[META] OIDC federation roadmap for Warehouse · Issue #12465 · pypi/warehouse

This is a meta-issue tracking the different strands of development and design work for Warehouse's use of OIDC.

Goals

There are two high-level goals for Warehouse's OIDC work:

  1. Enable "OIDC macaroon minting" for a handful of CI providers, enabling users to configure trusted repositories via OIDC instead of manually provisioning API tokens
  2. Add support for an OIDC IdP to PyPI, allowing it to become its own identity provider for ecosystems like Sigstore

Task 2 is tracked separately under #12466. No longer planned.

Task 1: OIDC macaroon minting

This task has two subtasks: core OIDC support work, and individual support for each CI provider's OIDC IdP.

Core OIDC support work

The core work required for OIDC JWT consumption is tracked under https://github.com/pypi/warehouse/projects/4, and is almost entirely complete (but currently disabled via a feature flag). Some of the key work included additional models and services for OIDC state management, as well as a general refactor of Warehouse's AuthN/AuthZ layers to use Pyramid 2.0-style APIs.

Core refs:

GitHub OIDC macaroon minting

This is also tracked under https://github.com/pypi/warehouse/projects/4.

Core refs:

Once #11272 is merged, this will be functionally complete (but again, disabled via a feature flag).

One sidecar feature is OIDC tokens from reusable workflows. This is tracked in #11096.
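To make the minting flow above concrete, here is an added example that is not Warehouse's own code: a CI provider signs an OIDC JWT, and the Warehouse side verifies signature, algorithm, issuer, audience and lifetime before matching the claims against a registered trusted publisher and issuing a short-lived, project-scoped upload credential (a simplified stand-in for the macaroon). It assumes a shared HMAC key in place of the provider's published RS256 keys, constructed registrations, and that Warehouse binds on GitHub's `repository` and `job_workflow_ref` claims.

```python
import base64, hashlib, hmac, json, secrets

# Constructed demo values, not PyPI's real configuration. A shared HMAC key stands in
# for the provider's published RS256 keys (JWKS) so the example runs offline.
DEMO_KEY = b"constructed-demo-signing-key"
EXPECTED_ISS = "https://token.actions.githubusercontent.com"
EXPECTED_AUD = "pypi"
# Trusted-publisher registrations: project -> claims a presented JWT must match.
# Claim names follow GitHub's documented OIDC token; which ones Warehouse binds is assumed.
TRUSTED_PUBLISHERS = {
    "example-project": {"repository": "example-org/example-repo",
                        "job_workflow_ref": "example-org/example-repo/.github/workflows/release.yml@refs/heads/main"},
}

def _b64u(raw: bytes) -> str:
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode()

def _unb64u(s: str) -> bytes:
    return base64.urlsafe_b64decode(s + "=" * (-len(s) % 4))

def make_demo_jwt(claims: dict) -> str:
    """Constructed CI-side helper: sign the claims with the demo key (HS256)."""
    head = _b64u(json.dumps({"alg": "HS256", "typ": "JWT"}).encode())
    body = _b64u(json.dumps(claims).encode())
    sig = hmac.new(DEMO_KEY, f"{head}.{body}".encode(), hashlib.sha256).digest()
    return f"{head}.{body}.{_b64u(sig)}"

def verify_oidc_jwt(token: str, now: float) -> dict:
    """Warehouse-side checks: algorithm, signature, issuer, audience, lifetime."""
    head, body, sig = token.split(".")
    if json.loads(_unb64u(head)).get("alg") != "HS256":  # never accept alg=none
        raise ValueError("unexpected alg")
    want = hmac.new(DEMO_KEY, f"{head}.{body}".encode(), hashlib.sha256).digest()
    if not hmac.compare_digest(want, _unb64u(sig)):
        raise ValueError("bad signature")
    claims = json.loads(_unb64u(body))
    if claims.get("iss") != EXPECTED_ISS or claims.get("aud") != EXPECTED_AUD:
        raise ValueError("wrong issuer or audience")
    if not (claims.get("nbf", 0) <= now < claims.get("exp", 0)):
        raise ValueError("token not yet valid or expired")
    return claims

def mint_upload_token(claims: dict, now: float, ttl: int = 900) -> dict:
    """Exchange verified claims for a short-lived, project-scoped upload credential."""
    for project, required in TRUSTED_PUBLISHERS.items():
        if all(claims.get(k) == v for k, v in required.items()):
            return {"project": project, "expires": int(now) + ttl,
                    "token": "pypi-demo-" + secrets.token_urlsafe(16)}
    raise PermissionError("no trusted publisher matches these claims")
```

A token from a repository that is not registered verifies cryptographically but mints nothing, which is the property that lets a trusted publisher replace a long-lived API token.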

Adjacent tasks

Separately from these two tasks, there are also issues tracking usability/UX changes that the OIDC work would benefit from.

Core refs:
CircleCI trusted publishing

This is still in the planning phase.

Google trusted publishing

This is tracked under #13551.

GitLab trusted publishing

This is tracked under #13575.