add support for jwt-svid #43

Closed
raffaelespazzoli opened this issue Feb 6, 2023 · 8 comments · Fixed by #85
Comments

@raffaelespazzoli

No description provided.

@faisal-memon
Collaborator

What's the use case for this?

@kfox1111
Contributor

kfox1111 commented Feb 6, 2023

A lot of web services that accept oidc for auth could benefit from this I think? Say, using spiffe-helper along with curl and minio to fetch some files.

@raffaelespazzoli
Author

raffaelespazzoli commented Feb 6, 2023

In my case it is to be able to use sigstore with keyless signing from a tekton pipeline. In order to do keyless signing one must be able to integrate sigstore-fulcio with an OIDC provider. When signing from a workload, this could be done with a jwt-svid. Using a tekton task with the spiffe-helper as a sidecar to retrieve the svid-jwt document would streamline the process.
This project showcases an example of such integration; they don't use the spiffe-helper.

@MarcosDY
Collaborator

What worries me here is how to persist it....
Do you think that persisting them in a single file in JSON format will work?
And with a separate config to set up the folder where it is persisted (and only persist it if that config is set).

@drewwells

Multiple files are better. The client doesn't want to parse these formats, just mount a string useful as an authentication header.

Our use case is watching a mounted volume in a pod. When the file changes, we'll update our local copy of jwt when preparing remote requests.

On the server side, we need the bundle to verify the JWT signature. JWKS should be a separate file to make loading that easier. Think of how users will consume these files.

client: req.Header.Add("Authorization", "Bearer "+jwt)        // jwt: the token string read from jwt.txt
server: jwtsvid.ParseAndValidate(..., bundle, audiences)       // bundle: JWKS loaded from "/path/to/bundle.jwks"

3 files:
jwt.txt

eyJhbGciOiJFUzI1NiIsImtpZCI6Ijg3R0wza3dF...

bundle.txt

ewogICAgImtleXMiOiBbCiAgICAg...

svid.json

[
  {
    "svids": [
      {
        "hint": "",
        "spiffe_id": "spiffe://infoblox.com/testservice",
        "svid": "eyJhbGciOiJFUzI1NiIsI..."
      }
    ]
  },
  {
    "bundles": {
      "spiffe://infoblox.com": "ewogICAgImtleXMiOiBbCiAgICAgIC..."
    }
  }
]
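The split sketched above (a token file the client turns into an Authorization: Bearer header, and a separate JWKS bundle file the server verifies against) is shown here as an added Go example; it is not code from spiffe-helper, go-spiffe, or anyone in this thread. It assumes ES256-signed JWT-SVIDs whose kid header names a key in the bundle, uses only the standard library, and every name in it (LoadJWKS, VerifyJWTSVID, SignES256, JWKSFor, the demo-kid key id, the spiffe://example.org/testservice subject, the minio audience) is constructed for the demo. SignES256 and JWKSFor only stand in for the issuing agent so the demo runs offline; a workload or verifier never holds that private key.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/sha256"
	"encoding/base64"
	"encoding/json"
	"errors"
	"fmt"
	"math/big"
	"strings"
	"time"
)

var enc = base64.RawURLEncoding

// jwk is the subset of a JWKS key entry needed for ES256 (encoding/json maps the lowercase
// JWKS member names onto these fields case-insensitively).
type jwk struct{ Kty, Crv, Kid, X, Y string }

// Claims is the subset of JWT-SVID claims checked here; aud may be a string or an array (RFC 7519).
type Claims struct {
	Sub string          `json:"sub"`
	Aud json.RawMessage `json:"aud"`
	Exp int64           `json:"exp"`
}

// LoadJWKS parses a JWKS bundle document (the separate bundle file from the thread) into
// kid-indexed P-256 public keys, rejecting malformed points at load time.
func LoadJWKS(doc []byte) (map[string]*ecdsa.PublicKey, error) {
	var set struct{ Keys []jwk }
	if err := json.Unmarshal(doc, &set); err != nil {
		return nil, err
	}
	keys := map[string]*ecdsa.PublicKey{}
	for _, k := range set.Keys {
		if k.Kty != "EC" || k.Crv != "P-256" || k.Kid == "" {
			continue // only P-256 keys with a kid can verify ES256 tokens
		}
		x, errX := enc.DecodeString(k.X)
		y, errY := enc.DecodeString(k.Y)
		pub := &ecdsa.PublicKey{Curve: elliptic.P256(), X: new(big.Int).SetBytes(x), Y: new(big.Int).SetBytes(y)}
		if errX != nil || errY != nil || !pub.Curve.IsOnCurve(pub.X, pub.Y) {
			return nil, fmt.Errorf("invalid key material for kid %q", k.Kid)
		}
		keys[k.Kid] = pub
	}
	return keys, nil
}

// VerifyJWTSVID is the server side: pin alg to ES256, select the key by kid, verify the signature
// over header.payload, then enforce exp and the expected audience before any claim is trusted.
func VerifyJWTSVID(token string, keys map[string]*ecdsa.PublicKey, audience string, now time.Time) (*Claims, error) {
	parts := strings.Split(token, ".")
	if len(parts) != 3 {
		return nil, errors.New("token must have three segments")
	}
	hdrRaw, err := enc.DecodeString(parts[0])
	var hdr struct{ Alg, Kid string }
	if err != nil || json.Unmarshal(hdrRaw, &hdr) != nil || hdr.Alg != "ES256" {
		return nil, errors.New("header rejected: only ES256 is accepted") // alg=none or a MAC alg is never honoured
	}
	pub, ok := keys[hdr.Kid]
	sig, err := enc.DecodeString(parts[2])
	if !ok || err != nil || len(sig) != 64 { // ES256 signatures are raw R||S, 32 bytes each
		return nil, fmt.Errorf("unknown kid %q or malformed signature", hdr.Kid)
	}
	digest := sha256.Sum256([]byte(parts[0] + "." + parts[1]))
	if !ecdsa.Verify(pub, digest[:], new(big.Int).SetBytes(sig[:32]), new(big.Int).SetBytes(sig[32:])) {
		return nil, errors.New("signature verification failed")
	}
	payload, err := enc.DecodeString(parts[1])
	var c Claims
	if err != nil || json.Unmarshal(payload, &c) != nil {
		return nil, errors.New("malformed claims")
	}
	if c.Exp == 0 || !now.Before(time.Unix(c.Exp, 0)) {
		return nil, errors.New("token expired or missing exp")
	}
	var aud []string
	if json.Unmarshal(c.Aud, &aud) != nil { // single-audience tokens may carry aud as a bare string
		var one string
		_ = json.Unmarshal(c.Aud, &one)
		aud = []string{one}
	}
	for _, a := range aud {
		if a != "" && a == audience {
			return &c, nil
		}
	}
	return nil, fmt.Errorf("token not issued for audience %q", audience)
}

// SignES256 and JWKSFor stand in for the issuing agent (constructed for this demo only).
func SignES256(priv *ecdsa.PrivateKey, kid string, claims map[string]any) (string, error) {
	hdr, _ := json.Marshal(map[string]string{"alg": "ES256", "typ": "JWT", "kid": kid})
	body, _ := json.Marshal(claims)
	signing := enc.EncodeToString(hdr) + "." + enc.EncodeToString(body)
	digest := sha256.Sum256([]byte(signing))
	r, s, err := ecdsa.Sign(rand.Reader, priv, digest[:])
	if err != nil {
		return "", err
	}
	sig := make([]byte, 64) // JOSE encoding: R and S left-padded to 32 bytes each, concatenated
	r.FillBytes(sig[:32])
	s.FillBytes(sig[32:])
	return signing + "." + enc.EncodeToString(sig), nil
}

// JWKSFor builds a one-key JWKS document of the shape bundle.txt would hold (constructed).
func JWKSFor(pub *ecdsa.PublicKey, kid string) []byte {
	xy := make([]byte, 64)
	pub.X.FillBytes(xy[:32])
	pub.Y.FillBytes(xy[32:])
	return []byte(fmt.Sprintf(`{"keys":[{"kty":"EC","crv":"P-256","kid":%q,"x":%q,"y":%q}]}`,
		kid, enc.EncodeToString(xy[:32]), enc.EncodeToString(xy[32:])))
}

func main() {
	priv, _ := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	keys, _ := LoadJWKS(JWKSFor(&priv.PublicKey, "demo-kid")) // constructed bundle, not a real trust domain's
	tok, _ := SignES256(priv, "demo-kid", map[string]any{"sub": "spiffe://example.org/testservice", "aud": "minio", "exp": time.Now().Add(time.Hour).Unix()})
	c, err := VerifyJWTSVID(tok, keys, "minio", time.Now())
	fmt.Println(c, err)
}
```

In the file layout proposed above, the client side is just reading jwt.txt and setting "Bearer " plus its contents, and the server feeds bundle.txt to LoadJWKS; go-spiffe's jwtsvid.ParseAndValidate performs the same checks against a jwtbundle.Source. The hand-rolled version makes the order explicit: pin the algorithm, pick the key by kid, verify the signature, and only then read exp and aud, so a forged header or a tampered payload never reaches the claim checks.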

@keeganwitt
Contributor

Came across this issue while looking for an easy way to get a JWT in my workload to support the OIDC AWS use case.

@faisal-memon
Collaborator

@keeganwitt Will review the associated PR and get it merged soon.

@keeganwitt
Contributor

Note: created #112 related to this change.
