Open enj opened 11 months ago
Thanks for your patience @enj
I feel this is a pretty reasonable request, and I don't see any issue from maintenance or security perspective in supporting it
@azdagron @amartinezfayo do you see any technical challenges? Particularly around how it might (or might not) integrate with the credential composer flows we introduced?
I think that is reasonable. There is a potential that we would end up doing more strict validations than we did previously. This probably requires a little investigation.
I think we're good to go here.
In terms of next steps, we should probably start with gaining consensus on how the arbitrary JWT claims and X.509 extensions are provided over the Mint RPCs. This should happen in a PR opened against the next branch of the SPIRE API SDK.
I think there is some precedent that can be found in the CredentialComposer documentation @enj linked from the plugin SDK. It might be enough to duplicate those messages/types for incorporation into the SVID API and slot them into the Mint RPCs where appropriate.
Once the change has been merged to the next branch of the API SDK, we can update SPIRE's pseudo-version dependency on the API SDK and start the coding work.
The implementation can probably utilize some code from the credbuilder package to convert the fields from the request into types usable by the CA package. We'll probably have to extend the WorkloadX509SVIDParams struct to accommodate the arbitrary claims.
Happy to help guide the implementation if there are questions.
Thanks for raising your hand to work on this, @enj! Happy to answer any questions you might have either in GH or on the SPIFFE slack. If you decide you aren't in a position to help, let us know and we can add the "help wanted" label.
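The guidance above leaves open how the server should treat the caller-supplied claims and extensions once they arrive over the Mint RPCs, and the earlier comment notes that the result may be stricter validation than today. The following is an added example, not SPIRE's code and not the API SDK's eventual message shapes: it sketches the validation a CA would want between the request and the signing step. The `ExtensionSpec` type, the function names and the sets of reserved claims and reserved extension OIDs are all assumptions for illustration; the actual `WorkloadX509SVIDParams` extension and credbuilder conversion would live in SPIRE's own packages.

```go
package main

import (
	"crypto/x509/pkix"
	"encoding/asn1"
	"fmt"
	"strconv"
	"strings"
	"time"
)

// ExtensionSpec is a hypothetical wire shape for one caller-supplied X.509
// extension; it stands in for whatever message the API SDK change settles on.
type ExtensionSpec struct {
	OID      string // dotted-decimal, e.g. "1.3.6.1.4.1.99999.1"
	Critical bool
	Value    []byte // DER-encoded extnValue
}

// Claims the issuer must control (assumed set). A caller-supplied value for
// any of these is rejected outright rather than silently overwritten, so a
// request cannot quietly change the SVID's identity, audience or lifetime.
var reservedClaims = map[string]bool{"sub": true, "aud": true, "exp": true, "iat": true}

// Extensions the CA already populates on an X509-SVID (assumed list). A second
// copy from the caller would violate RFC 5280 (one instance per extension) and
// could override the SPIFFE ID in the SAN or widen key usage.
var reservedExtensions = []asn1.ObjectIdentifier{
	{2, 5, 29, 14}, // subjectKeyIdentifier
	{2, 5, 29, 15}, // keyUsage
	{2, 5, 29, 17}, // subjectAltName
	{2, 5, 29, 19}, // basicConstraints
	{2, 5, 29, 35}, // authorityKeyIdentifier
	{2, 5, 29, 37}, // extendedKeyUsage
}

// buildJWTClaims merges caller-supplied claims beneath the issuer-controlled
// ones and refuses any attempt to set a reserved claim.
func buildJWTClaims(spiffeID string, audience []string, ttl time.Duration, now time.Time, extra map[string]any) (map[string]any, error) {
	if len(audience) == 0 {
		return nil, fmt.Errorf("at least one audience is required")
	}
	claims := make(map[string]any, len(extra)+4)
	for name, value := range extra {
		if reservedClaims[name] {
			return nil, fmt.Errorf("claim %q is reserved and cannot be set by the caller", name)
		}
		claims[name] = value
	}
	claims["sub"] = spiffeID
	claims["aud"] = audience
	claims["iat"] = now.Unix()
	claims["exp"] = now.Add(ttl).Unix()
	return claims, nil
}

// parseOID converts dotted-decimal text to an asn1.ObjectIdentifier.
func parseOID(text string) (asn1.ObjectIdentifier, error) {
	parts := strings.Split(text, ".")
	if len(parts) < 2 {
		return nil, fmt.Errorf("oid %q: needs at least two arcs", text)
	}
	oid := make(asn1.ObjectIdentifier, 0, len(parts))
	for _, part := range parts {
		arc, err := strconv.Atoi(part)
		if err != nil || arc < 0 {
			return nil, fmt.Errorf("oid %q: bad arc %q", text, part)
		}
		oid = append(oid, arc)
	}
	if oid[0] > 2 || (oid[0] < 2 && oid[1] > 39) {
		return nil, fmt.Errorf("oid %q: invalid leading arcs", text)
	}
	return oid, nil
}

// buildExtraExtensions validates caller-supplied extensions before they reach
// the CA: well-formed OID, not one the CA sets itself, no duplicates, and a
// value that is exactly one DER element (the CA would otherwise embed garbage).
func buildExtraExtensions(specs []ExtensionSpec) ([]pkix.Extension, error) {
	seen := make(map[string]bool, len(specs))
	out := make([]pkix.Extension, 0, len(specs))
	for _, spec := range specs {
		oid, err := parseOID(spec.OID)
		if err != nil {
			return nil, err
		}
		for _, reserved := range reservedExtensions {
			if oid.Equal(reserved) {
				return nil, fmt.Errorf("extension %s is set by the CA and cannot be supplied", oid)
			}
		}
		if seen[oid.String()] {
			return nil, fmt.Errorf("extension %s supplied more than once", oid)
		}
		seen[oid.String()] = true
		var raw asn1.RawValue
		rest, err := asn1.Unmarshal(spec.Value, &raw)
		if err != nil || len(rest) != 0 {
			return nil, fmt.Errorf("extension %s: value is not a single DER element", oid)
		}
		out = append(out, pkix.Extension{Id: oid, Critical: spec.Critical, Value: spec.Value})
	}
	return out, nil
}

func main() {
	// Constructed sample request: one custom claim, one private-arc extension.
	now := time.Unix(1700000000, 0)
	claims, err := buildJWTClaims("spiffe://example.org/workload", []string{"api"}, time.Hour, now,
		map[string]any{"tenant": "acme"})
	fmt.Println(claims, err)
	_, err = buildJWTClaims("spiffe://example.org/workload", []string{"api"}, time.Hour, now,
		map[string]any{"sub": "spiffe://example.org/other"})
	fmt.Println("override attempt:", err)
	exts, err := buildExtraExtensions([]ExtensionSpec{
		{OID: "1.3.6.1.4.1.99999.1", Value: []byte{0x0c, 0x04, 'a', 'c', 'm', 'e'}}, // UTF8String "acme"
	})
	fmt.Println(exts, err)
	_, err = buildExtraExtensions([]ExtensionSpec{{OID: "2.5.29.17", Value: []byte{0x30, 0x00}}})
	fmt.Println("SAN attempt:", err)
}
```

The design point is that reserved names are rejected rather than overwritten: a silent overwrite makes the request look accepted while part of it was dropped, which is the kind of ambiguity a credential composer today sidesteps by running entirely inside the server. Which claims and OIDs count as reserved is exactly the "more strict validation than previously" question raised above and would need to be settled in the API SDK PR.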
@azdagron I ended up going with an approach that did not use SPIRE so I will not be able to implement this. Feel free to close the issue.
Today, one can send a `MintJWTSVIDRequest` to generate a one-off JWT. This combined with a custom credential composer can be used to set the `claims` on the resulting JWT. However, there is no good way to directly control the claims set via the `MintJWTSVIDRequest` RPC call (one could encode the claims in the `audience` field and then decode them in the credential composer, but that seems hacky).

I would like to expand the `MintJWTSVIDRequest` RPC (and `MintX509SVIDRequest` if desired) to cover the existing functionality that is possible via a credential composer. For `MintJWTSVIDRequest` that would allow setting `claims`, and for `MintX509SVIDRequest` that would allow setting `extra_extensions`.

I am happy to make the changes required for this feature, just looking for guidance on next steps.