Skip to content

Separate trust domain and issuer fields in SPIFFE identity provider #43408

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom
Closed
mattbates wants to merge 5 commits into from
Closed

Separate trust domain and issuer fields in SPIFFE identity provider #43408

mattbates wants to merge 5 commits into from

Conversation

@mattbates
Copy link

@mattbates mattbates commented Oct 13, 2025
edited
Loading

Currently, the SPIFFE identity provider (in preview) assumes the issuer (iss) in a JWT-SVID token is the SPIFFE trust domain when looking up the identity provider. However, in some cases, it is not feasible for the issuer to be the same as the trust domain; in implementations like SPIRE, it may be necessary for the iss to be an HTTPS URL such that it can be used by federated systems for key verification.

This PR proposes separating out the trust domain and the issuer.

@mattbates mattbates requested a review from a team as a code owner October 13, 2025 13:22
@stianst stianst self-assigned this Oct 13, 2025
stianst
stianst reviewed Oct 13, 2025
View reviewed changes
Copy link
Contributor

@stianst stianst left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

It's not that it assumes the iss claim is the same as trust domain, rather it assumes there is no iss claim.

I think the correct approach here is to simply ignore the iss claim in the case of SPIFFE SVIDs. I'll get a PR together for that tomorrow probably, and probably close this one as I don't think this is the right approach.

@mattbates
Copy link
Author

mattbates commented Oct 13, 2025
edited
Loading

Thanks for the feedback, @stianst; this is my first time looking at Keycloak code!

it assumes there is no iss claim

Agreed, and it's noted as being optional.

I was referring to when the iss claim is set, it currently uses that to look up the provider (ie the iss claim being the trust domain). That was tripping me up with a POC implementation with SPIRE, causing an NPE (as per #43394).

https://github.com/keycloak/keycloak/blob/main/services/src/main/java/org/keycloak/broker/spiffe/SpiffeIdentityProvider.java#L66
https://github.com/keycloak/keycloak/blob/main/services/src/main/java/org/keycloak/broker/spiffe/SpiffeIdentityProviderConfig.java#L43-L45

I think the correct approach here is to simply ignore the iss claim in the case of SPIFFE SVIDs

I think that makes sense.

@stianst
Copy link
Contributor

stianst commented Oct 15, 2025

Closing as with #43428 we are now ignoring the iss claim completely.

@stianst stianst closed this Oct 15, 2025
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

@stianst stianst stianst left review comments

Assignees

@stianst stianst

Labels

None yet

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

2 participants

@mattbates @stianst