Description
Currently, joining the Directory federation requires manual creation of join tokens, which limits accessibility and scalability. We want to enable any user to authenticate and join the federation—even from a local machine—using standard OIDC identity providers (GitHub, Google, etc.).
```text
┌─────────────────┐     ┌─────────────────┐     ┌──────────────────┐     ┌─────────────────┐
│  OIDC Provider  │     │   SPIRE Agent   │     │   SPIRE Server   │     │    Directory    │
│    (GitHub)     │     │   (User Node)   │     │                  │     │                 │
└────────┬────────┘     └────────┬────────┘     └────────┬─────────┘     └────────┬────────┘
         │                       │                       │                        │
         │   1. Get OIDC token   │                       │                        │
         │◄──────────────────────│                       │                        │
         │                       │                       │                        │
         │ 2. Present token for  │                       │                        │
         │   node attestation    │                       │                        │
         │                       │──────────────────────►│                        │
         │                       │                       │                        │
         │                       │     3. Issue SVID     │                        │
         │                       │◄──────────────────────│                        │
         │                       │                       │                        │
         │                       │          4. Join federation with SVID          │
         │                       │───────────────────────────────────────────────►│
```
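The security-critical step in the flow above is 2: the SPIRE side must validate the presented OIDC token before any SVID is issued, because a token that is accepted on the strength of its own claims would let whoever minted it attest as a node. The Go program below is an added illustration, not code from the Directory or SPIRE projects, of the checks such a node attestor has to perform on an RS256 ID token: pinned algorithm, signing key looked up by `kid` from a configured set, signature over header and payload, and only then issuer, audience and expiry. The issuer URL, audience string, key id, subject and claims are constructed placeholders; `SignToken` stands in for the provider so the example runs offline (in production the public keys come from the provider's JWKS endpoint and the attestor never holds a signing key).

```go
package main

import (
	"crypto"
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
	"encoding/base64"
	"encoding/json"
	"fmt"
	"strings"
	"time"
)

// Constructed placeholders; a deployment uses the provider's real issuer URL
// and an audience value reserved for this SPIRE server.
const Issuer, Audience = "https://oidc-provider.example", "spire-server"

// Claims is the subset of ID-token claims the attestor checks ("aud" is
// treated as a single string here; OIDC also allows an array).
type Claims struct {
	Iss string `json:"iss"`
	Sub string `json:"sub"`
	Aud string `json:"aud"`
	Exp int64  `json:"exp"`
}

// SignToken mints an RS256 JWT. It stands in for the OIDC provider (step 1)
// so the example runs offline; a real attestor never holds the signing key.
func SignToken(key *rsa.PrivateKey, kid string, c Claims) (string, error) {
	hdr, _ := json.Marshal(map[string]string{"alg": "RS256", "typ": "JWT", "kid": kid})
	body, _ := json.Marshal(c)
	input := base64.RawURLEncoding.EncodeToString(hdr) + "." + base64.RawURLEncoding.EncodeToString(body)
	sum := sha256.Sum256([]byte(input))
	sig, err := rsa.SignPKCS1v15(rand.Reader, key, crypto.SHA256, sum[:])
	if err != nil {
		return "", err
	}
	return input + "." + base64.RawURLEncoding.EncodeToString(sig), nil
}

// Verify performs the checks an attestor must run before trusting the token's
// subject (step 2): pinned algorithm, known signing key, valid signature, and
// only then issuer, audience and expiry.
func Verify(token, issuer, audience string, keys map[string]*rsa.PublicKey) (*Claims, error) {
	parts := strings.Split(token, ".")
	if len(parts) != 3 {
		return nil, fmt.Errorf("malformed token")
	}
	hb, err1 := base64.RawURLEncoding.DecodeString(parts[0])
	pb, err2 := base64.RawURLEncoding.DecodeString(parts[1])
	sig, err3 := base64.RawURLEncoding.DecodeString(parts[2])
	if err1 != nil || err2 != nil || err3 != nil {
		return nil, fmt.Errorf("token parts are not base64url")
	}
	var hdr struct{ Alg, Kid string }
	if err := json.Unmarshal(hb, &hdr); err != nil {
		return nil, fmt.Errorf("bad header: %w", err)
	}
	// The token never gets to choose the algorithm ("none", HMAC) and only a
	// configured key id is accepted; nothing is fetched on the token's say-so.
	pub, ok := keys[hdr.Kid]
	if hdr.Alg != "RS256" || !ok {
		return nil, fmt.Errorf("unsupported alg %q or unknown kid %q", hdr.Alg, hdr.Kid)
	}
	sum := sha256.Sum256([]byte(parts[0] + "." + parts[1]))
	if err := rsa.VerifyPKCS1v15(pub, crypto.SHA256, sum[:], sig); err != nil {
		return nil, fmt.Errorf("signature verification failed")
	}
	var c Claims // claims are interpreted only after the signature is known good
	if err := json.Unmarshal(pb, &c); err != nil {
		return nil, fmt.Errorf("bad claims: %w", err)
	}
	switch {
	case c.Iss != issuer:
		return nil, fmt.Errorf("unexpected issuer %q", c.Iss)
	case c.Aud != audience: // minted for another relying party; must not attest here
		return nil, fmt.Errorf("unexpected audience %q", c.Aud)
	case c.Exp <= time.Now().Unix():
		return nil, fmt.Errorf("token expired")
	}
	return &c, nil
}

func main() {
	key, err := rsa.GenerateKey(rand.Reader, 2048) // constructed provider key
	if err != nil {
		panic(err)
	}
	keys := map[string]*rsa.PublicKey{"kid-1": &key.PublicKey}
	good := Claims{Iss: Issuer, Sub: "example-user", Aud: Audience, Exp: time.Now().Unix() + 300}
	wrongAud := good
	wrongAud.Aud = "other-service"
	for name, c := range map[string]Claims{"valid": good, "wrong-audience": wrongAud} {
		tok, _ := SignToken(key, "kid-1", c)
		_, err := Verify(tok, Issuer, Audience, keys)
		fmt.Printf("%-14s -> accepted=%v err=%v\n", name, err == nil, err)
	}
}
```

The audience check is what stops a token the user obtained for some other service from being replayed against the SPIRE server, so the attestor should register a dedicated audience value with the provider. What the verified `sub` maps to (the SPIFFE ID the agent receives in step 3) is a policy decision on the server side and is not shown here.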
Goals
- Remove manual join token provisioning
- Enable self-service federation onboarding
- Support GitHub OIDC provider (later we can explore AWS, Google, Azure AD)
Status: In Progress