feat:(oidc) derive audience claim from client_id in IdentityToken

SequeI · SequeI · commit 6fc943c34e68 · 2025-05-22T11:09:28.000+01:00
Signed-off-by: SequeI &lt;asiek@redhat.com&gt;
diff --git a/CHANGELOG.md b/CHANGELOG.md
@@ -12,6 +12,9 @@ All versions prior to 0.9.0 are untracked.
 
 * Added support for ed25519 keys.
   [#1377](https://github.com/sigstore/sigstore-python/pull/1377)
+* Added client_id as the audience (aud) claim when initializing IdentityToken
+  [#1402](https://github.com/sigstore/sigstore-python/pull/1402)
+
 
 ### Fixed
 
diff --git a/sigstore/_cli.py b/sigstore/_cli.py
@@ -238,7 +238,6 @@ def _add_shared_oidc_options(
         help="Force an out-of-band OAuth flow and do not automatically start the default web browser",
     )
 
-
 def _parser() -> argparse.ArgumentParser:
     # Arguments in parent_parser can be used for both commands and subcommands
     parent_parser = argparse.ArgumentParser(add_help=False)
diff --git a/sigstore/oidc.py b/sigstore/oidc.py
@@ -41,8 +41,8 @@
     "https://oauth2.sigstage.dev/auth": "email",
     "https://token.actions.githubusercontent.com": "sub",
 }
-_DEFAULT_AUDIENCE = "sigstore"
 
+_DEFAULT_AUDIENCE = "sigstore"
 
 class _OpenIDConfiguration(BaseModel):
     """
@@ -66,7 +66,7 @@ class IdentityToken:
     a sensible subject, issuer, and audience for Sigstore purposes.
     """
 
-    def __init__(self, raw_token: str) -> None:
+    def __init__(self, raw_token: str, client_id: str) -> None:
         """
         Create a new `IdentityToken` from the given OIDC token.
         """
@@ -90,7 +90,7 @@ def __init__(self, raw_token: str) -> None:
                     # See: https://openid.net/specs/openid-connect-basic-1_0.html#IDToken
                     "require": ["aud", "sub", "iat", "exp", "iss"],
                 },
-                audience=_DEFAULT_AUDIENCE,
+                audience=client_id,
                 # NOTE: This leeway shouldn't be strictly necessary, but is
                 # included to preempt any (small) skew between the host
                 # and the originating IdP.
@@ -350,7 +350,7 @@ def identity_token(  # nosec: B107
         if token_error is not None:
             raise IdentityError(f"Error response from token endpoint: {token_error}")
 
-        return IdentityToken(token_json["access_token"])
+        return IdentityToken(token_json["access_token"], client_id)
 
 
 class IdentityError(Error):

Original file line number	Diff line number	Diff line change
`@@ -238,7 +238,6 @@ def _add_shared_oidc_options(`
`238`	`238`	`help="Force an out-of-band OAuth flow and do not automatically start the default web browser",`
`239`	`239`	`)`
`240`	`240`
`241`		`-`
`242`	`241`	`def _parser() -> argparse.ArgumentParser:`
`243`	`242`	`# Arguments in parent_parser can be used for both commands and subcommands`
`244`	`243`	`parent_parser = argparse.ArgumentParser(add_help=False)`