OIDC Integrations

Using OpenID Connect Tokens

OpenID Connect (OIDC) lets your deployments exchange a short-lived token for credentials directly with your cloud provider. env0 provides an OIDC token (JWT) as an environment variable. A deployment can use this token to access compatible cloud services without a long-lived credential stored in env0.

Enabling OIDC Token Availability

When this feature is enabled, a JWT is made available during deployment as an environment variable called ENV0_OIDC_TOKEN.
Organization admins can enable it by toggling the related checkbox in the organization's Policies tab.


Setting Up Your 3rd Party Service Integration

Consult your 3rd party service’s documentation for how to add an identity provider.
For example, Vault’s JWT Authentication, or AWS’s Creating OpenID Connect (OIDC) identity providers.

The OIDC token is unique to your organization. The custom claims attached to the token contain your organization ID. You can find your env0 organization ID by navigating to the Organization Settings page in our web app and copying the UUID from the URL.

In addition, the OpenID Connect ID tokens issued by env0 have a fixed audience (see aud in the table below).

Format of the OpenID Connect ID token

The OpenID Connect ID token contains the following standard claims.

Claim  Description

iss    The issuer. The issuer is specific to env0 and its value is https://login.app.env0.com/
sub    The subject. Contains the user ID that represents your organization's OIDC user.
aud    The audience. A fixed string array containing URLs that identify the env0 app domain: [https://prod.env0.com, https://env0.auth0.com/userinfo]
iat    The time of issuance. This is the time the token was created, which is shortly before the deployment starts.
exp    The expiration time. Its value is 24 hours after the time of issuance.

The OpenID Connect ID token also contains some additional custom claims that you should validate:

Additional claim               Description

https://env0.com/organization  Your unique organization ID.
https://env0.com/apiKeyType    The value is oidc. Validate this claim so that only JWTs of type oidc are accepted.

JWT Verification

Your 3rd party service verifies JWT signatures against the issuer's public keys.
Configure a JSON Web Key Set (JWKS) URL on the 3rd party service side; the keys are fetched from this endpoint during authentication.
Our JWKS URL is: https://login.app.env0.com/.well-known/jwks.json
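
As an added example that is not env0's code, the following Go program shows what a relying party such as Vault does with the token described above: it looks the key up by kid in the JWKS, verifies the RS256 signature, and only then checks iss, aud, exp and both custom claims. The signing key, the kid value k1 and the organization UUID are constructed stand-ins; a real integration fetches the JWKS from the URL above instead of building it locally.

```go
package main
import (
	"crypto"; "crypto/rand"; "crypto/rsa"; "crypto/sha256"; "encoding/base64"; "encoding/json"
	"errors"; "fmt"; "math/big"; "strings"; "time"
)

// Expected values for an env0 token, taken from the claim tables on this page.
const issuer, orgClaim, typeClaim = "https://login.app.env0.com/", "https://env0.com/organization", "https://env0.com/apiKeyType"
var enc = base64.RawURLEncoding
type jwks map[string]struct{ N, E string } // kid -> (n, e) of one JWKS entry; normally fetched from jwks.json
func big64(s string) *big.Int { b, _ := enc.DecodeString(s); return new(big.Int).SetBytes(b) }
func digest(s string) []byte  { h := sha256.Sum256([]byte(s)); return h[:] }
func b64json(v any) string    { b, _ := json.Marshal(v); return enc.EncodeToString(b) }
func newKey() *rsa.PrivateKey { k, _ := rsa.GenerateKey(rand.Reader, 2048); return k } // constructed stand-in for env0's signing key
// publish builds the JWKS entry (kid "k1", constructed) that a relying party would otherwise fetch from the issuer.
func publish(pub *rsa.PublicKey) jwks { return jwks{"k1": {enc.EncodeToString(pub.N.Bytes()), enc.EncodeToString(big.NewInt(int64(pub.E)).Bytes())}} }
// mint signs claims as an RS256 JWT: a constructed stand-in for the token env0 exposes as ENV0_OIDC_TOKEN.
func mint(key *rsa.PrivateKey, claims map[string]any) string {
	signing := b64json(map[string]string{"alg": "RS256", "typ": "JWT", "kid": "k1"}) + "." + b64json(claims)
	sig, _ := rsa.SignPKCS1v15(rand.Reader, key, crypto.SHA256, digest(signing))
	return signing + "." + enc.EncodeToString(sig)
}
// verify checks the RS256 signature via kid lookup in the JWKS, then iss, aud, exp and both custom claims.
func verify(tok string, keys jwks, orgID string, now time.Time) error {
	p := strings.Split(tok, ".")
	if len(p) != 3 { return errors.New("malformed token") }
	var hdr struct{ Alg, Kid string }
	if hb, err := enc.DecodeString(p[0]); err != nil || json.Unmarshal(hb, &hdr) != nil || hdr.Alg != "RS256" { return errors.New("bad header or alg") } // refuse alg=none / HS256 before touching any key
	k, ok := keys[hdr.Kid]
	sig, _ := enc.DecodeString(p[2])
	if !ok || rsa.VerifyPKCS1v15(&rsa.PublicKey{N: big64(k.N), E: int(big64(k.E).Int64())}, crypto.SHA256, digest(p[0]+"."+p[1]), sig) != nil { return errors.New("unknown kid or bad signature") }
	var c map[string]any
	if pb, err := enc.DecodeString(p[1]); err != nil || json.Unmarshal(pb, &c) != nil { return errors.New("bad payload") }
	exp, _ := c["exp"].(float64); aud, _ := c["aud"].([]any)
	okAud := false; for _, a := range aud { okAud = okAud || a == "https://prod.env0.com" } // one bound audience must match
	switch {
	case c["iss"] != issuer: return errors.New("wrong issuer")
	case !okAud: return errors.New("wrong audience")
	case now.Unix() >= int64(exp): return errors.New("token expired")
	case c[orgClaim] != orgID: return errors.New("token issued for another organization")
	case c[typeClaim] != "oidc": return errors.New("apiKeyType is not oidc")
	}
	return nil
}

func main() { // constructed demo: a token for one organization verifies for that organization only
	key, now, org := newKey(), time.Now(), "00000000-0000-0000-0000-000000000000" // placeholder org UUID
	claims := map[string]any{"iss": issuer, "sub": "example-oidc-user", "aud": []string{"https://prod.env0.com", "https://env0.auth0.com/userinfo"}, "iat": now.Unix(), "exp": now.Add(24 * time.Hour).Unix(), orgClaim: org, typeClaim: "oidc"}
	fmt.Println(verify(mint(key, claims), publish(&key.PublicKey), org, now), verify(mint(key, claims), publish(&key.PublicKey), "other-org", now))
}
```

The bound_claims in the Vault example below express the same organization and apiKeyType checks declaratively; this code makes explicit what would go wrong if either were omitted.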

Authentication Example - Vault

In this example, we use the Custom Flows feature to create a new role that validates and handles env0's JWTs.
For this simple example to work, inject the following additional environment variables into your deployment: VAULT_ROLE_NAME, VAULT_NAMESPACE, VAULT_ADDR, and VAULT_TOKEN. The role definition also references ENV0_ORGANIZATION_ID, which must hold your organization ID (see above) so that the bound organization claim matches.
Note how ENV0_OIDC_TOKEN is used to log in to Vault.

version: 1

deploy:
  steps:
    setupVariables:
      after:
        # Create or update a JWT role that accepts only env0 OIDC tokens issued for this organization.
        - |
          ./vault write auth/jwt/role/"${VAULT_ROLE_NAME}" - <<EOF
          {
            "user_claim": "sub",
            "role_type": "jwt",
            "bound_audiences": [
              "https://prod.env0.com",
              "https://env0.auth0.com/userinfo"
            ],
            "bound_claims": {
              "https://env0.com/organization": "$ENV0_ORGANIZATION_ID",
              "https://env0.com/apiKeyType": "oidc"
            }
          }
          EOF
        # Log in to Vault with the short-lived OIDC token that env0 injects into the deployment.
        - ./vault write auth/jwt/login role="${VAULT_ROLE_NAME}" jwt="${ENV0_OIDC_TOKEN}"
