spiffe / spiffe-helper

The SPIFFE Helper is a tool that can be used to retrieve and manage SVIDs on behalf of a workload
Apache License 2.0
43 stars, 40 forks

add support for jwt-svid #43

Closed raffaelespazzoli closed 9 months ago

faisal-memon commented 1 year ago

What's the use case for this?

kfox1111 commented 1 year ago

A lot of web services that accept oidc for auth could benefit from this I think? Say, using spiffe-helper along with curl and minio to fetch some files.

raffaelespazzoli commented 1 year ago

In my case it is to be able to use sigstore with keyless signing from a tekton pipeline. In order to do keyless signing one must be able to integrate sigstore-fulcio with an OIDC provider. When signing from a workload, this could be done with a jwt-svid. Using a tekton task with the spiffe-helper as a sidecar to retrieve the svid-jwt document would streamline the process. This project showcases an example of such integration; they don't use the spiffe-helper.

MarcosDY commented 1 year ago

What worries me here is how to persist it... Do you think that persisting them in a single file in JSON format will work? And with a separate config to set up the folder where it is persisted (and only persist it if that config is set)?

drewwells commented 1 year ago

Multiple files is better. The client doesn't want to parse these formats, just mount a string useful as authentication header.

Our use case is watching a mounted volume in a pod. When the file changes, we'll update our local copy of jwt when preparing remote requests.

On server side, we need bundle to verify jwt signature. JWKS should be a separate file to make loading that easier. Think of how users will consume these files.

```
client: http.Header.Add('Authorization: "Bearer {svid.json}"')
server: jwtsvid.ParseAndVerify(..., "/path/to/bundle.jwks")
```

3 files:

`jwt.txt`

```
eyJhbGciOiJFUzI1NiIsImtpZCI6Ijg3R0wza3dF...
```

`bundle.txt`

```
ewogICAgImtleXMiOiBbCiAgICAg...
```

`svid.json`

```json
[
  {
    "svids": [
      {
        "hint": "",
        "spiffe_id": "spiffe://infoblox.com/testservice",
        "svid": "eyJhbGciOiJFUzI1NiIsI..."
      }
    ]
  },
  {
    "bundles": {
      "spiffe://infoblox.com": "ewogICAgImtleXMiOiBbCiAgICAgIC..."
    }
  }
]
```

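The three-file layout proposed above, as an added example that is not code from this thread or from spiffe-helper: a Go reader for the proposed `svid.json` shape that hands the raw token to the client side (the `Authorization` header) and the decoded JWKS keys to the server side. It assumes the bundle value is standard base64 of JWKS JSON, as the `ewogICAg...` prefix suggests, and uses constructed placeholder values (`spiffe://example.org`, `PLACEHOLDER.JWT.TOKEN`, `constructed-kid`).

```go
package main

import (
	"encoding/base64"
	"encoding/json"
	"errors"
	"net/http"
)

// svid.json layout proposed above: element 0 carries "svids", element 1 "bundles" by trust domain.
type svidEntry struct {
	SpiffeID string `json:"spiffe_id"`
	SVID     string `json:"svid"`
}
type svidDoc struct {
	SVIDs   []svidEntry       `json:"svids,omitempty"`
	Bundles map[string]string `json:"bundles,omitempty"`
}

// ParseSVIDFile returns the first JWT-SVID, its SPIFFE ID, and the JWKS keys (assumed to be
// stored base64-encoded) that the server side would load to verify tokens from trustDomain.
func ParseSVIDFile(data []byte, trustDomain string) (token, id string, keys []map[string]any, err error) {
	var docs []svidDoc
	if err = json.Unmarshal(data, &docs); err != nil {
		return
	}
	if len(docs) < 2 || len(docs[0].SVIDs) == 0 || docs[1].Bundles[trustDomain] == "" {
		return "", "", nil, errors.New("svid or bundle for trust domain missing")
	}
	token, id = docs[0].SVIDs[0].SVID, docs[0].SVIDs[0].SpiffeID
	var jwks struct{ Keys []map[string]any `json:"keys"` }
	jwksBytes, err := base64.StdEncoding.DecodeString(docs[1].Bundles[trustDomain])
	if err == nil {
		err = json.Unmarshal(jwksBytes, &jwks)
	}
	return token, id, jwks.Keys, err
}

// BearerHeader is the client half: the raw token goes straight into the header, no parsing.
func BearerHeader(token string) http.Header {
	return http.Header{"Authorization": {"Bearer " + token}}
}

// SampleSVIDFile builds a constructed svid.json with a placeholder token and key (not real values).
func SampleSVIDFile() []byte {
	jwks := base64.StdEncoding.EncodeToString([]byte(`{"keys":[{"kty":"EC","kid":"constructed-kid","crv":"P-256"}]}`))
	b, _ := json.Marshal([]svidDoc{
		{SVIDs: []svidEntry{{SpiffeID: "spiffe://example.org/testservice", SVID: "PLACEHOLDER.JWT.TOKEN"}}},
		{Bundles: map[string]string{"spiffe://example.org": jwks}},
	})
	return b
}
```

A missing bundle for the requested trust domain is reported as an error rather than silently yielding an empty key set, which is the failure a verifier must not paper over.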
keeganwitt commented 11 months ago

Came across this issue while looking for an easy way to get a JWT in my workload to support the OIDC AWS use case.

faisal-memon commented 11 months ago

@keeganwitt Will review the associated PR and get it merged soon.

keeganwitt commented 9 months ago

Note: created #112 related to this change.