jenkinsci / oidc-provider-plugin

OpenID Connect Provider Plugin for Jenkins
https://plugins.jenkins.io/oidc-provider/
MIT License
22 stars 13 forks

Extension point for claims #6

Open jglick opened 2 years ago

jglick commented 2 years ago

May be desirable to allow this or other plugins to inject additional claims into the token when sensible and available, e.g.:

LucaPrete commented 2 years ago

Hi @jglick

Sorry I haven't seen this. I opened also an issue here and I'm starting working on a PR. Please, let me know if you have any additional suggestions.

madsjakobsen commented 2 years ago

Hi, I tried to do an implementation of this while testing out a GCP deployment: https://github.com/MadsJakobsen/oidc-provider-plugin/commit/07986abdc2d4ab60f22340de1b688805ced88780. I also saw jwt-support-plugin had a similar concept: https://github.com/jenkinsci/jwt-support-plugin/blob/79da649f05c3ab02866e94a5dd8721695cdb45ba/src/main/java/io/jenkins/plugin/auth/jwt/JwtTokenDecorator.java#L11

I don't think I'm proficient enough in OpenID to create a proper PR, but I would certainly find the feature useful, so if there is anything I can do to help, like testing, then please let me know 🙏

jglick commented 2 years ago

https://github.com/jenkinsci/oidc-provider-plugin/compare/master...MadsJakobsen:oidc-provider-plugin:feature/add-extension-point-for-claims is the right idea, yes. (Would have a bunch of minor suggestions if that were a PR.) Would provide a cleaner way of implementing the likes of #16.

jglick commented 2 years ago

an implementation of this while testing out a GCP deployment

Sounds like you might use this plugin in anger. Do you feel like becoming a maintainer? I do not really have the time to give it the attention it deserves, and I lack a feel for how it will be used in realistic contexts.

LeoQuote commented 9 months ago

It would be nice to create claims using Groovy. Like in this issue https://github.com/jenkinsci/oidc-provider-plugin/issues/22, the GitHub repo could be got by

GITHUB_SLUG = env.JOB_NAME.split("/")[0..1].join("/")

And maybe more: GitHub org, repo. With those claims, many things could be possible, like setting a bunch of shared secrets in Vault for an organization, or a specific secret for a single repo.

But right now, with the simple JOB_NAME, nothing can be achieved.
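The two ideas raised in this thread, an extension point that injects extra claims into the token and deriving GitHub org/repo claims from JOB_NAME, can be sketched together. The following is an added example and is not code from the oidc-provider-plugin, jwt-support-plugin or any commenter; the claim names (github_org, github_repo, github_slug, github_ref), the sample base claims and the policies are constructed assumptions. It mirrors the Groovy one-liner above but returns nothing instead of throwing when JOB_NAME has fewer than two segments, keeps extension-supplied claims from overwriting the reserved claims the issuer controls, and shows the consumer-side check a Vault-style bound-claims policy would perform.

```python
"""Added example (not plugin code): derive extra OIDC claims from a Jenkins
JOB_NAME, merge them into a token claim set without clobbering reserved
claims, and evaluate a bound-claims policy on the relying-party side."""

# Claims the issuer itself sets; an extension must not be able to override them.
RESERVED_CLAIMS = frozenset({"iss", "sub", "aud", "exp", "iat", "nbf", "jti"})


def derive_github_claims(job_name):
    """Map a JOB_NAME such as 'my-org/my-repo/main' to GitHub claims.

    Same split as the Groovy line in the thread, but returns None instead of
    raising when fewer than two segments are present.  Assumes, as the thread
    does, that the first two segments are the GitHub org and repo; that only
    holds when the organization folder sits at the Jenkins root and is named
    after the org, so adapt the indexing to your own job layout.
    """
    parts = [p for p in job_name.split("/") if p]
    if len(parts) < 2:
        return None
    org, repo = parts[0], parts[1]
    claims = {
        "github_org": org,                # assumed claim name
        "github_repo": repo,              # assumed claim name
        "github_slug": f"{org}/{repo}",   # assumed claim name
    }
    if len(parts) >= 3:
        # Remaining segments are the branch or PR job name (assumed claim name).
        claims["github_ref"] = "/".join(parts[2:])
    return claims


def merge_claims(base_claims, extra_claims):
    """Merge extension-provided claims into the issuer's claim set.

    Extensions may add claims but never replace reserved ones; a collision is
    treated as a bug in the extension and rejected rather than silently ignored.
    """
    collisions = RESERVED_CLAIMS & set(extra_claims)
    if collisions:
        raise ValueError(
            f"extension may not set reserved claims: {sorted(collisions)}")
    merged = dict(base_claims)
    merged.update(extra_claims)
    return merged


def is_authorized(claims, policy):
    """Relying-party check modelled on Vault-style bound claims: every claim
    named in the policy must be present in the token with exactly that value."""
    return all(claims.get(name) == value for name, value in policy.items())


# Constructed sample data: what the issuer would set, plus two example policies
# (one shared across an organization, one scoped to a single repository).
BASE = {
    "iss": "https://jenkins.example.invalid/oidc",
    "sub": "my-org/my-repo/main",
    "aud": "vault",
    "exp": 1700000000,
}
ORG_WIDE_POLICY = {"github_org": "my-org"}
REPO_POLICY = {"github_org": "my-org", "github_repo": "my-repo"}

if __name__ == "__main__":
    token = merge_claims(BASE, derive_github_claims("my-org/my-repo/main"))
    print(token)
    print("org-wide:", is_authorized(token, ORG_WIDE_POLICY))
    print("repo-scoped:", is_authorized(token, REPO_POLICY))
```

The point of the reserved-claim check is that the extension point described here lets arbitrary plugins contribute to a security token; a plugin that could rewrite sub or aud would be able to impersonate any job, so the merge refuses the collision outright. On the consuming side, a repo-scoped policy is the mechanism that turns "GitHub org and repo claims" into "only this repository's builds can read this secret".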