
Issuer claim in Workload ID Tokens #14

Open
arndt-s opened this issue Jun 13, 2024 · 4 comments

Comments

@arndt-s
Collaborator

arndt-s commented Jun 13, 2024

Do Workload ID tokens require an iss claim, or is the issuer implicit as part of the WIMSE URI in the sub claim?
Also, does the iss claim add any additional value in the scope of this draft, aka "Does this draft work without an iss claim?"

@PieterKas

@arndt-s Is this addressed in section 4.1, where an iss claim is defined?

@arndt-s
Collaborator Author

arndt-s commented Jul 15, 2024

Section 4.1 came after this issue but I believe the question is still valid.

SPIFFE does not need the issuer, as it uses the authority part of the SPIFFE URI as an implicit issuer. However, this makes SPIFFE JWT-SVIDs incompatible with this draft, as they do not contain an "iss" claim according to the specification.

Maybe something to check with the SPIFFE community, though; maybe they'll accept adding it if this would be the only delta.

@yaronf
Collaborator

yaronf commented Jul 15, 2024

@arndt-s The big change from SPIFFE is the cnf construct (the confirmed key), not iss.

@arndt-s
Collaborator Author

arndt-s commented Jul 15, 2024

@yaronf Yes and no, in my opinion.
Of course, the cnf claim is new too, but I believe the complexity of adding the iss claim is higher. Existing deployments out there add this claim on their own, with custom logic and custom values, to achieve federation. Adding this claim as required and being opinionated about it will probably break a lot of them and will make migration hard.
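The two positions in this thread (an issuer implicit in the authority part of the sub URI, versus an explicit iss plus a cnf confirmed key) can be made concrete on the verifier side. The following is an added example, not code from the draft or from any SPIFFE implementation: it validates decoded claim sets under a configurable profile, derives the implicit trust domain from sub, and rejects a token whose explicit iss names a different domain than its sub. The claim sets, the wimse:// scheme form and the assumption that iss is either a bare trust-domain name or an https URL whose host is the trust domain are all constructed for this example.

```python
from urllib.parse import urlsplit

# Constructed claim sets (decoded JWT payloads), not real tokens.
SPIFFE_JWT_SVID = {  # SPIFFE JWT-SVID style: issuer implicit in sub, no cnf
    "sub": "spiffe://example.org/ns/prod/sa/payments",
    "aud": ["payments-gateway"],
    "exp": 1720000000,
}
WIMSE_TOKEN = {  # draft-style workload token: explicit iss plus cnf (confirmed key)
    "sub": "wimse://example.org/ns/prod/sa/payments",
    "iss": "https://example.org",
    "cnf": {"jwk": {"kty": "OKP", "crv": "Ed25519", "x": "CONSTRUCTED"}},
    "aud": ["payments-gateway"],
    "exp": 1720000000,
}

def trust_domain_of(uri: str) -> str:
    """Authority part of a spiffe:// or wimse:// identity URI, lower-cased."""
    p = urlsplit(uri)
    if p.scheme not in ("spiffe", "wimse") or not p.netloc or p.username or p.port:
        raise ValueError(f"not a workload identity URI: {uri!r}")
    return p.netloc.lower()

def issuer_domain(iss: str) -> str:
    """Assumed convention: iss is a bare trust domain or an https URL whose host is the trust domain."""
    if "://" in iss:
        p = urlsplit(iss)
        if p.scheme != "https" or not p.hostname:
            raise ValueError(f"unsupported iss form: {iss!r}")
        return p.hostname.lower()
    return iss.lower()

def validate_identity(claims: dict, trusted_domains: set, *, require_iss: bool, require_cnf: bool) -> str:
    """Return the trust domain the token binds to, or raise ValueError.
    When iss is present it must name the same trust domain as sub, so a token
    cannot assert one domain in sub and be accepted under another via iss."""
    domain = trust_domain_of(claims["sub"])
    iss = claims.get("iss")
    if iss is None:
        if require_iss:
            raise ValueError("iss claim required by profile but absent")
    elif issuer_domain(iss) != domain:
        raise ValueError(f"iss {iss!r} does not match sub trust domain {domain!r}")
    if require_cnf and "cnf" not in claims:
        raise ValueError("cnf (confirmed key) claim required but absent")
    if domain not in trusted_domains:
        raise ValueError(f"untrusted trust domain {domain!r}")
    return domain
```

Running the SPIFFE-style claim set through a profile with `require_iss=True` shows the incompatibility described above: it is rejected for the missing iss before any signature or cnf check is reached.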
