Description
fulcio does not currently provide a way to authenticate certificate requests using specific OIDC token claim values. As a result, configuring fulcio to trust GitHub's OIDC issuer means fulcio trusts requests from any GitHub Actions pipeline.
Context
This behavior is problematic for users who self-host their own fulcio instances. Self-hosted operators may want to limit requests to particular pipelines (e.g., pipelines belonging to a handful of GitHub organizations).
For example, GitHub Actions' OIDC token contains a repository_owner claim that is set to the name of the pipeline's GitHub organization. If fulcio provided a way to require that the repository_owner claim match certain values, operators could restrict requests to specific GitHub organizations.
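As an added illustration (not fulcio's code, and not the implementation proposed in this issue), the following Go check enforces the kind of repository_owner policy described above. The ClaimPolicy type, the Allowed function and the sample claims are constructed for this example; the claims map is assumed to come from a token whose signature and issuer have already been verified.

```go
package main

import (
	"fmt"
	"regexp"
)

// ClaimPolicy maps an OIDC claim name to a regular expression that the
// claim's value must match in full. Hypothetical type, not fulcio's own.
type ClaimPolicy map[string]string

// Allowed reports whether every claim named in the policy is present in the
// token's claims, is a string, and fully matches its pattern. Patterns are
// anchored so that "acme-corp" cannot match "evil-acme-corp"; an absent or
// non-string claim is rejected rather than treated as a wildcard.
func Allowed(policy ClaimPolicy, claims map[string]interface{}) (bool, error) {
	for name, pattern := range policy {
		re, err := regexp.Compile("^(?:" + pattern + ")$")
		if err != nil {
			return false, fmt.Errorf("claim %q: bad pattern %q: %w", name, pattern, err)
		}
		raw, ok := claims[name]
		if !ok {
			return false, nil // claim missing: deny
		}
		val, ok := raw.(string)
		if !ok {
			return false, nil // claim present but not a string: deny
		}
		if !re.MatchString(val) {
			return false, nil
		}
	}
	return true, nil
}

func main() {
	// Constructed sample: only two GitHub organizations may request certificates.
	policy := ClaimPolicy{"repository_owner": "acme-corp|acme-labs"}
	// Constructed claims resembling a GitHub Actions OIDC token payload.
	claims := map[string]interface{}{
		"iss":              "https://token.actions.githubusercontent.com",
		"repository_owner": "acme-corp",
		"repository":       "acme-corp/widgets",
	}
	ok, err := Allowed(policy, claims)
	fmt.Println(ok, err) // true <nil>
}
```

The anchoring step matters in practice: a regex policy evaluated with a bare substring match would accept any organization name that merely contains the permitted one.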
Possible implementations
In speaking with Bob Callaway and Hayden B. on Slack, they raised the possibility of implementing policies using regex:
Hayden B:
I think the simplest solution would be a regex for accepted subjects on the config -
https://github.com/sigstore/fulcio/blob/main/pkg/config/config.go#L93.
We could limit this just to CIProvider configuration too