feat: adding --oidc-audience (aud) claim configuration options

Signed-off-by: SequeI <asiek@redhat.com>

Author: SequeI

CHANGELOG.md

@@ -12,6 +12,9 @@ All versions prior to 0.9.0 are untracked.
 
 * Added support for ed25519 keys.
   [#1377](https://github.com/sigstore/sigstore-python/pull/1377)
+* Added --oidc-audience for using a custom oidc clients aud claim. helps if a user has a custom client id and needs to match this aud.
+  [#1402](https://github.com/sigstore/sigstore-python/pull/1402)
+
 
 ### Fixed
 

README.md

@@ -126,6 +126,8 @@ OpenID Connect options:
   --oauth-force-oob     Force an out-of-band OAuth flow and do not
                         automatically start the default web browser (default:
                         False)
+  --oidc-audience       Expected audience (`aud`) claim in the token to
+                        validate against (default: None)
 
 Output options:
   --no-default-files    Don't emit the default output files

sigstore/_cli.py

@@ -238,6 +238,13 @@ def _add_shared_oidc_options(
         default=_boolify_env("SIGSTORE_OAUTH_FORCE_OOB"),
         help="Force an out-of-band OAuth flow and do not automatically start the default web browser",
     )
+    group.add_argument(
+        "--oidc-audience",
+        metavar="AUDIENCE",
+        type=str,
+        default=os.getenv("SIGSTORE_OIDC_AUDIENCE"),
+        help="Expected audience (`aud`) claim in the token to validate against",
+    )
 
 
 def _parser() -> argparse.ArgumentParser:
@@ -1190,6 +1197,7 @@ def _get_identity(args: argparse.Namespace) -> Optional[IdentityToken]:
         client_id=args.oidc_client_id,
         client_secret=args.oidc_client_secret,
         force_oob=args.oauth_force_oob,
+        audience=args.oidc_audience,
     )
 
     return token

sigstore/oidc.py

@@ -44,8 +44,8 @@
     "https://oauth2.sigstage.dev/auth": "email",
     "https://token.actions.githubusercontent.com": "sub",
 }
-_DEFAULT_AUDIENCE = "sigstore"
 
+_DEFAULT_AUDIENCE = "sigstore"
 
 class _OpenIDConfiguration(BaseModel):
     """
@@ -69,13 +69,16 @@ class IdentityToken:
     a sensible subject, issuer, and audience for Sigstore purposes.
     """
 
-    def __init__(self, raw_token: str) -> None:
+    def __init__(self, raw_token: str, client_id: str, audience: Optional[str] = None) -> None:
         """
         Create a new `IdentityToken` from the given OIDC token.
         """
 
         self._raw_token = raw_token
 
+        # Determine the correct audience to use
+        resolved_audience = audience or client_id or _DEFAULT_AUDIENCE
+
         # NOTE: The lack of verification here is intentional, and is part of
         # Sigstore's verification model: clients like sigstore-python are
         # responsible only for forwarding the OIDC identity to Fulcio for
@@ -93,7 +96,7 @@ def __init__(self, raw_token: str) -> None:
                     # See: https://openid.net/specs/openid-connect-basic-1_0.html#IDToken
                     "require": ["aud", "sub", "iat", "exp", "iss"],
                 },
-                audience=_DEFAULT_AUDIENCE,
+                audience=resolved_audience,
                 # NOTE: This leeway shouldn't be strictly necessary, but is
                 # included to preempt any (small) skew between the host
                 # and the originating IdP.
@@ -290,6 +293,7 @@ def identity_token(  # nosec: B107
         client_id: str = "sigstore",
         client_secret: str = "",
         force_oob: bool = False,
+        audience: Optional[str] = None
     ) -> IdentityToken:
         """
         Retrieves and returns an `IdentityToken` from the current `Issuer`, via OAuth.
@@ -367,7 +371,7 @@ def identity_token(  # nosec: B107
         if token_error is not None:
             raise IdentityError(f"Error response from token endpoint: {token_error}")
 
-        return IdentityToken(token_json["access_token"])
+        return IdentityToken(token_json["access_token"], client_id, audience)
 
 
 class IdentityError(Error):