Customizable Audience Claim in OIDC Pipeline JWTs

Simon Schmid
July 10, 2023

We'd like to use CoSign to sign our Docker image builds. CoSign supports Keyless Signing with Fulcio through OIDC identities (Documentation). However, it is required that the `aud` claim is set to "sigstore". Currently it's not possible to configure any of the claims in the JWT, which is a blocker.

GitLab and GitHub already support configurable audience claims in their tokens, see:

https://docs.gitlab.com/ee/ci/secrets/id_token_authentication.html#id-tokens

https://docs.github.com/en/actions/deployment/security-hardening-your-deployments/about-security-hardening-with-openid-connect#understanding-the-oidc-token

 

I hope Bitbucket will put configurable JWT claims on their roadmap.
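
A pre-flight check for the requirement described in the post above, as an added example that is not part of the original post and is not code from Cosign, Fulcio or Bitbucket: it decodes a pipeline OIDC token and reports whether `aud` contains "sigstore". The sample tokens, issuer URL, placeholder audience and function names are constructed for illustration, and the token signature is not verified.

```python
import base64
import json

REQUIRED_AUDIENCE = "sigstore"  # audience value the post says is required


def b64url_decode(segment: str) -> bytes:
    # JWT segments are base64url without padding; restore it before decoding.
    return base64.urlsafe_b64decode(segment + "=" * (-len(segment) % 4))


def b64url_encode(raw: bytes) -> str:
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode("ascii")


def jwt_audiences(token: str) -> list:
    """Return the aud claim as a list. Inspection only: no signature check."""
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("expected header.payload.signature")
    claims = json.loads(b64url_decode(parts[1]))
    aud = claims.get("aud") or []
    # RFC 7519 allows aud to be a single string or an array of strings.
    return [aud] if isinstance(aud, str) else list(aud)


def usable_for_keyless_signing(token: str) -> bool:
    return REQUIRED_AUDIENCE in jwt_audiences(token)


def make_sample_token(claims: dict) -> str:
    # Constructed sample with a dummy signature so the example runs offline.
    header = b64url_encode(json.dumps({"alg": "RS256", "typ": "JWT"}).encode())
    payload = b64url_encode(json.dumps(claims).encode())
    return f"{header}.{payload}.{b64url_encode(b'constructed-signature')}"


# Constructed claims: a fixed provider-chosen audience versus a configured one.
FIXED_AUD = make_sample_token(
    {"iss": "https://ci.example.test", "aud": "placeholder-fixed-audience"})
CONFIGURED_AUD = make_sample_token(
    {"iss": "https://ci.example.test", "aud": "sigstore"})

if __name__ == "__main__":
    for name, tok in (("fixed", FIXED_AUD), ("configured", CONFIGURED_AUD)):
        print(name, jwt_audiences(tok), usable_for_keyless_signing(tok))
```

Running this against the token a pipeline actually issues shows up front whether the audience mismatch described above applies.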

1 answer

0 votes
Cameron Whiting
October 30, 2024

Agreed. In the age of DevSecOps, Bitbucket lacking this makes me want to help my company choose another provider that has modern security options.
