Proposal: GitHub username identities with the GitHub IdP #1283

@woodruffw

Description

Summarizing a thread on Slack:

Currently, when users sign with Sigstore via the GitHub IdP (i.e., federated through Dex), they get an identity token that's bound to the primary email identity for their GitHub account. This is fine in many circumstances, but not fine in others:

  1. Many GitHub users have multiple emails on their accounts, with the "primary" email not reflecting the identity they intend to sign with. For example: work emails, project-specific emails, etc. This can result in surprising scenarios for users; cf. sigstore-python#600 (comment), "Incorrect information in https://www.python.org/download/sigstore/".
  2. Not all GitHub users mark their email address as public, and instead prefer to use one of GitHub's "noreply" aliases. However, signing with Sigstore through the GitHub IdP leaks their primary email; this poses anonymity and privacy concerns.
  3. Conceptually, email identities coming from GitHub's IdP are a little "wonky": GitHub isn't itself an email service provider, so these identities reflect the result of GitHub's trust relationship with an email identity (which, in turn, is probably tied to a conventional email verification flow).

This raises the question: what if Sigstore used GitHub usernames from the GitHub IdP, rather than emails? This presents some advantages, as well as some challenges:

  1. Advantage: (1) and (2) are "resolved" in the sense that there are no emails anymore: users would instead be signing with an identity that looks like woodruffw!github.com.
  2. Advantage: In many contexts, signing with a GitHub username makes more sense than with the user's underlying primary email: GitHub identities more closely track developer identities than emails do, since emails can be reused by companies, etc.
  3. Challenge: How do we communicate this? User identities are a fuzzier concept than emails, and this would be the first instance of Sigstore actually using them (AFAIK).
  4. Challenge: How do we prevent client breakage? Not all clients necessarily support user identities yet.

As noted by @bobcallaway, this would require some changes to Dex (configuration only, possibly): we'd need to switch to useLoginAsID: https://dexidp.io/docs/connectors/github/#configuration

cc @sethmlarson @wlynch @haydentherapper additionally as Slack convo members 🙂
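For reference, the Dex change mentioned above, written out as an added example of a GitHub connector configuration (not taken from the issue or from Sigstore's deployment; the `clientID`, `clientSecret` and `redirectURI` values are placeholders):

```yaml
# Dex GitHub connector (added example; values are placeholders).
# Per the Dex docs, useLoginAsID switches the user ID from the internal
# numeric GitHub id to the user's login/handle. Handles can be renamed by
# the user, so the binding is to "whoever holds this login now", not to the
# account in perpetuity; keep that in mind when deciding what a signature
# identity should mean.
connectors:
  - type: github
    id: github
    name: GitHub
    config:
      clientID: $GITHUB_CLIENT_ID          # placeholder, read from the environment
      clientSecret: $GITHUB_CLIENT_SECRET  # placeholder, read from the environment
      redirectURI: https://dex.example.invalid/callback  # placeholder
      # Default (false): user ID is the numeric GitHub id.
      # Proposed (true): user ID is the GitHub login, e.g. "woodruffw".
      useLoginAsID: true
```

Whether Fulcio then issues a username-based identity rather than the email claim is a separate Fulcio-side question, as the challenges (3) and (4) above note.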
