10 releases (5 breaking)

0.6.3 Feb 6, 2026
0.6.1 Jan 26, 2026
0.6.0 Dec 8, 2025
0.4.0 Nov 28, 2025


BSD-3-Clause

160KB
3K SLoC

sigstore-oidc

OpenID Connect identity provider for sigstore-rust.

Overview

This crate handles OIDC (OpenID Connect) authentication for Sigstore's keyless signing flow. It supports obtaining identity tokens from various OIDC providers, which are then used to request short-lived signing certificates from Fulcio.

Features

  • OAuth 2.0 Authorization Code Flow with PKCE: Secure authentication via browser or out-of-band code entry
  • Browser auto-open (requires browser feature): Automatically opens the browser for a seamless OAuth flow with local redirect server
  • Out-of-band fallback: When the browser can't open (or browser feature is disabled), prompts the user to manually visit the URL and enter the verification code
  • Ambient credentials: Automatic detection of CI/CD environment tokens
  • Token parsing: OIDC token validation and claim extraction
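As an added illustration of the PKCE flow the features above describe (this is not code from sigstore-oidc), the following Python sketches the client side: a verifier/challenge pair, the authorization URL that the browser is opened on or that the OOB prompt shows, and the state check on the local redirect before the code is redeemed. Endpoint, redirect URI and client_id values are constructed placeholders.

```python
import base64
import hashlib
import secrets
import urllib.parse

# Constructed placeholders; the page does not state sigstore-oidc's real endpoints.
AUTHORIZE_URL = "https://issuer.example.invalid/auth"
REDIRECT_URI = "http://127.0.0.1:0/auth/callback"

def b64url_nopad(data: bytes) -> str:
    # RFC 7636 wants unpadded base64url for both verifier and challenge
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")

def make_code_verifier() -> str:
    # 32 random bytes encode to 43 unreserved chars, the RFC 7636 minimum length
    return b64url_nopad(secrets.token_bytes(32))

def code_challenge_s256(verifier: str) -> str:
    # S256: base64url(SHA-256(ASCII(code_verifier)))
    return b64url_nopad(hashlib.sha256(verifier.encode("ascii")).digest())

def build_authorization_url(client_id: str, verifier: str, state: str) -> str:
    # The URL the browser is opened on, or printed for the user in OOB mode
    params = {
        "response_type": "code",
        "client_id": client_id,
        "redirect_uri": REDIRECT_URI,
        "scope": "openid email",
        "state": state,
        "code_challenge": code_challenge_s256(verifier),
        "code_challenge_method": "S256",
    }
    return AUTHORIZE_URL + "?" + urllib.parse.urlencode(params)

def extract_code(callback_url: str, expected_state: str) -> str:
    # Validate the redirect reaching the local server before redeeming the code;
    # the state check binds the callback to the flow this process started.
    query = urllib.parse.parse_qs(urllib.parse.urlsplit(callback_url).query)
    if "error" in query:
        raise ValueError(f"provider returned error: {query['error'][0]}")
    got_state = query.get("state", [""])[0]
    if not secrets.compare_digest(got_state.encode(), expected_state.encode()):
        raise ValueError("state mismatch: callback does not belong to this flow")
    if "code" not in query:
        raise ValueError("callback carries no authorization code")
    return query["code"][0]

def provider_checks_verifier(verifier: str, stored_challenge: str) -> bool:
    # What the token endpoint does when the code is redeemed with code_verifier
    return secrets.compare_digest(code_challenge_s256(verifier), stored_challenge)
```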

Cargo Features

  • rustls (default) - Use rustls for TLS connections.
  • native-tls - Use the platform's native TLS implementation instead of rustls.
  • browser (default) - Enables automatic browser opening during authentication. Adds the open dependency. Without this feature, OOB (out-of-band) mode is used.

Ambient credential detection

Ambient OIDC credentials are detected automatically in CI systems like GitHub. See ambient-id for the list of supported environments and the details of how each is used.

Usage

use sigstore_oidc::{get_identity_token, IdentityToken};

// Wrapped in a function so the snippet compiles as-is; the boxed error type is an
// assumption for illustration, not a statement of the crate's own error type.
async fn obtain_token() -> Result<IdentityToken, Box<dyn std::error::Error>> {
    // Opens browser (with `browser` feature) or prompts for manual code entry
    let token: IdentityToken = get_identity_token().await?;
    Ok(token)
}

The sigstore-sign crate provides end-to-end signing examples:

# Sign a blob
cargo run -p sigstore-sign --example sign_blob -- artifact.txt -o artifact.sigstore.json

# Sign a conda package attestation
cargo run -p sigstore-sign --example sign_attestation -- package.conda -o package.sigstore.json

The sigstore-verify crate provides verification examples:

# Verify a bundle
cargo run -p sigstore-verify --example verify_bundle -- artifact.txt artifact.sigstore.json

# Verify a conda package attestation
cargo run -p sigstore-verify --example verify_conda_attestation -- package.conda attestation.sigstore.json

License

BSD-3-Clause

Dependencies

~93MB
~2M SLoC