Who Are You? I Really Want to Know… the Magic Behind OIDC

Authors: Eddie Zaneski

Summary

The presentation discusses the evolution of machine-to-machine authentication beyond the need for OAuth, and why verifying the claims inside a token is essential to security.
  • OAuth is no longer necessary for machine-to-machine authentication
  • Verifying token claims is crucial for security
  • Anyone can mint a valid OIDC token, so the claims inside it must be verified before it is trusted
  • An anecdote is given about a service that mints tokens carrying whatever URL parameters are passed in
  • An AWS demo shows how to assume a role with web identity
The presenter created a service called trustme.dev that mints tokens containing whatever URL parameters are passed in. It demonstrates that a validly signed token proves nothing on its own: the relying party must verify the issuer, audience, subject and lifetime claims before acting on it.
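The following is an added example, not code from the talk, showing the checks a relying party must perform on an OIDC-style JWT before trusting it: issuer allowlisting before any key lookup, algorithm pinning, signature verification, and then the audience, lifetime and subject claims. The issuer URLs, keys, audience and subject values are constructed for the example. Real OIDC tokens are signed with RS256 or ES256 and the keys are fetched from the issuer's JWKS endpoint; HS256 with an inline secret is used here only so the example runs offline with the standard library.

```python
"""Verify an OIDC-style JWT's claims, not just its signature (added example)."""
import base64
import hashlib
import hmac
import json
import time

# Constructed trust policy (hypothetical values): issuer -> verification key.
# In a real deployment the key material comes from the issuer's JWKS document.
TRUSTED_ISSUERS = {
    "https://ci.example": b"trusted-issuer-signing-key",
}
EXPECTED_AUDIENCE = "sts.example"
ALLOWED_SUBJECTS = {"repo:example-org/example-repo:ref:refs/heads/main"}


def _b64url_encode(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def _b64url_decode(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def mint_token(claims: dict, key: bytes) -> str:
    """Mint an HS256 JWT with arbitrary claims. Anyone holding any key can do this,
    which is exactly why a signature alone must never be treated as authorization."""
    header = _b64url_encode(json.dumps({"alg": "HS256", "typ": "JWT"}).encode())
    payload = _b64url_encode(json.dumps(claims).encode())
    signature = hmac.new(key, f"{header}.{payload}".encode(), hashlib.sha256).digest()
    return f"{header}.{payload}.{_b64url_encode(signature)}"


def verify_token(token: str, now=None) -> tuple:
    """Return (accepted, reason). Each step is a check the relying party owns."""
    now = int(time.time()) if now is None else now
    parts = token.split(".")
    if len(parts) != 3:
        return False, "malformed token"
    header_b64, payload_b64, sig_b64 = parts
    try:
        header = json.loads(_b64url_decode(header_b64))
        claims = json.loads(_b64url_decode(payload_b64))
    except ValueError:  # covers base64, UTF-8 and JSON decode failures
        return False, "undecodable header or payload"

    # 1. Issuer allowlist BEFORE any key lookup: a perfectly valid signature from an
    #    issuer we do not trust means nothing, so its keys are never even consulted.
    key = TRUSTED_ISSUERS.get(claims.get("iss", ""))
    if key is None:
        return False, "untrusted issuer"
    # 2. Pin the algorithm to what the issuer is known to use; never honour "none".
    if header.get("alg") != "HS256":
        return False, "unexpected alg"
    expected = hmac.new(key, f"{header_b64}.{payload_b64}".encode(), hashlib.sha256).digest()
    if not hmac.compare_digest(expected, _b64url_decode(sig_b64)):
        return False, "bad signature"
    # 3. Audience: the token must have been minted for this service, not another one.
    aud = claims.get("aud")
    audiences = aud if isinstance(aud, list) else [aud]
    if EXPECTED_AUDIENCE not in audiences:
        return False, "audience mismatch"
    # 4. Lifetime: reject expired or not-yet-valid tokens.
    if not isinstance(claims.get("exp"), int) or claims["exp"] <= now:
        return False, "expired or missing exp"
    if isinstance(claims.get("nbf"), int) and claims["nbf"] > now:
        return False, "not yet valid"
    # 5. Subject policy: which workload may act, e.g. only one repository's main branch.
    if claims.get("sub") not in ALLOWED_SUBJECTS:
        return False, "subject not allowed by policy"
    return True, "ok"


def demo(now: int = 1_700_000_000) -> dict:
    """Run the verifier over constructed tokens and return each verdict by case name."""
    base = {
        "iss": "https://ci.example",
        "sub": "repo:example-org/example-repo:ref:refs/heads/main",
        "aud": EXPECTED_AUDIENCE,
        "iat": now,
        "exp": now + 600,
    }
    trusted = TRUSTED_ISSUERS["https://ci.example"]
    cases = {
        "good": mint_token(base, trusted),
        # A rogue issuer mints a token with any claims it likes and its own key.
        "rogue_issuer": mint_token({**base, "iss": "https://anyone.example"}, b"anyone-key"),
        "forged_sig": mint_token(base, b"guessed-key"),
        "wrong_aud": mint_token({**base, "aud": "other-service"}, trusted),
        "expired": mint_token({**base, "exp": now - 1}, trusted),
        "other_branch": mint_token(
            {**base, "sub": "repo:example-org/example-repo:ref:refs/heads/feature"}, trusted
        ),
    }
    return {name: verify_token(tok, now=now) for name, tok in cases.items()}


if __name__ == "__main__":
    for name, verdict in demo().items():
        print(f"{name:13s} -> {verdict}")
```

Note that the issuer check happens before the signature is even computed: the rogue-issuer token is rejected as "untrusted issuer" although its signature is internally consistent, which is the failure mode the talk's trustme.dev anecdote illustrates. The subject check is where cloud-side trust policies (such as an AWS role trust policy for a web identity) do their real work, restricting which pipeline, repository or branch may assume the role.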

Abstract

OpenID Connect, or OIDC, is a mechanism for identity authentication. It is built on top of OAuth 2.0 and is used to establish and verify the identity of a user or service. OIDC is used throughout the Cloud Native world for workload identity federation, which allows your CI pipeline to obtain an API token for your cloud provider without provisioning long-lived secrets. In this talk, you will learn the ins and outs of how OIDC works. You'll understand the spec and how you can use machine identities to secure your workloads. You'll also see examples of what's possible with OIDC from open source projects like Kubernetes, SPIFFE/SPIRE, and Sigstore.