SPIFFE should support OIDC JWK endpoint #43650

@stianst

Description

SPIFFE/SPIRE can be configured to either expose the bundle endpoint or use the OIDC plugin. Neither is exposed by default.

The OIDC plugin exposes JWKS where the JWK does not have a use claim, while the bundle endpoint has use=jwt-svid. We should also support use=sig as that is frequently used by OIDC-compliant vendors, and may be used by some SPIFFE implementations.

Value Proposition

Allow using a wider range of SPIFFE vendors without requiring specific configuration to use with Keycloak

Goals

  • Support use=sig and no use claim

Non-Goals

Discussion

No response

Notes

No response
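
An added example, not part of the issue and not Keycloak's code: a key-selection filter that accepts the three cases the issue names (`use=jwt-svid`, `use=sig`, no `use`). The function names, the sample JWKS documents and the choice to reject every other `use` value (such as `x509-svid` or `enc`) are assumptions made for illustration.

```python
import json

# `use` values accepted for JWT signature verification: "sig" (OIDC vendors)
# and "jwt-svid" (SPIFFE bundle endpoint). A JWK with no `use` is also accepted.
ACCEPTED_USES = {"sig", "jwt-svid"}

def _ec(**extra):
    # Constructed placeholder key; the coordinates are not real key material.
    return {"kty": "EC", "crv": "P-256", "x": "constructed", "y": "constructed", **extra}

# Constructed sample documents for the three publishers named in the issue.
BUNDLE_ENDPOINT = json.dumps({"keys": [
    _ec(kid="k1", use="jwt-svid"),
    _ec(kid="k2", use="x509-svid"),   # X.509 trust anchor, not a JWT key
]})
OIDC_PLUGIN = json.dumps({"keys": [_ec(kid="k1")]})   # no `use` member
OIDC_VENDOR = json.dumps({"keys": [
    _ec(kid="k1", use="sig"),
    _ec(kid="k2", use="enc"),         # encryption key, must not verify tokens
]})

def usable_for_jwt(jwk):
    """True if the JWK's `use` permits verifying a JWT signature."""
    if "use" not in jwk:
        return True
    use = jwk["use"]
    return isinstance(use, str) and use in ACCEPTED_USES

def select_key(jwks_json, kid):
    """Return the one JWK with this kid that may verify JWTs, else None."""
    doc = json.loads(jwks_json)
    keys = doc.get("keys") if isinstance(doc, dict) else None
    if not isinstance(keys, list):
        raise ValueError("JWKS document has no 'keys' array")
    matches = [k for k in keys
               if isinstance(k, dict) and k.get("kid") == kid and usable_for_jwt(k)]
    # Fail closed on a missing or ambiguous match rather than guessing.
    return matches[0] if len(matches) == 1 else None

if __name__ == "__main__":
    for name, doc in [("bundle", BUNDLE_ENDPOINT), ("oidc-plugin", OIDC_PLUGIN),
                      ("vendor", OIDC_VENDOR)]:
        print(name, [kid for kid in ("k1", "k2") if select_key(doc, kid)])
```

Filtering on an allowlist rather than ignoring `use` entirely keeps X.509 trust anchors and encryption keys from being treated as token-signing keys when one endpoint publishes several key types.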
