Entra ID OIDC issuer cannot return boolean claims in ID token
Hi guys👋,
We are currently in the process of setting up our own sigstore with scaffold. As our OIDC issuer we want to use a custom application in Azure Entra ID.
In Entra ID you have to set up custom claims to return fields like email and email_validated. Unfortunately these claims cannot have a boolean value, but are either numbers or strings.
For that reason, when we try to sign with cosign, the GetIDToken method in oauthflow/flow.go returns the error:
(main.go:74: error during command execution: signing [...]: getting signer: getting key from Fulcio: retrieving cert: json: cannot unmarshal string into Go struct field claims.email_verified of type bool)
I would do the implementation of allowing both string and boolean values for email_validated if there are no concerns why this should not be done. I would propose using a custom Unmarshal that allows both bool and str, or making the Verified field an interface.
Thanks 😄
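As an added illustration of the custom Unmarshal idea above (example code, not Fulcio's own implementation or the linked PR): a `FlexBool` type that decodes `email_verified` from a JSON bool, a string or a 0/1 number, used in a hypothetical `Claims` struct with a constructed Entra-style payload.

```go
package main

import (
	"encoding/json"
	"fmt"
	"strconv"
)

// FlexBool decodes email_verified whether the issuer sends true, "true" or 1.
type FlexBool bool
// UnmarshalJSON accepts a JSON bool, a ParseBool-style string or the number 0/1; anything else errors.
func (b *FlexBool) UnmarshalJSON(data []byte) error {
	var raw interface{}
	if err := json.Unmarshal(data, &raw); err != nil {
		return err
	}
	switch v := raw.(type) {
	case nil: // JSON null: keep the zero value (false)
	case bool:
		*b = FlexBool(v)
	case string:
		parsed, err := strconv.ParseBool(v)
		if err != nil {
			return fmt.Errorf("email_verified: unrecognised string %q", v)
		}
		*b = FlexBool(parsed)
	case float64: // encoding/json decodes every JSON number into float64
		if v != 0 && v != 1 {
			return fmt.Errorf("email_verified: number %v is not 0 or 1", v)
		}
		*b = FlexBool(v == 1)
	default:
		return fmt.Errorf("email_verified: unsupported JSON type %T", raw)
	}
	return nil
}

// Claims is a hypothetical stand-in for the ID token claims struct, with Verified as FlexBool.
type Claims struct {
	Email    string   `json:"email"`
	Verified FlexBool `json:"email_verified"`
}
// ParseClaims decodes a token body; the constructed Entra-style payload in main no longer fails.
func ParseClaims(payload []byte) (Claims, error) {
	var c Claims
	return c, json.Unmarshal(payload, &c)
}

func main() {
	fmt.Println(ParseClaims([]byte(`{"email":"a@example.com","email_verified":"true"}`)))
}
```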
https://openid.net/specs/openid-connect-core-1_0.html#StandardClaims shows email_verified as a boolean... so should a bug be opened to make Entra compliant with the spec?
https://github.com/sigstore/fulcio/pull/1744 should fix.