Open jglick opened 2 years ago
Hi @jglick
Sorry, I hadn't seen this. I also opened an issue here and I'm starting to work on a PR. Please let me know if you have any additional suggestions.
Hi, I tried to do an implementation of this while testing out a GCP deployment: https://github.com/MadsJakobsen/oidc-provider-plugin/commit/07986abdc2d4ab60f22340de1b688805ced88780. I also saw that jwt-support-plugin had a similar concept: https://github.com/jenkinsci/jwt-support-plugin/blob/79da649f05c3ab02866e94a5dd8721695cdb45ba/src/main/java/io/jenkins/plugin/auth/jwt/JwtTokenDecorator.java#L11
I don't think I'm proficient enough in OpenID to create a proper PR, but I would certainly find the feature useful, so if there is anything I can do to help, like testing, then please let me know 🙏
https://github.com/jenkinsci/oidc-provider-plugin/compare/master...MadsJakobsen:oidc-provider-plugin:feature/add-extension-point-for-claims is the right idea, yes. (Would have a bunch of minor suggestions if that were a PR.) Would provide a cleaner way of implementing the likes of #16.
an implementation of this while testing out a GCP deployment
Sounds like you might use this plugin in anger. Do you feel like becoming a maintainer? I do not really have the time to give it the attention it deserves, and I lack a feel for how it will be used in realistic contexts.
It would be nice to create claims using Groovy, like in this issue https://github.com/jenkinsci/oidc-provider-plugin/issues/22; the GitHub repo could be got by
GITHUB_SLUG = env.JOB_NAME.split("/")[0..1].join("/")
And maybe more: GitHub org, repo. With those claims, many things could be possible, like setting a bunch of shared secrets in Vault for an organization, or a specific secret for a single repo.
But right now, with the simple JOB_NAME, nothing can be achieved.
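The comment above argues that org/repo claims derived from JOB_NAME would let a secrets store scope secrets per organization or per repository. The following is an added example, not code from the oidc-provider-plugin or from anyone in this thread: it ports the Groovy slug one-liner to Python, enriches a constructed claim set with hypothetical github_org/github_repo claims, and shows a relying-party policy that grants secret paths only when issuer and audience match and the repository claims are present. Claim names, the issuer URL, the audience and the secret paths are all assumptions; signature verification of the token is assumed to have happened already in a JWT library.

```python
"""Illustrative consumer-side policy for job-scoped OIDC claims.

Added example, not code from the oidc-provider-plugin or from this thread.
It assumes the ID token has already been signature-verified by a JWT
library and shows how a relying party (e.g. a secrets store) could bind
secret paths to org/repo claims derived from JOB_NAME.
"""
from __future__ import annotations

import fnmatch
from dataclasses import dataclass
from typing import Optional

# Constructed sample payload. The claim names job_name/github_org/github_repo
# are hypothetical; the real names would be whatever the extension point emits.
SAMPLE_CLAIMS = {
    "iss": "https://jenkins.example.test/oidc",
    "aud": "vault",
    "sub": "jenkins",
    "job_name": "my-org/my-repo/main",
}


def github_slug(job_name: str) -> Optional[str]:
    """Port of the Groovy one-liner env.JOB_NAME.split("/")[0..1].join("/")
    for multibranch jobs laid out as org/repo/branch. Returns None instead of
    a partial slug when the job name has fewer than two non-empty segments,
    so a freestyle job cannot be mistaken for a repository."""
    parts = job_name.split("/")
    if len(parts) < 2 or not parts[0] or not parts[1]:
        return None
    return f"{parts[0]}/{parts[1]}"


def with_repo_claims(claims: dict) -> dict:
    """Return a copy of the claims enriched with github_org/github_repo,
    the way a claim-injecting extension might do it on the issuer side."""
    enriched = dict(claims)
    slug = github_slug(claims.get("job_name", ""))
    if slug is not None:
        org, repo = slug.split("/")
        enriched["github_org"] = org
        enriched["github_repo"] = repo
    return enriched


def token_is_acceptable(claims: dict, expected_iss: str, expected_aud: str) -> bool:
    """Issuer and audience must match before any claim is trusted for policy.
    aud may be a string or a list, as the JWT spec allows."""
    aud = claims.get("aud")
    auds = aud if isinstance(aud, list) else [aud]
    return claims.get("iss") == expected_iss and expected_aud in auds


@dataclass(frozen=True)
class Rule:
    org: str
    repo_glob: str      # "*" grants every repo in the org
    secret_path: str


# Constructed policy: org-wide shared secrets plus one repo-specific secret.
POLICY = [
    Rule("my-org", "*", "secret/my-org/shared"),
    Rule("my-org", "my-repo", "secret/my-org/my-repo"),
    Rule("other-org", "*", "secret/other-org/shared"),
]


def permitted_secrets(claims: dict, expected_iss: str, expected_aud: str) -> list[str]:
    """Secret paths the token may read; empty if the token is not acceptable
    or carries no repository claims (a bare job_name grants nothing)."""
    if not token_is_acceptable(claims, expected_iss, expected_aud):
        return []
    org = claims.get("github_org")
    repo = claims.get("github_repo")
    if not org or not repo:
        return []
    return [r.secret_path for r in POLICY
            if r.org == org and fnmatch.fnmatchcase(repo, r.repo_glob)]


if __name__ == "__main__":
    enriched = with_repo_claims(SAMPLE_CLAIMS)
    print(permitted_secrets(enriched, SAMPLE_CLAIMS["iss"], "vault"))
```

Two design points: the slug helper refuses to produce a one-segment slug rather than silently returning whatever is there, so a job outside a multibranch folder never matches an org-wide rule; and the policy is evaluated only after issuer and audience checks, so a token minted for a different relying party cannot be replayed against the secrets store even if its repository claims look right.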
May be desirable to allow this or other plugins to inject additional claims into the token when sensible and available, e.g.: