Include raw subject in certificates #2307
Merged
Codecov Report ❌ Patch coverage is
Additional details and impacted files

@@            Coverage Diff             @@
##             main    #2307      +/-   ##
===========================================
- Coverage   57.93%   45.10%   -12.84%
===========================================
  Files          50       72       +22
  Lines        3119     4705     +1586
===========================================
+ Hits         1807     2122      +315
- Misses       1154     2344     +1190
- Partials      158      239       +81
Commit message:

Sometimes identities have a different identifier that isn't captured by existing certificates, usually because the identifier isn't useful as a human friendly reference. For example - GCP accounts have an opaque numerical identifier.

That said, subject is particularly useful to preserve since OIDC spec requires (issuer, subject) to be the canonical representation for an identity, and sometimes these opaque identifiers can be difficult to otherwise resolve.

This change preserves the incoming subject as-is. While this may result in some duplicative data for some providers, this helps give a consistent reference point across OIDC issuers.

Signed-off-by: Billy Lynch <billy@chainguard.dev>
Hayden-IO (Contributor) reviewed Mar 31, 2026:
Thanks, this looks good! No concerns from me with including subject in a custom extension!
Can you update e2e tests in https://github.com/sigstore/fulcio/blob/main/pkg/server/grpc_server_test.go as well?
Author (Member):
Done!
Author (Member):
@Hayden-IO thanks! Anything else I need to do on my end to help set up the oid-info documentation?
Hayden-IO (Contributor):
Nope, the doc update here LGTM! We'll just need to cut a new release.
Summary
Sometimes identities have a different identifier that isn't captured by existing certificates, usually because the identifier isn't useful as a human friendly reference. For example - GCP accounts have an opaque numerical identifier.
That said, subject is particularly useful to preserve since OIDC spec requires (issuer, subject) to be the canonical representation for an identity, and sometimes these opaque identifiers can be difficult to otherwise resolve.
This change preserves the incoming subject as-is. While this may result in some duplicative data for some providers, this helps give a consistent reference point across OIDC issuers.
Fixes #973
Release Note
sub as a new OID extension in issued certificates, which contains the token subject as-is
Documentation
Will need some assistance reserving the OID value upstream.
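An added example, not code from this PR or from Fulcio itself, showing the shape of what the change describes: minting a test certificate that carries the raw OIDC token subject in a custom extension and reading it back, with the OID leaf (the real one is still being reserved), the DER UTF8String encoding and the sample subject all assumed.

```go
package main
import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"encoding/asn1"
	"errors"
	"math/big"
	"time"
)
// Placeholder leaf under Sigstore's arc 1.3.6.1.4.1.57264.1: the real "sub" OID is reserved upstream and is not on this page.
var oidRawSubject = asn1.ObjectIdentifier{1, 3, 6, 1, 4, 1, 57264, 1, 999}
// IssueTestCert mints a self-signed cert carrying the token subject verbatim as a DER UTF8String extension (encoding assumed).
func IssueTestCert(subject string) (*x509.Certificate, error) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, err
	}
	raw, err := asn1.MarshalWithParams(subject, "utf8")
	if err != nil {
		return nil, err
	}
	tmpl := &x509.Certificate{
		SerialNumber:    big.NewInt(1),
		Subject:         pkix.Name{CommonName: "fulcio-test"},
		NotBefore:       time.Now(),
		NotAfter:        time.Now().Add(10 * time.Minute),
		ExtraExtensions: []pkix.Extension{{Id: oidRawSubject, Value: raw}},
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, tmpl, &key.PublicKey, key)
	if err != nil {
		return nil, err
	}
	return x509.ParseCertificate(der)
}
// RawSubject returns the subject stored in the extension; a missing or malformed extension is an error, never "".
func RawSubject(cert *x509.Certificate) (string, error) {
	for _, ext := range cert.Extensions {
		if ext.Id.Equal(oidRawSubject) {
			var s string
			if rest, err := asn1.UnmarshalWithParams(ext.Value, &s, "utf8"); err != nil || len(rest) != 0 {
				return "", errors.New("malformed raw subject extension")
			}
			return s, nil
		}
	}
	return "", errors.New("raw subject extension not present")
}
```

A verifier that pairs this value with the issuer extension gets the (issuer, subject) tuple the description calls canonical, even for providers whose subject is an opaque number.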