sigstore / sigstore-rs

An experimental Rust crate for sigstore
https://sigstore.github.io/sigstore-rs/sigstore/
Apache License 2.0

IdentityToken does not expose federated issuer #409

Open jku opened 1 week ago

jku commented 1 week ago

Description

It would be useful for applications to be able to see the OIDC issuer that was used to get the OIDC token (because in the interactive case the user selects the identity/issuer outside the application): in the sigstore case the "issuer" we are interested in is the "ultimate" issuer that is federated via the sigstore dex instance. This is useful since

  1. The application may know which identity/issuer will be acceptable in this situation and will be able to cancel before the user accidentally signs with an incorrect identity
  2. Showing the identity/issuer in the UI may be useful to allow the user to verify they are doing the right thing

This federated issuer does not seem to be available in IdentityToken currently. Exposing it is slightly more complicated than the identity itself... Based on the Python implementation, it's in unverified_claims["federated_claims"]["connector_id"]

https://github.com/sigstore/sigstore-python/blob/main/sigstore/oidc.py#L135

jku commented 1 week ago

There's a related issue with IdentityToken: it always uses "email" as the identity of the token -- but some oidc issuers, like GitHub Actions, use "sub" as the identity and Fulcio does respect that...

This leads me to think sigstore-rs does not currently work in GitHub Actions? Have I missed something?

tnytown commented 1 week ago

This leads me to think sigstore-rs does not currently work in GitHub Actions? Have I missed something?

Yes, we should be using sub for the identity request. The current IdentityToken's email field is an inelegant bodge that I thought I had replaced with a method dispatching to the correct identity claim. Unfortunately I never tested with a GHA token and forgot all about it. Plumbing sub through should be a pretty quick change :)
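The two points raised in this thread (reading the federated issuer out of the unverified claims, and choosing `sub` rather than `email` as the identity for issuers such as GitHub Actions) can be shown end to end on a decoded token. The following is an added example written for this page in Python, not code from sigstore-rs or sigstore-python; it only decodes the JWT payload and never checks the signature, so everything it returns is untrusted input until Fulcio has verified the token. The issuer URLs, the issuer-to-claim mapping and the two sample tokens are constructed for the example.

```python
"""Read unverified OIDC token claims and derive the identity claim and the
federated issuer, as discussed in the issue above (illustrative code)."""
import base64
import json
from typing import Optional

# Constructed mapping of token issuer -> claim that carries the identity.
# The URLs are assumed for this example, not taken from the crate.
SIGSTORE_DEX_ISSUER = "https://oauth2.sigstore.dev/auth"
GITHUB_ACTIONS_ISSUER = "https://token.actions.githubusercontent.com"
IDENTITY_CLAIM_BY_ISSUER = {
    SIGSTORE_DEX_ISSUER: "email",   # interactive logins federated through dex
    GITHUB_ACTIONS_ISSUER: "sub",   # workflow identity lives in `sub`
}


def _b64url_decode(segment: str) -> bytes:
    # JWT segments are base64url without padding; restore it before decoding.
    return base64.urlsafe_b64decode(segment + "=" * (-len(segment) % 4))


def _b64url_encode(raw: bytes) -> str:
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode()


def unverified_claims(token: str) -> dict:
    """Parse the payload of a compact JWT without checking its signature."""
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("not a compact JWS: expected header.payload.signature")
    claims = json.loads(_b64url_decode(parts[1]))
    if not isinstance(claims, dict):
        raise ValueError("JWT payload is not a JSON object")
    return claims


def identity_claim_name(claims: dict) -> str:
    """Pick the claim holding the identity for this issuer; unknown issuers
    fall back to `sub`, which every OIDC token must carry."""
    return IDENTITY_CLAIM_BY_ISSUER.get(claims.get("iss"), "sub")


def identity(claims: dict) -> str:
    name = identity_claim_name(claims)
    value = claims.get(name)
    if not isinstance(value, str) or not value:
        raise ValueError(f"token from {claims.get('iss')!r} lacks claim {name!r}")
    return value


def federated_issuer(claims: dict) -> Optional[str]:
    """The upstream issuer dex federated (federated_claims.connector_id),
    or None when the token came straight from its issuer."""
    federated = claims.get("federated_claims")
    if not isinstance(federated, dict):
        return None
    connector = federated.get("connector_id")
    return connector if isinstance(connector, str) else None


def effective_issuer(claims: dict) -> Optional[str]:
    """What an application should display and check against its policy:
    the federated connector when present, otherwise the token's own `iss`."""
    return federated_issuer(claims) or claims.get("iss")


def acceptable(claims: dict, allowed_issuers: set) -> bool:
    """Policy gate an application can apply before asking the user to sign."""
    return effective_issuer(claims) in allowed_issuers


def make_unsigned_token(payload: dict) -> str:
    """Constructed, unsigned test token (empty signature segment)."""
    header = _b64url_encode(json.dumps({"alg": "none", "typ": "JWT"}).encode())
    return f"{header}.{_b64url_encode(json.dumps(payload).encode())}."


# Constructed sample: interactive login federated through the sigstore dex instance.
INTERACTIVE_TOKEN = make_unsigned_token({
    "iss": SIGSTORE_DEX_ISSUER,
    "sub": "CgVhbGljZRIGZ2l0aHVi",
    "email": "dev@example.com",
    "email_verified": True,
    "federated_claims": {"connector_id": "https://github.com/login/oauth",
                         "user_id": "12345"},
})

# Constructed sample: token issued directly by GitHub Actions (no federation).
GHA_TOKEN = make_unsigned_token({
    "iss": GITHUB_ACTIONS_ISSUER,
    "sub": "repo:example/project:ref:refs/heads/main",
    "repository": "example/project",
})

if __name__ == "__main__":
    for tok in (INTERACTIVE_TOKEN, GHA_TOKEN):
        c = unverified_claims(tok)
        print(identity_claim_name(c), identity(c), effective_issuer(c))
```

Running the block prints the claim used, the identity and the issuer an application would show the user for each sample token. The interactive token yields `email`, `dev@example.com` and the federated connector; the GitHub Actions token yields `sub`, the `repo:...` subject and the issuer itself, which is exactly the distinction the thread says IdentityToken currently misses.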