Allow Warehouse to become its own (OIDC) IdP · Issue #12466 · pypi/warehouse
This is broken out from #12465, since it's not closely related to the other engineering work in terms of scope or requirements.
OIDC IdP support for PyPI
This task requires PyPI to become an identity provider (IdP), specifically supporting OAuth2 flows that produce OIDC-compatible JWTs. These OIDC tokens must serve as proof of possession/identity for a given PyPI account.
Core engineering subtasks:
- Dependency review and collection (selecting a high-quality OAuth2/OIDC server library)
- Secret initialization and management (reusing Warehouse's existing Vault infrastructure for the OAuth secrets)
- Core development (building the API endpoints that will handle the OAuth2/OIDC flow and integrating them into PyPI's existing AuthN/AuthZ components)
- Testing and end-user documentation
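As an added, stdlib-only illustration (not Warehouse's code, and not the OAuth2/OIDC library this issue would select), here are the two halves of the flow described above: the IdP minting an OIDC-style ID token for an authenticated PyPI account, and a relying party checking issuer, audience, expiry and signature before trusting it. The issuer URL, the shared secret and the HS256 algorithm are constructed assumptions; a real IdP would sign with an asymmetric key and publish the public half via a JWKS endpoint.

```python
import base64, hashlib, hmac, json

# Constructed values for the example only; not Warehouse's configuration.
ISSUER = "https://pypi.example"          # hypothetical issuer URL
SECRET = b"constructed-demo-secret"      # stand-in for a Vault-managed signing key

def _b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()

def _b64url_decode(s: str) -> bytes:
    return base64.urlsafe_b64decode(s + "=" * (-len(s) % 4))

def mint_id_token(username: str, audience: str, now: int, ttl: int = 600) -> str:
    """IdP side: assert that `username` authenticated, scoped to one audience and a short lifetime."""
    header = {"alg": "HS256", "typ": "JWT"}
    claims = {"iss": ISSUER, "sub": username, "aud": audience, "iat": now, "exp": now + ttl}
    signing_input = f"{_b64url(json.dumps(header).encode())}.{_b64url(json.dumps(claims).encode())}"
    sig = hmac.new(SECRET, signing_input.encode(), hashlib.sha256).digest()
    return f"{signing_input}.{_b64url(sig)}"

def verify_id_token(token: str, expected_aud: str, now: int) -> dict:
    """Relying-party side: return the claims only if every check passes, else raise ValueError."""
    try:
        h, c, s = token.split(".")
    except ValueError:
        raise ValueError("malformed token")
    header = json.loads(_b64url_decode(h))
    if header.get("alg") != "HS256":     # pin the algorithm: rejects alg=none and confusion attacks
        raise ValueError("unexpected alg")
    expected = hmac.new(SECRET, f"{h}.{c}".encode(), hashlib.sha256).digest()
    if not hmac.compare_digest(expected, _b64url_decode(s)):  # constant-time comparison
        raise ValueError("bad signature")
    claims = json.loads(_b64url_decode(c))
    if claims.get("iss") != ISSUER:
        raise ValueError("wrong issuer")
    if claims.get("aud") != expected_aud:  # a token for another service is not proof for this one
        raise ValueError("wrong audience")
    if not isinstance(claims.get("exp"), int) or now >= claims["exp"]:
        raise ValueError("expired")
    return claims

def token_is_valid(token: str, expected_aud: str, now: int) -> bool:
    """Boolean wrapper around verify_id_token for callers that only need accept/reject."""
    try:
        verify_id_token(token, expected_aud, now)
        return True
    except ValueError:
        return False
```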