add support for jwt-svid
raffaelespazzoli opened this issue · 8 comments
What's the use case for this?
A lot of web services that accept oidc for auth could benefit from this I think? Say, using spiffe-helper along with curl and minio to fetch some files.
In my case it is to be able to use sigstore with keyless signing from a tekton pipeline. In order to do keyless signing one must be able to integrate sigstore-fulcio with an OIDC provider. When signing from a workload, this could be done with a jwt-svid. Using a tekton task with the spiffe-helper as a sidecar to retrieve the svid-jwt document would streamline the process.
This project showcases an example of such integration; they don't use the spiffe-helper.
What worries me here is how to persist it...
Do you think that persisting them in a single file in JSON format will work?
And with a separate config to set up the folder where it is persisted (and only persist it if that config is set).
Multiple files are better. The client doesn't want to parse these formats, just mount a string useful as an authentication header.
Our use case is watching a mounted volume in a pod. When the file changes, we'll update our local copy of jwt when preparing remote requests.
On the server side, we need the bundle to verify the JWT signature. JWKS should be a separate file to make loading that easier. Think of how users will consume these files.
client: http.Header.Add('Authorization: "Bearer {svid.json}"')
server: jwtsvid.ParseAndVerify(..., "/path/to/bundle.jwks")
3 files
jwt.txt
eyJhbGciOiJFUzI1NiIsImtpZCI6Ijg3R0wza3dF...
bundle.txt
ewogICAgImtleXMiOiBbCiAgICAg...
svid.json
[
  {
    "svids": [
      {
        "hint": "",
        "spiffe_id": "spiffe://infoblox.com/testservice",
        "svid": "eyJhbGciOiJFUzI1NiIsI..."
      }
    ]
  },
  {
    "bundles": {
      "spiffe://infoblox.com": "ewogICAgImtleXMiOiBbCiAgICAgIC..."
    }
  }
]
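The three-file layout proposed above (a bare token in jwt.txt, the trust bundle as JWKS in bundle.txt) implies two consumers: a client that pastes the token into an Authorization header, and a server that looks up the signing key by kid in the JWKS and verifies the ES256 signature, expiry, audience and spiffe:// subject. The Go program below is an added example written for this page; it is not spiffe-helper or go-spiffe code (in a real service you would call go-spiffe's jwtsvid.ParseAndVerify against a bundle source instead). It uses only the standard library, mints its own P-256 key and token in-process as a stand-in for a SPIRE server, and the kid, SPIFFE ID, audience and the "use":"jwt-svid" key attribute (the SPIFFE bundle format's marker for JWT signing keys) are assumptions made for the example. The bytes BuildJWKS returns are what bundle.txt would hold, and the string SignJWTSVID returns is what jwt.txt would hold.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/sha256"
	"encoding/base64"
	"encoding/json"
	"errors"
	"math/big"
	"slices"
	"strings"
	"time"
)

// JOSE encodes every segment as unpadded base64url.
var b64 = base64.RawURLEncoding

type jwk struct { // the subset of an EC JSON Web Key this example emits and reads
	Kty string `json:"kty"`
	Crv string `json:"crv"`
	Kid string `json:"kid"`
	Use string `json:"use"`
	X   string `json:"x"`
	Y   string `json:"y"`
}

// pad32 fixes a big.Int to the 32-byte width that P-256 coordinates and R/S halves use.
func pad32(n *big.Int) []byte { return n.FillBytes(make([]byte, 32)) }

// BuildJWKS renders a P-256 public key as the JWKS document bundle.txt would carry;
// "use":"jwt-svid" follows the SPIFFE bundle format (assumed convention for this example).
func BuildJWKS(pub *ecdsa.PublicKey, kid string) []byte {
	out, _ := json.Marshal(map[string][]jwk{"keys": {{Kty: "EC", Crv: "P-256", Kid: kid, Use: "jwt-svid",
		X: b64.EncodeToString(pad32(pub.X)), Y: b64.EncodeToString(pad32(pub.Y))}}})
	return out
}

// SignJWTSVID mints an ES256 token with sub = SPIFFE ID, standing in for the SPIRE
// server so the example runs offline. aud is always emitted as a JSON array.
func SignJWTSVID(priv *ecdsa.PrivateKey, kid, spiffeID string, aud []string, now time.Time, ttl time.Duration) (string, error) {
	hdr, _ := json.Marshal(map[string]string{"alg": "ES256", "typ": "JWT", "kid": kid})
	claims, _ := json.Marshal(map[string]any{"sub": spiffeID, "aud": aud, "iat": now.Unix(), "exp": now.Add(ttl).Unix()})
	input := b64.EncodeToString(hdr) + "." + b64.EncodeToString(claims)
	digest := sha256.Sum256([]byte(input))
	r, s, err := ecdsa.Sign(rand.Reader, priv, digest[:])
	if err != nil {
		return "", err
	}
	// JWS ES256 signatures are the raw 64-byte R||S concatenation, not DER.
	return input + "." + b64.EncodeToString(append(pad32(r), pad32(s)...)), nil
}

// VerifyJWTSVID is the server side of the thread: pin the algorithm, select the key by
// kid from the JWKS bundle, check the signature, then exp, aud and a spiffe:// subject.
func VerifyJWTSVID(token string, bundle []byte, expectedAud string, now time.Time) (string, error) {
	parts := strings.Split(token, ".")
	if len(parts) != 3 {
		return "", errors.New("malformed JWT")
	}
	var hdr struct{ Alg, Kid string }
	if err := json.NewDecoder(base64.NewDecoder(b64, strings.NewReader(parts[0]))).Decode(&hdr); err != nil {
		return "", err
	}
	if hdr.Alg != "ES256" { // never let the token choose the algorithm ("none", HS256 key confusion)
		return "", errors.New("unexpected alg " + hdr.Alg)
	}
	var set struct{ Keys []jwk `json:"keys"` }
	if err := json.Unmarshal(bundle, &set); err != nil {
		return "", err
	}
	i := slices.IndexFunc(set.Keys, func(k jwk) bool { return k.Kid == hdr.Kid && k.Kty == "EC" && k.Crv == "P-256" })
	if i < 0 {
		return "", errors.New("no P-256 key with kid " + hdr.Kid + " in bundle")
	}
	x, errX := b64.DecodeString(set.Keys[i].X)
	y, errY := b64.DecodeString(set.Keys[i].Y)
	if errX != nil || errY != nil {
		return "", errors.New("bad key coordinates in bundle")
	}
	pub := &ecdsa.PublicKey{Curve: elliptic.P256(), X: new(big.Int).SetBytes(x), Y: new(big.Int).SetBytes(y)}
	sig, err := b64.DecodeString(parts[2])
	if err != nil || len(sig) != 64 {
		return "", errors.New("bad signature encoding")
	}
	digest := sha256.Sum256([]byte(parts[0] + "." + parts[1]))
	if !ecdsa.Verify(pub, digest[:], new(big.Int).SetBytes(sig[:32]), new(big.Int).SetBytes(sig[32:])) {
		return "", errors.New("signature verification failed")
	}
	var claims struct {
		Sub string   `json:"sub"`
		Aud []string `json:"aud"` // array form only; real tokens may carry a bare string here
		Exp int64    `json:"exp"`
	}
	if err := json.NewDecoder(base64.NewDecoder(b64, strings.NewReader(parts[1]))).Decode(&claims); err != nil {
		return "", err
	}
	if now.Unix() >= claims.Exp || !slices.Contains(claims.Aud, expectedAud) || !strings.HasPrefix(claims.Sub, "spiffe://") {
		return "", errors.New("token expired, audience mismatch or non-SPIFFE subject")
	}
	return claims.Sub, nil
}
```

The client side needs no parsing at all, which is the point of keeping the token in its own file: read jwt.txt, trim the trailing newline, and send "Bearer " followed by the contents. Verification order matters on the server: the algorithm is pinned and the signature checked before any claim is trusted, and the key is chosen by the bundle's kid rather than anything embedded in the token, so a token that names a different kid, carries "alg":"none", or was signed by another key is rejected before its claims are read.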