Demo of external issuer #11

Open
jglick opened this issue May 10, 2022 · 5 comments
Labels
documentation Improvements or additions to documentation

Comments

@jglick
Member

jglick commented May 10, 2022

Never managed to adjust the AWS demo to use an external issuer because neither GCS nor GitHub Pages worked (#8 (comment)), so we need a different free hosting site with TLS and support for Content-Type. render.com looks promising.

@jglick jglick added the documentation Improvements or additions to documentation label May 10, 2022
@elinesterov

What is an external issuer in this context? I cannot see any options in the code to rely on the non-jenkins oidc plugin to do JWT signing. Does this refer to the fact that I'll host my openid configuration and JWKS on another URL (e.g., serving from an S3 bucket)?

I would suggest renaming external issuer in this case to something like oidc metadata location to avoid confusion.

As a side note:

AWS secures communication with some OIDC identity providers (IdPs) through our library of trusted root certificate authorities (CAs) instead of using a certificate thumbprint to verify your IdP server certificate. These OIDC IdPs include Auth0, GitHub, Google, and those that use an Amazon S3 bucket to host a JSON Web Key Set (JWKS) endpoint. In these cases, your legacy thumbprint remains in your configuration, but is no longer used for validation.

AWS updated the documentation, probably after the issue was filed. So if you put the JWKS and openid-connect configuration in an S3 bucket you don't need to deal with thumbprints.

@jglick
Member Author

jglick commented Sep 7, 2023

Basically it just means picking some URL unrelated to the Jenkins controller, hosting two static files there (the OIDC well-known metadata and the JWKS), and configuring the issuer in the Jenkins credentials entry to point to this external URL rather than the Jenkins root URL.

It sounds simple, but the server needs to have a proper TLS certificate and the relying party may be finicky about Content-Type headers, and for purposes of a demo anyone could run I was hoping for some sort of freemium service with easy signup. GH Pages would have been a good choice (anyone with a GH account can publish with little hassle) but sent the wrong content type because it only pays attention to the file extension, and the OIDC spec requires the well-known endpoint to be JSON but not a *.json URL, to my frustration.
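The two static files and the Content-Type pitfall described in the comment above, as an added Python example that is not part of this thread or of the plugin: offline checks a demo host would need to pass for its discovery document and JWKS, with constructed dicts standing in for HTTP responses (the `issuer.example` host and the key values are made up).

```python
import json
from urllib.parse import urlparse

# Constructed stand-ins for HTTP responses (status, headers, body); not real hosts.
ISSUER = "https://issuer.example"
GOOD_DISCOVERY = {"status": 200, "headers": {"Content-Type": "application/json; charset=utf-8"},
                  "body": json.dumps({"issuer": ISSUER, "jwks_uri": ISSUER + "/jwks",
                                      "id_token_signing_alg_values_supported": ["RS256"]})}
# Same body as served by a host that picks Content-Type from the file extension.
PAGES_LIKE_DISCOVERY = dict(GOOD_DISCOVERY, headers={"Content-Type": "text/plain; charset=utf-8"})
GOOD_JWKS = {"status": 200, "headers": {"Content-Type": "application/json"},
             "body": json.dumps({"keys": [{"kty": "RSA", "kid": "demo-1", "n": "AQAB", "e": "AQAB"}]})}
LEAKED_JWKS = {"status": 200, "headers": {"Content-Type": "application/json"},
               "body": json.dumps({"keys": [{"kty": "RSA", "kid": "demo-1", "n": "AQAB", "e": "AQAB", "d": "x"}]})}

def content_type_is_json(headers):
    """True for application/json, ignoring case and parameters such as charset."""
    ct = {k.lower(): v for k, v in headers.items()}.get("content-type", "")
    return ct.split(";")[0].strip().lower() == "application/json"

def check_discovery(issuer_url, resp):
    """Problems with the /.well-known/openid-configuration response (empty list = OK)."""
    problems = []
    if urlparse(issuer_url).scheme != "https":
        problems.append("issuer URL must be https")
    if not content_type_is_json(resp["headers"]):
        problems.append("Content-Type is not application/json")
    try:
        doc = json.loads(resp["body"])
    except ValueError:
        return problems + ["body is not valid JSON"]
    if doc.get("issuer") != issuer_url:
        problems.append("issuer claim does not match the URL the document is served from")
    if urlparse(doc.get("jwks_uri", "")).scheme != "https":
        problems.append("jwks_uri must be https")
    return problems

def check_jwks(resp):
    """Problems with the JWKS response: must be JSON and hold public keys only."""
    problems = [] if content_type_is_json(resp["headers"]) else ["JWKS Content-Type is not application/json"]
    try:
        keys = json.loads(resp["body"]).get("keys", [])
    except ValueError:
        return problems + ["JWKS body is not valid JSON"]
    for k in keys:
        if "d" in k:  # RSA/EC private component: never publish this
            problems.append("key %s contains private-key material" % k.get("kid"))
    return problems
```

Swapping the constructed dicts for real fetches (status, headers and body from the hosted URLs) turns this into a quick pre-flight check before pointing the Jenkins credentials entry at the external issuer.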

@elinesterov

elinesterov commented Sep 7, 2023

Thank you for the clarification @jglick

It sounds simple

I know how complicated it is :) especially regarding content type which is not a part of the spec but many enforce its validation (for multiple reasons).

@jglick
Member Author

jglick commented Oct 26, 2023

https://www.acorn.io/pricing might work well enough for demo purposes.

@jglick
Member Author

jglick commented Dec 2, 2024

Recheck after #26.
