Description
Hi there! I'm using the AzureSignTool via GitLab to retrieve a certificate from an Azure Vault and sign the software artifact. As we have lots of projects that need to be signed with different certificates and Vaults, we thought it would be a great idea to switch from client secret authentication to OIDC. This would make everything more transparent and reduce the maintenance work that we have to do, like secret rotation.
However, I did have a little bit of trouble getting it to work, as there doesn't seem to be an obvious way to authenticate the AzureSignTool via JWT tokens. I first tried using it as an access token, but as I learned, they are not the same.
https://devblogs.microsoft.com/identity/access-tokens-and-id-tokens/
Then I tried to authenticate first and generate an access token for the Azure Sign Tool, but there were a few hiccups with the wrong audience, etc. as the claim was done by GitLab. I also gave it a go using it as a client secret, which was bound to fail, but I was feeling a little desperate 😆
I then came across the DefaultAzureCredential object and, using the managed identity authorization combined with a login and JWT token like in retrieve-a-temporary-credential, I finally got the authentication to work!
```yaml
sign:test:
  image: azure-sign-tool:latest
  stage: sign
  id_tokens:
    GITLAB_OIDC_TOKEN:
      aud: 'https://gitlab.com'
  before_script:
    - az login --service-principal -u $AZURE_CLIENT_ID --tenant $AZURE_TENANT_ID --federated-token $GITLAB_OIDC_TOKEN
  script:
    - >
      azuresigntool sign
      --azure-key-vault-url https://example.vault.azure.net/
      --azure-key-vault-managed-identity
      --azure-key-vault-certificate example-certificate
      --timestamp-rfc3161 http://timestamp.digicert.com
      --verbose
      hello-world.exe
```

I thought this was an interesting use case as OIDC is becoming more and more popular in the CI environment. I can briefly add it to the README, but I wanted to make sure that it fits into the scope of the project or the documentation. The pull request would of course be primarily about federated token authentication and not about GitLab.
Thanks a lot for the work on this tool 👍
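As an added example (not code from the issue or from AzureSignTool), a small Python preflight that decodes the GitLab ID token and compares its `iss`, `aud` and `sub` claims against the values configured on the Azure federated credential, which is where the audience hiccups described above usually come from. The sample token, the project path and the `_constructed_token` helper are constructed for this example; it only decodes the payload and does not verify the signature (Azure does that against GitLab's JWKS when the token is exchanged).

```python
"""Preflight for a GitLab ID token before `az login --federated-token`.

Azure matches a federated credential on the token's exact issuer, subject and
audience, so a mismatch in any one of them is what an "invalid audience" style
error at login time usually means. This decodes the JWT payload (no signature
verification; that is Azure's job) and reports which claim is off.
"""
import base64
import json
import time
from typing import Optional


def _b64url_decode(segment: str) -> bytes:
    # JWT segments are base64url without padding; restore padding before decoding.
    return base64.urlsafe_b64decode(segment + "=" * (-len(segment) % 4))


def decode_claims(token: str) -> dict:
    """Return the payload claims of a compact JWS (header.payload.signature)."""
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("not a compact JWT (expected 3 dot-separated segments)")
    return json.loads(_b64url_decode(parts[1]))


def check_federated_claims(token: str, issuer: str, audience: str, subject: str,
                           now: Optional[float] = None) -> list:
    """Return the mismatches between the token and the federated credential it
    must satisfy; an empty list means issuer, audience and subject all line up."""
    claims = decode_claims(token)
    problems = []
    if claims.get("iss") != issuer:
        problems.append(f"iss={claims.get('iss')!r}, expected {issuer!r}")
    aud = claims.get("aud")
    if audience not in (aud if isinstance(aud, list) else [aud]):
        problems.append(f"aud={aud!r}, expected {audience!r}")
    if claims.get("sub") != subject:
        problems.append(f"sub={claims.get('sub')!r}, expected {subject!r}")
    exp = claims.get("exp")
    if not isinstance(exp, (int, float)) or exp <= (now or time.time()):
        problems.append("token has no exp claim or has already expired")
    return problems


def _constructed_token(claims: dict) -> str:
    """Build a sample token with a placeholder signature (constructed for this
    example only; a real GitLab ID token carries an RS256 signature)."""
    def enc(obj):
        return base64.urlsafe_b64encode(json.dumps(obj).encode()).rstrip(b"=").decode()
    return f"{enc({'alg': 'RS256', 'typ': 'JWT'})}.{enc(claims)}.placeholder-signature"
```

Run `check_federated_claims` on the job's `$GITLAB_OIDC_TOKEN` with the issuer, audience and subject (`project_path:<group>/<project>:ref_type:<type>:ref:<ref>`) taken from the federated credential in the Azure portal, and fix whichever claim it reports before looking elsewhere.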