Feature #63718
openSTS integration with Spiffe/Spire
Updated by Casey Bodley 5 months ago
From Adam B in the #ceph-devel Slack (https://ceph-storage.slack.com/archives/C1HFZTW81/p1701452630490429):
Hi All,
Let me share my findings on SPIFFE with RGW.
In the SPIFFE world a workload can authenticate by calling the SPIRE Workload API to request an SVID. JWT SVIDs can be used for OIDC federation, since they comply with the ID token specs. RGW is not too far from supporting OIDC federation with JWT SVIDs, but some gaps need to be filled:
- RGW assumes the presence of an optional x5c member in the signing key for token validation, and doesn’t support bare JWKs. SPIRE uses bare JWKs.
- RGW doesn’t match the right signing key using the “kid” parameter; it picks the first certificate instead. Signing keys might be at any position in the keys JSON array returned by an OIDC discovery endpoint.
I used this guide to set up SPIRE locally: https://spiffe.io/docs/latest/try/getting-started-linux-macos-x/
And used this sample OIDC discovery provider: https://github.com/spiffe/spire/tree/main/support/oidc-discovery-provider
For a comprehensive OIDC federation tutorial with AWS, see https://spiffe.io/docs/latest/keyless/oidc-federation-aws/
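The two gaps listed above are both about how the relying party picks a key out of the JWKS document, so the added example below (not RGW code and not from the SPIRE project) shows that selection done the way the message asks for: read the `kid` from the JOSE header, find exactly the one JWKS entry with that `kid`, and take the public key material from the bare JWK members (`n`/`e` or `crv`/`x`/`y`) without requiring `x5c`. The JWKS document, the `kid` values, the RSA modulus and the token are all constructed for the illustration; the token has a dummy signature and no signature check is performed, since the point is key lookup, not verification. `first_key` reproduces the "take keys[0]" behaviour the message describes so the two can be compared.

```python
"""Select a JWT SVID signing key from a JWKS by kid, accepting bare JWKs (no x5c)."""
import base64
import json


def b64url_decode(data: str) -> bytes:
    # JOSE base64url omits padding; restore it before decoding
    return base64.urlsafe_b64decode(data + "=" * (-len(data) % 4))


def b64url_encode(raw: bytes) -> str:
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode("ascii")


def parse_jwt_header(token: str) -> dict:
    # The JOSE header is the first of the three compact-JWS segments
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("compact JWS must have exactly three segments")
    return json.loads(b64url_decode(parts[0]))


def first_key(jwks: dict) -> dict:
    # The behaviour described in the issue: keys[0] regardless of the token's kid
    return jwks["keys"][0]


def select_signing_key(jwks: dict, header: dict) -> dict:
    # Match on kid; the key may sit anywhere in the JWKS "keys" array
    keys = jwks.get("keys", [])
    if not keys:
        raise LookupError("JWKS document contains no keys")
    kid = header.get("kid")
    if kid is None:
        # Without a kid, only a single-key JWKS is unambiguous
        if len(keys) == 1:
            return keys[0]
        raise LookupError("token has no kid and the JWKS has more than one key")
    matches = [k for k in keys if k.get("kid") == kid]
    if len(matches) != 1:
        raise LookupError(f"expected exactly one key with kid={kid!r}, found {len(matches)}")
    key = matches[0]
    # Refuse keys not published for signing, and an alg mismatch when the JWK states one
    if key.get("use", "sig") != "sig":
        raise ValueError(f"key {kid!r} is not a signing key (use={key['use']!r})")
    if "alg" in key and key["alg"] != header.get("alg"):
        raise ValueError(f"key {kid!r} is for {key['alg']}, token header says {header.get('alg')!r}")
    return key


def public_key_material(jwk: dict) -> tuple:
    # Public key comes from the JWK members themselves; x5c is optional and never required
    kty = jwk.get("kty")
    if kty == "RSA":
        n = int.from_bytes(b64url_decode(jwk["n"]), "big")
        e = int.from_bytes(b64url_decode(jwk["e"]), "big")
        return ("RSA", n, e)
    if kty == "EC":
        return ("EC", jwk["crv"], b64url_decode(jwk["x"]), b64url_decode(jwk["y"]))
    raise ValueError(f"unsupported kty {kty!r}")


# Constructed JWKS (not a real SPIRE bundle): key 0 carries a placeholder x5c and is
# first in the array; keys 1 and 2 are bare JWKs like the ones SPIRE publishes.
CONSTRUCTED_N_HEX = "c0ffee" + "00" * 28 + "01"  # constructed 256-bit value, not a real modulus
SAMPLE_JWKS = {
    "keys": [
        {"kty": "RSA", "kid": "old-key", "use": "sig", "alg": "RS256",
         "n": b64url_encode(bytes.fromhex("ab" * 32)), "e": "AQAB",
         "x5c": ["PLACEHOLDER-BASE64-DER-CERT"]},
        {"kty": "EC", "kid": "ec-key", "use": "sig", "alg": "ES256", "crv": "P-256",
         "x": b64url_encode(b"\x11" * 32), "y": b64url_encode(b"\x22" * 32)},
        {"kty": "RSA", "kid": "spire-key-3", "use": "sig", "alg": "RS256",
         "n": b64url_encode(bytes.fromhex(CONSTRUCTED_N_HEX)), "e": "AQAB"},
    ]
}


def make_constructed_token(kid: str, alg: str = "RS256") -> str:
    # Header and payload only; the signature segment is a dummy (no private key involved)
    header = b64url_encode(json.dumps({"alg": alg, "typ": "JWT", "kid": kid}).encode())
    payload = b64url_encode(json.dumps(
        {"iss": "https://oidc.example.test", "sub": "spiffe://example.org/workload"}).encode())
    return f"{header}.{payload}.{b64url_encode(b'not-a-real-signature')}"


if __name__ == "__main__":
    hdr = parse_jwt_header(make_constructed_token("spire-key-3"))
    print("keys[0] kid:", first_key(SAMPLE_JWKS)["kid"])          # old-key: the wrong key
    chosen = select_signing_key(SAMPLE_JWKS, hdr)
    print("kid-matched kid:", chosen["kid"], "| has x5c:", "x5c" in chosen)
    print(public_key_material(chosen))
```

The lookup rejects ambiguity instead of guessing: no `kid` with several keys, zero or duplicate `kid` matches, a key published with `use` other than `sig`, or a JWK `alg` that disagrees with the header all raise, which is the behaviour you want before any signature is checked against the returned material.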