OpenID Connect support with the CI JWT token
## Scope

Extend the `CI_JOB_JWT` token to provide generic, customizable OpenID Connect (OIDC) support within GitLab.

### Use cases

- Log in to cloud service providers (AWS, GCP, Azure) from a CI job
- Enable [signed artifacts using Fulcio](https://github.com/sigstore/fulcio/issues/243)

## Consideration

- Discuss which claims need to be customizable and what the default values should be
- Whenever a spec allows for [StringOrURI](https://datatracker.ietf.org/doc/html/rfc7519#section-4.1.1), prefer to go with URI.

## References

- [High-level overview on federated identities](https://www.hackedu.com/blog/analysis-of-common-federated-identity-protocols-openid-connect-vs-oauth-2.0-vs-saml-2.0)
- [JWT spec](https://datatracker.ietf.org/doc/html/rfc7519)

<!-- triage-serverless v3 PLEASE DO NOT REMOVE THIS SECTION -->

*This page may contain information related to upcoming products, features and functionality. It is important to note that the information presented is for informational purposes only, so please do not rely on the information for purchasing or planning purposes. Just like with all projects, the items mentioned on the page are subject to change or delay, and the development, release, and timing of any products, features, or functionality remain at the sole discretion of GitLab Inc.*

<!-- triage-serverless v3 PLEASE DO NOT REMOVE THIS SECTION -->

## Related epic

As each epic can have only a single parent, there might be epics that have a different parent than this one but are still related to it. They are listed below:

- https://gitlab.com/groups/gitlab-org/-/epics/7193+