Restrict AWS OIDC when ssh-rerun is True

I have tried to add a policy on AWS to restrict tokens with oidc.circleci.com/ssh-rerun: True without luck.

When I go to https://oidc.circleci.com/org/{org_id}/.well-known/openid-configuration
I see:

{
  "request_uri_parameter_supported": false,
  "claims_supported": [
    "aud",
    "sub",
    "iss",
    "iat",
    "exp",
    "oidc.circleci.com/project-id",
    "oidc.circleci.com/context-ids",
    "oidc.circleci.com/vcs-ref",
    "oidc.circleci.com/vcs-origin"
  ],
  "subject_types_supported": [
    "public",
    "pairwise"
  ],
  "scopes_supported": [
    "openid"
  ],
  "issuer": "https://oidc.circleci.com/org/{org_id}",
  "response_types_supported": [
    "id_token"
  ],
  "id_token_signing_alg_values_supported": [
    "RS256"
  ],
  "jwks_uri": "https://oidc.circleci.com/org/{org_id}/.well-known/jwks-pub.json",
  "service_documentation": "https://circleci.com/docs/2.0/openid-connect-tokens/"
}

Is it missing oidc.circleci.com/ssh-rerun inside claims_supported?

Inside a CircleCI SSH job I have run echo $CIRCLE_OIDC_TOKEN_V2 and got:

{
  "aud": "...",
  "exp": ...,
  "iat": ...,
  "iss": "https://oidc.circleci.com/org/{org_id}",
  "oidc.circleci.com/context-ids": [],
  "oidc.circleci.com/project-id": "{project_id}",
  "oidc.circleci.com/ssh-rerun": true,
  "oidc.circleci.com/vcs-origin": "{vcs_name}/{org_name}/{repo_name}",
  "oidc.circleci.com/vcs-ref": "refs/heads/{branch_name}",
  "sub": "org/{org_id}/project/{project_id}/user/{user_id}/vcs-origin/{vcs_name}/org_name/{repo_name}/vcs-ref/refs/heads/{branch_name}"
}

So oidc.circleci.com/ssh-rerun is there. Same with echo $CIRCLE_OIDC_TOKEN.

Any suggestion?

Organization admins can request the debugging with SSH feature to be disabled on an organization and/or project level.

If you are on a plan that includes ticket based support, please open a ticket and we can help you with disabling this feature.

Let us know if you have any follow up questions. Cheers!

Hey,

Can you please add an entry to claims_supported to provide proper support for a claim that is official in the docs?

When you go to: https://oidc.circleci.com/org/{org_id}/.well-known/openid-configuration
you can see this:

{
  "claims_supported": [
    "aud",
    "sub",
    "iss",
    "iat",
    "exp",
    "oidc.circleci.com/project-id",
    "oidc.circleci.com/vcs-origin",
    "oidc.circleci.com/vcs-ref",
    "oidc.circleci.com/context-ids"
  ],
....
}

but the official docs state one more entry, oidc.circleci.com/ssh-rerun:

The OpenID Connect ID tokens also contain some additional claims with extra metadata about the job:

Additional claim: oidc.circleci.com/ssh-rerun
Metadata: A boolean indicating if the CI job is started using the SSH rerun feature.

(source: https://circleci.com/docs/openid-connect-tokens/#format-of-the-openid-connect-id-token )

I think all supported claims should be reported by https://oidc.circleci.com/org/{org_id}/.well-known/openid-configuration to have a correct OAuth integration.
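As an added example (not code from this thread or from CircleCI), the helper below decodes the payload of a CircleCI-style ID token, flags it when oidc.circleci.com/ssh-rerun is true, and lists the claims the token carries that the discovery document's claims_supported does not advertise. The token and its values are constructed placeholders, and the signature is not verified here; a relying party must still verify it against the jwks_uri before trusting any claim.

```python
import base64
import json

# Constructed sample, not a real token: an unsigned JWT with the claim set
# shown in the thread, used only to exercise the claim inspection below.
def _b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()

SAMPLE_PAYLOAD = {
    "aud": "EXAMPLE_AUDIENCE",
    "iss": "https://oidc.circleci.com/org/ORG_ID",
    "oidc.circleci.com/project-id": "PROJECT_ID",
    "oidc.circleci.com/ssh-rerun": True,
    "oidc.circleci.com/vcs-ref": "refs/heads/main",
    "sub": "org/ORG_ID/project/PROJECT_ID/user/USER_ID",
}
SAMPLE_TOKEN = ".".join([
    _b64url(json.dumps({"alg": "RS256", "typ": "JWT"}).encode()),
    _b64url(json.dumps(SAMPLE_PAYLOAD).encode()),
    "",  # signature intentionally empty: this helper only inspects claims
])

# claims_supported as returned by the openid-configuration quoted above.
ADVERTISED_CLAIMS = {
    "aud", "sub", "iss", "iat", "exp",
    "oidc.circleci.com/project-id", "oidc.circleci.com/context-ids",
    "oidc.circleci.com/vcs-ref", "oidc.circleci.com/vcs-origin",
}


def decode_claims(token: str) -> dict:
    """Return the JWT payload as a dict. Does NOT verify the signature."""
    payload = token.split(".")[1]
    payload += "=" * (-len(payload) % 4)  # restore stripped base64url padding
    return json.loads(base64.urlsafe_b64decode(payload))


def unadvertised_claims(claims: dict, advertised: set) -> set:
    """Claims present in the token but missing from claims_supported."""
    return set(claims) - advertised


def is_ssh_rerun(claims: dict) -> bool:
    """True when the job was started via SSH rerun; treat such tokens as
    unsuitable for exchanging into cloud credentials."""
    return claims.get("oidc.circleci.com/ssh-rerun") is True
```

Run inside a job as a guard step, the same check can be applied to the real $CIRCLE_OIDC_TOKEN_V2 before the token is handed to a cloud credential exchange.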
