
Allow setting of redirect uri port

Open ashearin opened this issue 1 year ago • 2 comments

Description

I'm attempting to leverage sigstore-python library for an enterprise signing/verification tool. Working on a proof of concept resulted in this small example:

from sigstore.oidc import Issuer

# Point the OIDC flow at the enterprise identity provider instead of the public Sigstore one.
issuer = Issuer("https://auth.company.com/")

# Runs the browser-based OAuth flow; the library listens for the redirect on a local port.
identity = issuer.identity_token(client_id="signaturevalidationtool", client_secret="super-secret")

Went through the process of setting up an app with our OAuth manager to facilitate authentication; however, the redirect URI cannot use wildcards with localhost ports. This security configuration choice leaves me stuck, since sigstore-python uses ephemeral ports.

Could we add the ability to specify this redirect URI? Cosign already has a flag for this.

ashearin, May 21 '24 16:05
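The mismatch the issue describes, as an added illustration that is not sigstore-python's or Cosign's code: a loopback redirect listener bound to an ephemeral port (port 0) versus a fixed one, checked against an exact-match redirect URI policy of the kind the provider here enforces. The function and class names are hypothetical.

```python
# Added illustration for this issue, not sigstore-python's own code.
# A native-app OAuth flow listens on a loopback redirect URI; the provider
# compares that URI with the one registered for the client.
from http.server import HTTPServer, BaseHTTPRequestHandler
from urllib.parse import urlsplit


class _CallbackHandler(BaseHTTPRequestHandler):
    """Stand-in for the callback endpoint that receives the auth code."""

    def do_GET(self):
        self.send_response(200)
        self.end_headers()
        self.wfile.write(b"ok")

    def log_message(self, *args):  # keep the example quiet
        pass


def bind_redirect_listener(port=0, path="/auth/callback"):
    """Bind a loopback listener and return (server, redirect_uri).

    port=0 asks the OS for an ephemeral port, which is what the issue
    reports; a fixed non-zero port gives a stable, registrable redirect URI.
    """
    server = HTTPServer(("127.0.0.1", port), _CallbackHandler)
    bound_port = server.server_address[1]
    return server, f"http://localhost:{bound_port}{path}"


def redirect_uri_allowed(requested, registered):
    """Exact-match policy: scheme, host, port and path must all agree.

    This mirrors a provider that rejects wildcard ports: an ephemeral port
    only passes if it happens to equal the registered one.
    """
    req = urlsplit(requested)
    return any(urlsplit(r) == req for r in registered)


if __name__ == "__main__":
    registered = {"http://localhost:8080/auth/callback"}  # constructed registration
    srv, uri = bind_redirect_listener(0)  # ephemeral port
    print(uri, redirect_uri_allowed(uri, registered))  # almost certainly False
    srv.server_close()
    srv, uri = bind_redirect_listener(8080)  # fixed port matching the registration
    print(uri, redirect_uri_allowed(uri, registered))  # True
    srv.server_close()
```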

Thanks for filing this @ashearin!

Yes, I think exposing this would be fine -- IMO we should expose it only via the API for now and then think about an appropriate CLI option (I've been trying to minimize the number of CLI flags used to configure Sigstore's underlying instances, so we could maybe get this added to the trust configuration or similar instead).

If you send a PR for this, I'd be happy to review and merge it 🙁. Otherwise I'll attempt this in the next few weeks (I'm traveling with limited computer access until early June).

woodruffw, May 22 '24 09:05

With regard to CLI tool options, I agree that a flag should not be added for something like this. However, this fits SigningConfig really well: if it were added there, sigstore-python could support it through the already existing --trust-config flag.

jku, May 24 '24 15:05