Bitbucket recently added OIDC support for Bitbucket Pipelines. However, it doesn't allow the user to change any of the claims; this means the audience is automatically set to `ari:cloud:bitbucket:workspace/<workspace uuid>`.
Before I start to write a provider for Bitbucket, I'd like to know whether it's feasible at all, because Fulcio's documentation states that the `aud` claim needs to be set to `sigstore`.
Further constraints:
- the `sub` is dynamic and changes on each pipeline run because it includes the `BITBUCKET_STEP_UUID`
- the `iss` is also dynamic because it includes the organization's name in the URL
Hey, thanks for reaching out. Audience not being customizable is a blocker, so we will need to ask Bitbucket to support customized audiences. The subject of the certificate will need to be a stable identifier, but I think we can work around this and look at other claims that are available to see if we can construct one. Check out the OID documentation for some ideas on a suitable cert subject.
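As an added example (not code from the issue, from Fulcio or from Bitbucket), the following Python shows the checks a relying party runs on a token like the one described in the issue: signature first, then `aud`, `iss` and expiry. It shows why a token whose audience is fixed to `ari:cloud:bitbucket:workspace/...` is rejected by a verifier that expects `sigstore`, and, following the reply above, how a run-independent identity could be built from other claims when `sub` embeds the per-run step UUID. The HS256 demo key, the issuer URL, the UUIDs and the claim names `workspace_uuid`, `repository_uuid` and `branch_name` are assumptions for the example, not Bitbucket's documented claims; a real provider signs with an asymmetric key published at its JWKS endpoint.

```python
import base64
import hashlib
import hmac
import json
import time

# Constructed demo key. Real OIDC tokens are signed with an asymmetric key
# (RS256/ES256) fetched from the issuer's JWKS; HS256 keeps this runnable offline.
DEMO_SECRET = b"constructed-demo-secret-not-a-real-key"

# Constructed placeholders; the issue only states that aud/sub/iss are fixed.
WORKSPACE_UUID = "00000000-0000-0000-0000-00000000aaaa"
REPO_UUID = "00000000-0000-0000-0000-00000000bbbb"
BITBUCKET_STYLE_AUD = f"ari:cloud:bitbucket:workspace/{WORKSPACE_UUID}"
ISSUER = "https://example-issuer.invalid/workspaces/example-org/oidc"  # org name in the URL


def _b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()


def _b64url_decode(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def sample_claims(step_uuid: str, aud: str, branch: str = "main") -> dict:
    """Claims shaped like the issue describes: sub embeds the per-run step UUID.
    The three extra claim names are assumptions, not Bitbucket's documented names."""
    now = int(time.time())
    return {
        "iss": ISSUER,
        "aud": aud,
        "sub": f"{REPO_UUID}:{step_uuid}",  # changes on every pipeline run
        "iat": now,
        "exp": now + 300,
        "workspace_uuid": WORKSPACE_UUID,   # assumed claim name
        "repository_uuid": REPO_UUID,       # assumed claim name
        "branch_name": branch,              # assumed claim name
    }


def make_token(claims: dict, secret: bytes = DEMO_SECRET) -> str:
    """Mint a compact JWS (header.payload.signature) over the given claims."""
    header = _b64url(json.dumps({"alg": "HS256", "typ": "JWT"}, separators=(",", ":")).encode())
    payload = _b64url(json.dumps(claims, separators=(",", ":")).encode())
    signing_input = f"{header}.{payload}"
    sig = hmac.new(secret, signing_input.encode(), hashlib.sha256).digest()
    return f"{signing_input}.{_b64url(sig)}"


def verify_token(token: str, expected_aud: str, expected_iss: str,
                 secret: bytes = DEMO_SECRET, now=None):
    """Return (ok, reason, claims). Nothing in the payload is trusted before the
    signature is checked; aud is checked before any other claim is used."""
    parts = token.split(".")
    if len(parts) != 3:
        return False, "malformed token", None
    header_b64, payload_b64, sig_b64 = parts
    header = json.loads(_b64url_decode(header_b64))
    if header.get("alg") != "HS256":  # pin the algorithm; never accept 'none' or a switch
        return False, "unexpected alg", None
    expected_sig = hmac.new(secret, f"{header_b64}.{payload_b64}".encode(), hashlib.sha256).digest()
    if not hmac.compare_digest(expected_sig, _b64url_decode(sig_b64)):
        return False, "bad signature", None
    claims = json.loads(_b64url_decode(payload_b64))
    aud = claims.get("aud")
    audiences = aud if isinstance(aud, list) else [aud]  # aud may be a string or a list
    if expected_aud not in audiences:
        return False, f"audience mismatch: got {audiences}, want {expected_aud!r}", claims
    if claims.get("iss") != expected_iss:
        return False, "issuer mismatch", claims
    if (now or int(time.time())) >= claims.get("exp", 0):
        return False, "token expired", claims
    return True, "ok", claims


def stable_subject(claims: dict) -> str:
    """Derive a run-independent identity from claims assumed stable across runs,
    instead of the per-run sub. Which claims really are stable has to be confirmed
    against the provider's documentation; these names are assumptions."""
    return "bitbucket:{}:{}:{}".format(
        claims["workspace_uuid"], claims["repository_uuid"], claims["branch_name"])


def demo() -> dict:
    """Run the checks on constructed tokens and return the outcomes."""
    fixed_aud = make_token(sample_claims("step-1", BITBUCKET_STYLE_AUD))
    wanted_aud = make_token(sample_claims("step-2", "sigstore"))
    # Rewrite the payload's aud to "sigstore" without re-signing: must fail on signature.
    h, p, s = fixed_aud.split(".")
    edited = json.loads(_b64url_decode(p))
    edited["aud"] = "sigstore"
    tampered = f"{h}.{_b64url(json.dumps(edited, separators=(',', ':')).encode())}.{s}"
    run1 = sample_claims("step-1", "sigstore")
    run2 = sample_claims("step-2", "sigstore")
    return {
        "fixed_aud": verify_token(fixed_aud, "sigstore", ISSUER)[:2],
        "sigstore_aud": verify_token(wanted_aud, "sigstore", ISSUER)[:2],
        "tampered": verify_token(tampered, "sigstore", ISSUER)[:2],
        "sub_changes": run1["sub"] != run2["sub"],
        "stable_matches": stable_subject(run1) == stable_subject(run2),
    }


if __name__ == "__main__":
    for name, outcome in demo().items():
        print(f"{name}: {outcome}")
```

The order in `verify_token` is the point: a relying party pins the algorithm, verifies the signature, then rejects on `aud` before looking at anything else, so a token minted for `ari:cloud:bitbucket:workspace/...` never reaches the identity-mapping step no matter what its other claims say. `stable_subject` only illustrates the shape of a workaround; whether Bitbucket actually exposes stable, signed claims of that kind is exactly what would need checking before writing a provider.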
I've opened a discussion on Bitbucket's Community Board here regarding the configurable audience claim. Unfortunately Bitbucket is not too responsive from past experience.
In the meantime I'll try to use a token exchange with a Google Cloud service account, i.e. Bitbucket Token -> Google Token -> Fulcio.