Generate JWT token for OIDC authentication

How can I generate JWT tokens for OIDC authentication in a build job in TeamCity?

In GitLab it works like this: https://docs.gitlab.com/ee/ci/secrets/id_token_authentication.html

There we use it to authenticate to GCP, leveraging its “Workload Identity Federation”. Now we want to do the same with our on-premises TeamCity installation.

Unfortunately I found nothing in the documentation and I'm getting the feeling that we're out of luck and we'll have to write a custom plugin.

0
6 comments
Hi,

I don't think there is such functionality. Could you give me more details on the scenario you'd like to achieve? I might be able to provide some alternatives.

Best regards,
Anton
0

Hi Anton,

thanks for your reply!

Currently our builds in TeamCity authenticate to GCP with service account keys that are configured as secret parameters in the build jobs.

For obvious reasons this solution is insecure and does not scale so we need to get rid of authentication by key and use authentication by identity.

Our favourite solution would be the mentioned authentication with OIDC leveraging JWT, called “Workload Identity Federation” in GCP. We already use this in Gitlab and it works like a charm. So we'd like to implement the same behaviour in TeamCity.

I already tried to write a plugin that provides a build feature which generates and supplies the appropriate JWT to the builds. But so far I only succeeded in generating the JWT in a standalone program but had no luck in crafting the plugin.

I could push the code to a repository, maybe this helps in understanding what needs to be done.

Best regards,
Sven

0
Hi Sven,

Thank you for the details. Did you already consider HashiCorp Vault for storing the tokens, keys, etc.? https://www.jetbrains.com/help/teamcity/2024.07/hashicorp-vault.html
It is considered more secure than having the keys stored as the parameters.

Regarding the OIDC auth workflow support, I recommend that you create a feature request and describe your scenario in our issue tracker: https://youtrack.jetbrains.com/issues/TW. It might be added to our roadmap in the future.

Best regards,
Anton
0

Hi Anton,

> Did you already consider HashiCorp Vault for storing the tokens, keys, etc.?

Yes, but we don't want to use Vault as there is a much better solution with OIDC and JWT.

Thanks for the hint to your issue tracker. I opened this issue: https://youtrack.jetbrains.com/issue/TW-89221/Support-OIDC-leveraging-JSON-Web-Tokens-JWT

Best regards,
Sven

0
Dear Sven,

Great, thank you for your contribution!

Best regards,
Anton
0

Fwiw, I created a plugin that creates the described JWT: https://github.com/muffl0n/teamcity-jwt-plugin/blob/main/jwt-plugin-server

It's still a POC so I'm happy about any feedback!

0
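The flow this thread circles around (Sven's standalone JWT generation and the later plugin POC) written out end to end, as an added example that is not code from the thread, from the muffl0n plugin or from TeamCity: the CI server mints an RS256-signed ID token for a build, publishes the matching public key as a JWKS, and the relying party (GCP Workload Identity Federation in the thread) verifies signature, issuer, audience and validity window before it maps the token to an identity. The issuer URL, the audience string, the key id `k1` and the `build:<name>` subject format are assumed placeholders, and the in-process key generation stands in for the long-lived server key a real plugin would hold.

```go
package main

import (
	"crypto"
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
	"encoding/base64"
	"encoding/json"
	"errors"
	"fmt"
	"math/big"
	"strings"
	"time"
)

// Claims is the claim set a relying party such as GCP Workload Identity Federation checks.
type Claims struct {
	Iss string `json:"iss"`
	Sub string `json:"sub"`
	Aud string `json:"aud"`
	Iat int64  `json:"iat"`
	Exp int64  `json:"exp"`
}

// Constructed issuer and pool-provider audience: placeholders, not real values.
const issuer, audience = "https://teamcity.example.internal", "https://iam.googleapis.com/projects/0/locations/global/workloadIdentityPools/ci/providers/teamcity"
var enc, dec = base64.RawURLEncoding.EncodeToString, base64.RawURLEncoding.DecodeString

// MintRS256 is the server side (what a TeamCity plugin would do): sign the claims with the server key.
func MintRS256(key *rsa.PrivateKey, kid string, c Claims) (string, error) {
	header, _ := json.Marshal(map[string]string{"alg": "RS256", "typ": "JWT", "kid": kid})
	payload, _ := json.Marshal(c) // plain strings and ints cannot fail to marshal
	signingInput := enc(header) + "." + enc(payload)
	digest := sha256.Sum256([]byte(signingInput))
	sig, err := rsa.SignPKCS1v15(rand.Reader, key, crypto.SHA256, digest[:])
	if err != nil {
		return "", err
	}
	return signingInput + "." + enc(sig), nil
}

// JWKS is the public key set the issuer publishes for the relying party; the private half never leaves the server.
func JWKS(pub *rsa.PublicKey, kid string) []byte {
	jwk := map[string]string{"kty": "RSA", "kid": kid, "n": enc(pub.N.Bytes()), "e": enc(big.NewInt(int64(pub.E)).Bytes())}
	out, _ := json.Marshal(map[string]any{"keys": []map[string]string{jwk}})
	return out
}

// VerifyRS256 mirrors the relying-party checks: pin alg, select key by kid, verify signature, then iss/aud/time.
func VerifyRS256(token string, jwks []byte, wantIss, wantAud string, now time.Time) (Claims, error) {
	parts := strings.Split(token, ".")
	if len(parts) != 3 {
		return Claims{}, errors.New("malformed token")
	}
	rawHdr, errH := dec(parts[0])
	rawClaims, errC := dec(parts[1])
	sig, errS := dec(parts[2])
	if errH != nil || errC != nil || errS != nil {
		return Claims{}, errors.New("bad base64url segment")
	}
	var hdr struct{ Alg, Kid string } // encoding/json matches "alg"/"kid" case-insensitively
	var set struct{ Keys []struct{ Kid, N, E string } }
	if json.Unmarshal(rawHdr, &hdr) != nil || json.Unmarshal(jwks, &set) != nil {
		return Claims{}, errors.New("bad header or JWKS")
	}
	if hdr.Alg != "RS256" { // the token must never choose the algorithm ("none", HS256 confusion)
		return Claims{}, errors.New("unexpected alg " + hdr.Alg)
	}
	var pub *rsa.PublicKey
	for _, k := range set.Keys {
		n, errN := dec(k.N)
		e, errE := dec(k.E)
		if k.Kid == hdr.Kid && errN == nil && errE == nil {
			pub = &rsa.PublicKey{N: new(big.Int).SetBytes(n), E: int(new(big.Int).SetBytes(e).Int64())}
		}
	}
	if pub == nil {
		return Claims{}, errors.New("no usable key for kid " + hdr.Kid)
	}
	digest := sha256.Sum256([]byte(parts[0] + "." + parts[1]))
	if rsa.VerifyPKCS1v15(pub, crypto.SHA256, digest[:], sig) != nil {
		return Claims{}, errors.New("bad signature")
	}
	var c Claims
	if json.Unmarshal(rawClaims, &c) != nil {
		return Claims{}, errors.New("bad claims")
	}
	if c.Iss != wantIss || c.Aud != wantAud || now.Unix() < c.Iat || now.Unix() >= c.Exp {
		return Claims{}, errors.New("issuer, audience or validity window rejected")
	}
	return c, nil
}

func main() {
	key, _ := rsa.GenerateKey(rand.Reader, 2048) // a real server keeps this key long-lived and protected
	now := time.Now()
	tok, _ := MintRS256(key, "k1", Claims{Iss: issuer, Sub: "build:Deploy_Prod", Aud: audience, Iat: now.Unix(), Exp: now.Add(5 * time.Minute).Unix()})
	_, err := VerifyRS256(tok, JWKS(&key.PublicKey, "k1"), issuer, audience, now)
	fmt.Println("verified:", err == nil, err)
}
```

The two checks that make this safer than a shared service account key are the ones the verifier refuses to relax: the audience is bound to one specific workload identity pool provider, so a token minted for one pool is useless against another, and the header's `alg` is pinned rather than trusted, so a token cannot downgrade the verification. Short `exp` windows (GitLab's ID tokens behave the same way) limit what a leaked token is worth.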
