Skip to content

Commit

Permalink
Fill in required claims for GitLab OIDC provider
Browse files Browse the repository at this point in the history
Signed-off-by: Alishan Ladhani <[email protected]>
  • Loading branch information
aladh committed Aug 28, 2023
1 parent dc57e13 commit cce4d23
Showing 1 changed file with 20 additions and 3 deletions.
23 changes: 20 additions & 3 deletions content/en/certificate_authority/oidc-in-fulcio.md
Original file line number Diff line number Diff line change
Expand Up @@ -31,7 +31,7 @@ GitHub supports OIDC tokens for its workflows initiated from GitHub Actions. Thi

* GitHub Actions (`token.actions.githubusercontent.com`)

GitLab supports OIDC tokens for its workflows initiated from GitLab CI/CD pipelines This removes the need for persisting authentication credentials. OIDC tokens include information about the workflow and source repository.
GitLab supports OIDC tokens for its workflows initiated from GitLab CI/CD pipelines. This removes the need for persisting authentication credentials. OIDC tokens include information about the workflow and source repository.

In GitLab, you can generate the necessary tokens by simply adding the following to your CI/CD job:

Expand Down Expand Up @@ -117,12 +117,29 @@ All other required claims are extracted and included in custom OID fields, as do
The token must include the following claims:
```
```json
{
// TODO: ADD LIST OF CLAIMS
"namespace_id": "72",
"namespace_path": "my-group",
"project_id": "20",
"project_path": "my-group/my-project",
"pipeline_id": "574",
"pipeline_source": "push",
"job_id": "302",
"ref": "main",
"ref_type": "branch",
"runner_id": 1,
"runner_environment": "gitlab-hosted",
"sha": "714a629c0b401fdce83e847fc9589983fc6f46bc",
"project_visibility": "public",
"ci_config_ref_uri": "gitlab.com/my-group/my-project//.gitlab-ci.yml@refs/heads/main"
}
```

`ci_config_ref_uri` is included as a SAN URI: `https://{ci_config_ref_uri}`

All other required claims are extracted and included in custom OID fields, as documented in [OID Information](https://github.com/sigstore/fulcio/blob/main/docs/oid-info.md#mapping-oidc-token-claims-to-fulcio-oids).

### SPIFFE

The token must include the following claims:
Expand Down

0 comments on commit cce4d23

Please sign in to comment.