Jesse Glick

Results: 604 comments of Jesse Glick

> the secret get re-created on each jenkins redeploy

Why would that be a problem? Jenkins would begin to serve the new public key from the OIDC discovery endpoint, and...

Ah external issuer. Yes I think some sort of cron job (whether inside Jenkins or out) which mirrors the current `https://jenkins/oidc/.well-known/openid-configuration` and (especially) `https://jenkins/oidc/jwks` to the web server is what...

> they're not automatically rotated during a Jenkins restart?

They are not. This issue is about _recreating_ the controller from scratch, not a restart with configuration in place.

> Can...

> I recreate the controller from scratch via CasC

Hence this issue. Very different from merely restarting a controller, which should not rotate keypairs.

> Even when an external issuer...

> _who is able to access_ your jenkins-hosting server

Anyone with direct filesystem (shell) access to `$JENKINS_HOME` is presumed to be some sort of superuser who could also rewrite any...

https://github.com/jenkinsci/oidc-provider-plugin/compare/master...MadsJakobsen:oidc-provider-plugin:feature/add-extension-point-for-claims is the right idea, yes. (Would have a bunch of minor suggestions if that were a PR.) Would provide a cleaner way of implementing the likes of #16.

> an implementation of this while testing out a GCP deployment

Sounds like you might use this plugin in anger. Do you feel like becoming a maintainer? I do not...

I do not exactly follow what sorts of claims you are looking to define and why you cannot already create them given https://github.com/jenkinsci/branch-api-plugin/blob/32f0861d6b50a9cbf39789f1d713e6979d412e4e/src/main/resources/jenkins/branch/BranchNameContributor/buildEnv.properties#L23-L37.

> it requires fully qualified subject identifiers, I'd need to define every possible branch that would ever exist

What I am not following is what `sub` (or set of possible...