
[S7] Implement OIDC token exchange endpoint #67

@krakenhavoc

Description

Enable keyless authentication from GitHub Actions via OIDC.

Endpoint

POST /v1/auth/github-oidc

Flow

  1. Action sends GitHub OIDC JWT
  2. Backend fetches GitHub JWKS from https://token.actions.githubusercontent.com/.well-known/jwks
  3. Verify JWT signature, expiry, audience
  4. Extract claims: repository, repository_owner, ref, sha
  5. Map repository_owner → KrakenKey installation → account
  6. Issue short-lived KrakenKey access token (15 min TTL)

Security

  • Cache JWKS with TTL (1 hour)
  • Validate aud claim matches KrakenKey API URL
  • Token scoped to the specific installation (can't access other accounts)
  • Log all token exchanges

Acceptance Criteria

  • Valid GitHub OIDC tokens produce KrakenKey access tokens
  • Invalid/expired tokens are rejected
  • Token is scoped to correct installation/account
  • JWKS is cached
  • Works end-to-end from GitHub Actions

Metadata

Assignees

No one assigned

Labels

  • github-integration: GitHub App + Action integration
  • oidc: OIDC / keyless authentication
  • security: Security hardening
  • sprint-7: Sprint 7: OIDC, Observability & Hardening