Generate JWT token for OIDC authentication
How can I generate JWT tokens for OIDC authentication in a build job in TeamCity?
In GitLab it works like this: https://docs.gitlab.com/ee/ci/secrets/id_token_authentication.html
There we use it to authenticate to GCP, leveraging its “Workload Identity Federation”. Now we want to do the same with our on-premises TeamCity installation.
Unfortunately I found nothing in the documentation and I'm getting the feeling that we're out of luck and we'll have to write a custom plugin.
I don't think there is such functionality. Could you give me more details on the scenario you'd like to achieve? I might be able to provide some alternatives.
Best regards,
Anton
Hi Anton,
thanks for your reply!
Currently our builds in TeamCity authenticate to GCP with service account keys that are configured as secret parameters in the build jobs.
For obvious reasons this solution is insecure and does not scale, so we need to get rid of authentication by key and use authentication by identity.
Our favourite solution would be the mentioned authentication with OIDC leveraging JWT, called “Workload Identity Federation” in GCP. We already use this in GitLab and it works like a charm. So we'd like to implement the same behaviour in TeamCity.
I already tried to write a plugin that provides a build feature which generates and supplies the appropriate JWT to the builds. But so far I only succeeded in generating the JWT in a standalone program but had no luck in crafting the plugin.
I could push the code to a repository, maybe this helps in understanding what needs to be done.
Best regards,
Sven
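As an added illustration of the token the post above describes (example code written for this page, not Sven's plugin and not TeamCity's or GCP's code), the following Go program mints an RS256-signed identity JWT with the claims a federation endpoint checks (iss, sub, aud, iat, exp), renders the public signing key as the JWK entry the relying party needs, and shows the verification a relying party performs. The issuer URL, subject format, key id and audience are constructed placeholders; GCP's real audience and trust configuration must come from its Workload Identity Federation documentation. Using the standard library only, so it runs offline.

```go
package main

import (
	"crypto"
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
	"encoding/base64"
	"encoding/json"
	"errors"
	"fmt"
	"math/big"
	"strings"
	"time"
)

// Claims is the minimal claim set a CI identity token carries (RFC 7519 names).
type Claims struct {
	Iss string `json:"iss"` // who minted the token (the CI server)
	Sub string `json:"sub"` // which build/project is speaking
	Aud string `json:"aud"` // the single relying party allowed to accept it
	Iat int64  `json:"iat"`
	Exp int64  `json:"exp"`
}

func b64url(b []byte) string { return base64.RawURLEncoding.EncodeToString(b) }

// MintToken signs the claims with RS256 (RSASSA-PKCS1-v1_5 over SHA-256).
func MintToken(key *rsa.PrivateKey, kid string, c Claims) (string, error) {
	header, _ := json.Marshal(map[string]string{"alg": "RS256", "typ": "JWT", "kid": kid})
	payload, err := json.Marshal(c)
	if err != nil {
		return "", err
	}
	signingInput := b64url(header) + "." + b64url(payload)
	digest := sha256.Sum256([]byte(signingInput))
	sig, err := rsa.SignPKCS1v15(rand.Reader, key, crypto.SHA256, digest[:])
	if err != nil {
		return "", err
	}
	return signingInput + "." + b64url(sig), nil
}

// PublicJWK renders the signing key as the JWK entry a relying party reads from
// the issuer's JWKS document (or that is registered with it out of band).
func PublicJWK(pub *rsa.PublicKey, kid string) map[string]string {
	e := big.NewInt(int64(pub.E)).Bytes()
	return map[string]string{"kty": "RSA", "use": "sig", "alg": "RS256", "kid": kid,
		"n": b64url(pub.N.Bytes()), "e": b64url(e)}
}

// VerifyToken is the relying-party side: pin the algorithm, check the signature
// against the issuer's public key, then check issuer, audience and expiry.
func VerifyToken(pub *rsa.PublicKey, token, wantIss, wantAud string, now time.Time) (*Claims, error) {
	parts := strings.Split(token, ".")
	if len(parts) != 3 {
		return nil, errors.New("malformed token")
	}
	var hdr struct {
		Alg string `json:"alg"`
	}
	hb, err := base64.RawURLEncoding.DecodeString(parts[0])
	if err != nil || json.Unmarshal(hb, &hdr) != nil {
		return nil, errors.New("bad header")
	}
	if hdr.Alg != "RS256" { // never let the token choose its own algorithm ("none", HS256, ...)
		return nil, fmt.Errorf("unexpected alg %q", hdr.Alg)
	}
	sig, err := base64.RawURLEncoding.DecodeString(parts[2])
	if err != nil {
		return nil, errors.New("bad signature encoding")
	}
	digest := sha256.Sum256([]byte(parts[0] + "." + parts[1]))
	if err := rsa.VerifyPKCS1v15(pub, crypto.SHA256, digest[:], sig); err != nil {
		return nil, errors.New("signature verification failed")
	}
	pb, err := base64.RawURLEncoding.DecodeString(parts[1])
	if err != nil {
		return nil, errors.New("bad payload encoding")
	}
	var c Claims
	if err := json.Unmarshal(pb, &c); err != nil {
		return nil, err
	}
	if c.Iss != wantIss {
		return nil, fmt.Errorf("issuer %q not trusted", c.Iss)
	}
	if c.Aud != wantAud {
		return nil, fmt.Errorf("audience %q does not match", c.Aud)
	}
	if !now.Before(time.Unix(c.Exp, 0)) {
		return nil, errors.New("token expired")
	}
	return &c, nil
}

func main() {
	key, _ := rsa.GenerateKey(rand.Reader, 2048) // in a real server this key lives in the server's key store
	now := time.Now()
	claims := Claims{
		Iss: "https://teamcity.example.internal",       // hypothetical issuer URL
		Sub: "project:Example:buildType:Deploy",         // constructed subject format
		Aud: "https://example-federation.invalid/pool", // placeholder audience
		Iat: now.Unix(), Exp: now.Add(5 * time.Minute).Unix(), // short-lived on purpose
	}
	tok, err := MintToken(key, "build-key-1", claims)
	if err != nil {
		panic(err)
	}
	jwk, _ := json.Marshal(PublicJWK(&key.PublicKey, "build-key-1"))
	fmt.Println("token:", tok)
	fmt.Println("jwk:", string(jwk))
	got, err := VerifyToken(&key.PublicKey, tok, claims.Iss, claims.Aud, now)
	fmt.Printf("verified sub=%q err=%v\n", got.Sub, err)
}
```

The point of the design: the build never sees a long-lived secret, only a token that is bound to one audience and expires in minutes, and the relying party trusts it solely because the signature checks out against the issuer's published public key, which is why the algorithm pin and the audience check in VerifyToken are not optional.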
Thank you for the details. Did you already consider HashiCorp Vault for storing the tokens, keys, etc.? https://www.jetbrains.com/help/teamcity/2024.07/hashicorp-vault.html
It is considered more secure than having the keys stored as the parameters.
Regarding the OIDC auth workflow support, I recommend that you create a feature request and describe your scenario in our issue tracker: https://youtrack.jetbrains.com/issues/TW. It might be added to our roadmap in the future.
Best regards,
Anton
Hi Anton,
Yes, but we don't want to use Vault as there is a much better solution with OIDC and JWT.
Thanks for the hint to your issue tracker. I opened this issue: https://youtrack.jetbrains.com/issue/TW-89221/Support-OIDC-leveraging-JSON-Web-Tokens-JWT
Best regards,
Sven
Great, thank you for your contribution!
Best regards,
Anton
Fwiw, I created a plugin that creates the described JWT: https://github.com/muffl0n/teamcity-jwt-plugin/blob/main/jwt-plugin-server
It's still a POC so I'm happy about any feedback!