_docs/integrations/oidc-pipelines.md
+32 -3 Lines changed: 32 additions & 3 deletions
@@ -48,7 +48,7 @@ Codefresh supports a subset of standard claims which are listed below. Generally
48
48
49
49
50
50
***audience (`aud`) claim**
51
-
The`aud` claim is the Client ID, which is the URL of the Codefresh platform instance.
51
+
The`aud` claim is the Client ID, which isby defaultthe URL of the Codefresh platform instance. It can also be a custom audience claim, or a list of comma-separated custom audience claims.
52
52
***subject (`sub`) claim**
53
53
The`sub` claim is a string value concatenated from the different claims representing the precise authentication and authorization required for access.
54
54
***issuer (`iss`) claim**
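Review bot: the rewritten `aud` sentence (new line 51) should state how a comma-separated list of custom audiences ends up in the issued token, i.e. whether the ID token carries a JSON array of audiences or the literal comma-joined string, because a relying party's audience check compares its expected value against exactly that. It would also help to keep the Client ID described as the default and to add that custom audiences should be limited to the services that will actually verify the token, since every audience listed is a party the token is valid for.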
@@ -173,6 +173,7 @@ You can move on to the Codefresh platform to obtain and use the OIDC ID token in
173
173
174
174
Obtain the ID token from the Codefresh OIDC provider to authenticate and authorize pipeline actions. Codefresh makes this simple by offering a dedicated Marketplace step, the`obtain-oidc-id-token` step, which you can seamlessly add to your pipeline, without the need for additional configuration or parameters on your part.
175
175
176
+
You can also use this step with custom`aud` claims to override the default configured.
176
177
177
178
178
179
{% include
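Review bot: "to override the default configured" (new line 176) reads as unfinished; suggest "to override the configured default" and name the mechanism, e.g. "by passing the `AUDIENCE` argument", with a link to the "Custom `aud` claims" section added later in this patch. The preceding sentence still says the step needs no additional configuration or parameters, which now conflicts with the new sentence, so it should be softened to "no additional configuration or parameters by default".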
@@ -194,7 +195,7 @@ The step:
194
195
1. Makes an API call to the Codefresh OIDC provider passing the`CF_OIDC_REQUEST_TOKEN` and the`CF_OIDC_REQUEST_URL` variables.
195
196
196
197
>**NOTE**:
197
-
Codefresh injects these two variablesfor every pipeline build, ensuring their availability for use, regardless of the cloud provider's authentication mechanism, whether it's OIDC ID tokens or static credentials.
198
+
Codefresh injects these two variablesinto every pipeline build, ensuring their availability for use, regardless of the cloud provider's authentication mechanism, whether it's OIDC ID tokens or static credentials.
198
199
199
200
200
201
Example:
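Review bot: the "for" to "into" change in the NOTE (new line 198) is fine, but "ensuring their availability for use" is redundant; suggest "Codefresh injects these two variables into every pipeline build, so they are available whether the cloud provider is authenticated with OIDC ID tokens or static credentials." Since the next hunk describes `CF_OIDC_REQUEST_TOKEN` as an access token, this NOTE is also the natural place to say it should be handled as a secret and not echoed into build logs.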
@@ -203,14 +204,42 @@ The step:
203
204
*`CF_OIDC_REQUEST_TOKEN` is an access token used to request the OIDC ID token for the OIDC provider.
204
205
*`CF_OIDC_REQUEST_URL` is the URL from which to request the ID token.
205
206
206
-
You can also insert the`curl` command as an API call in a freestyle step to get the same result.
207
+
You can also insert the`curl` command as an API call in a`freestyle` step to get the same result.
207
208
208
209
{:start="2"}
209
210
1. Sets the ID token in the`ID_TOKEN` environment variable.
210
211
You can use this environment variable in subsequent steps within the same pipeline.
211
212
212
213
<br>
213
214
215
+
**Custom`aud` claims with the`obtain-oidc-id-token` step**
216
+
217
+
Instead of configuring the URL of the Codefresh platform URL as the`aud` claim, you can pass single or multiple strings as custom audiences in the`obtain-oidc-id-token` step.
218
+
219
+
Here are examples of using single and multiple`aud` claims in the`obtain-oidc-id-token` step.
220
+
221
+
* Single custom`aud` claim
222
+
```yaml
223
+
obtain_id_token:
224
+
title:Obtain ID Token
225
+
type:obtain-oidc-id-token
226
+
arguments:
227
+
AUDIENCE:"cosign"
228
+
```
229
+
230
+
* Multiple custom`aud` claim s
231
+
```yaml
232
+
obtain_id_token:
233
+
title: Obtain ID Token
234
+
type: obtain-oidc-id-token
235
+
arguments:
236
+
AUDIENCE: "cosign,acme,custom"
237
+
```
238
+
You can also do this via a simple API call in a `freestyle` step as follows:
* OIDC ID tokens expire after five minutes. If needed, you can request new OIDC ID tokens multiple times within the same pipeline, through the `obtain-oidc-id-token` step, or within a `freestyle` step with an API call.
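Review bot: the last added line (new line 238), "You can also do this via a simple API call in a `freestyle` step as follows:", promises an example that is not in the hunk; either add the `freestyle` step with the `curl` call against `CF_OIDC_REQUEST_URL` showing where the custom audience is passed, or drop the sentence, because as written the text runs straight into the existing bullet about token expiry. Two smaller points in the same hunk: the heading of the second example reads "Multiple custom `aud` claim s" (new line 230), a stray space before the plural, and the two YAML snippets are formatted inconsistently (the first has no space after the colons, `title:Obtain ID Token` and `AUDIENCE:"cosign"`, while the second does), so they should match.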