protected]" | ||
|
|
@@ -97,7 +113,7 @@ | |
|
|
||
| The token must include the following claims: | ||
|
|
||
| ``` | ||
|
Check failure on line 116 in content/en/certificate_authority/oidc-in-fulcio.md
|
||
| { | ||
| "job_workflow_ref": "octo-org/octo-automation/.github/workflows/oidc.yml@refs/heads/main" | ||
| "sha": "example-sha", | ||
|
|
@@ -143,7 +159,7 @@ | |
|
|
||
| The token must include the following claims: | ||
|
|
||
| ``` | ||
|
Check failure on line 162 in content/en/certificate_authority/oidc-in-fulcio.md
|
||
| { | ||
| "sub": "spiffe://foo.example.com" | ||
| } | ||
|
|
@@ -159,11 +175,11 @@ | |
|
|
||
| The token must include the following claims: | ||
|
|
||
| ``` | ||
|
Check failure on line 178 in content/en/certificate_authority/oidc-in-fulcio.md
|
||
| { | ||
| "kubernetes.io": { | ||
| "namespace": "default", | ||
|
Check failure on line 181 in content/en/certificate_authority/oidc-in-fulcio.md
|
||
| "pod": { | ||
|
Check failure on line 182 in content/en/certificate_authority/oidc-in-fulcio.md
|
||
| "name": "oidc-test", | ||
| "uid": "49ad3572-b3dd-43a6-8d77-5858d3660275" | ||
| }, | ||
|
|
||
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.