
Workload ID: SPIFFE JWT OIDC IDToken Compatibility #46279

Closed
strideynet opened this issue Sep 5, 2024 · 1 comment · Fixed by #47079
Labels: feature-request, machine-id

Comments

@strideynet (Contributor)

As of #38930, Teleport Workload ID will support issuing JWT SVIDs.

We can make these more useful by also adding compliance with the OIDC Discovery specification.

This will involve:

  • Adding an iss to the token claims
  • Hosting an OpenID configuration document at the well-known location based on that iss
  • Publishing the SPIFFE CA JWT public keys as part of a JWKS format document.

Decisions:

  • Should we reuse the "iss" value strategy we use for the AWS OIDC integration, and hence extend the existing JWKS document to also include the SPIFFE CA JWT public keys? Or should we have a distinct issuer, e.g. spiffe.example.teleport.sh or example.teleport.sh/spiffe?
  • Should we expect to have problems where the proxies have multiple domain names and there isn't a clear issuer to select?
@strideynet (Contributor, Author)

https://openid.net/specs/openid-connect-discovery-1_0.html

The issuer value returned MUST be identical to the Issuer URL that was used as the prefix to /.well-known/openid-configuration to retrieve the configuration information. This MUST also be identical to the iss Claim value in ID Tokens issued from this Issuer.
