Closed
Description
Over in #5296 (comment) we released that using Buildkite OIDC tokens with the API Key Roles feature was broken by the addition of a requirement for tokens to have a jti claim.
That's been addressed by Buildkite adding a jti claim to its OIDC tokens, but @segiddins suggested providing an example Buildkite OIDC token that could be used to create a regression test.
Here's a sample, decoded (using the jwt-cli npm package) so the claims are visible, then slightly redacted with example values:
✻ Header
{
"kid": "f4b821837b4edcba56136f22f37ee6969520df23407126cce188d4141c015d68",
"alg": "RS256"
}
✻ Payload
{
"iss": "https://agent.buildkite.com",
"sub": "organization:example-org:pipeline:example-pipeline:ref:refs/heads/main:commit:b5ffe3aeea51cec6c41aef16e45ee6bce47d8810:step:",
"aud": "rubygems.org",
"iat": 1736757460,
"nbf": 1736757460,
"exp": 1736757760,
"jti": "0194b014-8517-7cef-b232-76a827315f08",
"organization_slug": "example-org",
"pipeline_slug": "example-pipeline",
"build_number": 5,
"build_branch": "main",
"build_tag": null,
"build_commit": "b5ffe3aeea51cec6c41aef16e45ee6bce47d8810",
"step_key": null,
"job_id": "01945ecf-80f0-41e8-9b83-a2970a9305a1",
"agent_id": "01945ecf-8bcf-40a6-9d70-a765db9a0928",
"build_source": "ui",
"runner_environment": "buildkite-hosted"
}
Metadata
Metadata
Assignees
Labels
No labels