Over the last couple of days I was trying to implement OIDC authentication for our CircleCI workloads.
After reading the documentation about the new OIDC token I realized the additional claims to be incompatible with Google's attribute mapping representation. Using oidc.circleci.com/project-id as an assertion (assertion.oidc.circleci.com/project-id) results in an error complaining about the format not being valid.
I would like to know why the keys for the additional claims are formatted as they are and how it will be possible to map them accordingly in order to use them as a scope for the PrincipalSet in the Service Account Mappings.
If the additional claims were keyed as context_ids, everything would be fine.