OIDC Integrations

Using OpenID Connect Tokens

OpenID Connect (OIDC) allows your deployments to exchange short-lived tokens directly from your cloud provider. env0 provides an OIDC token (JWT) as an environment variable. A deployment can use this to access compatible cloud services without a long-lived credential stored in env0.

Enabling OIDC Token Availability

A JWT token can be made available during deployment as an environment variable called ENV0_OIDC_TOKEN.
Organization admins enable this feature by toggling the related checkbox in the organization's Policies tab.

Setting Up Your 3rd Party Service Integration

Consult your 3rd party service’s documentation for how to add an identity provider.
For example, Vault’s JWT Authentication, or AWS’s Creating OpenID Connect (OIDC) identity providers.

The OIDC token is unique to your organization. The custom claims attached to the token contain your organization ID. You can find your env0 organization ID by navigating to the Organization Settings page in our web app and copying the UUID from the URL.

In addition, the OpenID Connect ID tokens issued by env0 have a fixed audience (see aud in the table below).

Format of the OpenID Connect ID token

The OpenID Connect ID token contains the following standard claims.

iss: The issuer. The issuer is specific to env0 and the value is https://login.app.env0.com/
sub: The subject. It contains the user ID that represents your organization's OIDC user. If you would like to obtain this ID, please contact us.
aud: The audience. This is a fixed string array value containing URLs that identify the env0 app domain: https://prod.env0.com
iat: The time of issuance. This is when the token was created, which is shortly before the deployment starts.
exp: The expiration time. Its value is 24 hours after the time of issuance.

The OpenID Connect ID token also contains some additional custom claims that you should validate:

https://env0.com/apiKeyType: The value is oidc. Validate this claim so that only JWTs of type oidc are accepted.
https://env0.com/organization: Unique organization ID (deprecated, use https://env0.com/organizationId instead)
https://env0.com/organizationId: Unique organization ID
https://env0.com/projectId: Unique project ID
https://env0.com/templateId: Unique template ID
https://env0.com/templateName: Template name
https://env0.com/environmentId: Unique environment ID
https://env0.com/environmentName: Environment name
https://env0.com/workspaceName: Workspace name
https://env0.com/deploymentLogId: Unique deployment ID
https://env0.com/deployerEmail: Email of the person who triggered the deployment

JWT Verification

JWT signatures will be verified against public keys from the issuer.
A JSON Web Key Set (JWKS) URL should be configured on your 3rd party service side.
Keys will be fetched from this endpoint during authentication.
Our JWKS URL is: <https://login.app.env0.com/.well-known/jwks.json>
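The claim checks described above, as an added example that is not part of env0's documentation or tooling: it decodes a token's payload and validates the issuer, audience, lifetime, apiKeyType and organization claims against the values from the tables. Signature verification against the JWKS URL is assumed to be done first by your JWT library; the organization ID and the sample token are constructed placeholders.

```python
import base64
import json
import time

# Fixed values taken from the env0 claim tables above.
ENV0_ISSUER = "https://login.app.env0.com/"
ENV0_AUDIENCE = "https://prod.env0.com"
CLAIM_PREFIX = "https://env0.com/"

def _b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()

def decode_payload(token: str) -> dict:
    """Return the JWT payload as a dict. This does NOT verify the signature: verify it
    against the env0 JWKS with your JWT library before trusting any of these claims."""
    _header, payload, _signature = token.split(".")
    return json.loads(base64.urlsafe_b64decode(payload + "=" * (-len(payload) % 4)))

def validate_env0_claims(claims: dict, expected_org_id: str, now=None) -> list:
    """Return the names of failed checks; an empty list means the claims are acceptable."""
    now = time.time() if now is None else now
    problems = []
    if claims.get("iss") != ENV0_ISSUER:
        problems.append("iss")
    aud = claims.get("aud", [])
    if ENV0_AUDIENCE not in (aud if isinstance(aud, list) else [aud]):
        problems.append("aud")
    if not isinstance(claims.get("exp"), (int, float)) or claims["exp"] <= now:
        problems.append("exp")
    if not isinstance(claims.get("iat"), (int, float)) or claims["iat"] > now:
        problems.append("iat")
    if claims.get(CLAIM_PREFIX + "apiKeyType") != "oidc":
        problems.append("apiKeyType")
    # Prefer organizationId; the bare organization claim is deprecated.
    org = claims.get(CLAIM_PREFIX + "organizationId", claims.get(CLAIM_PREFIX + "organization"))
    if org != expected_org_id:
        problems.append("organizationId")
    return problems

# Constructed sample: an unsigned token shaped like an env0 deployment token.
SAMPLE_ORG_ID = "00000000-0000-0000-0000-000000000000"  # placeholder, not a real org ID
SAMPLE_CLAIMS = {
    "iss": ENV0_ISSUER, "sub": "auth0|example-user", "aud": [ENV0_AUDIENCE],
    "iat": 1700000000, "exp": 1700000000 + 24 * 3600,
    CLAIM_PREFIX + "apiKeyType": "oidc", CLAIM_PREFIX + "organizationId": SAMPLE_ORG_ID,
}
SAMPLE_TOKEN = ".".join([_b64url(json.dumps({"alg": "RS256", "typ": "JWT"}).encode()),
                         _b64url(json.dumps(SAMPLE_CLAIMS).encode()), ""])
```

Services such as Vault perform these checks for you through bound_audiences and bound_claims; the function above shows what a custom verifier has to cover.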

Authentication Example - Vault

In this example, we use the Custom Flows feature to create a new Vault role that validates and handles env0's JWTs.
For this simple example to work, inject the following additional environment variables into your deployment: VAULT_ROLE_NAME, VAULT_NAMESPACE, VAULT_ADDR, and VAULT_TOKEN.
Note how ENV0_OIDC_TOKEN is used to log in to Vault.

version: 1

deploy:
  steps:
    setupVariables:
      after:
        # Create (or update) a Vault JWT role that accepts env0 deployment tokens.
        # The command is written as a block scalar (|) so the heredoc body stays part of
        # this single step; lines at column 0 would otherwise break the YAML.
        # $ENV0_ORGANIZATION_ID must hold your env0 organization ID (the UUID from the
        # Organization Settings URL). The https://env0.com/organization claim is deprecated
        # in favour of https://env0.com/organizationId (see the claims table above).
        - |
          ./vault write auth/jwt/role/"${VAULT_ROLE_NAME}" - <<EOF
          {
            "user_claim": "sub",
            "role_type": "jwt",
            "bound_audiences": [
              "https://prod.env0.com",
              "https://env0.auth0.com/userinfo"
            ],
            "bound_claims": {
              "https://env0.com/organization": "$ENV0_ORGANIZATION_ID",
              "https://env0.com/apiKeyType": "oidc"
            }
          }
          EOF
        # Log in to Vault with the short-lived token env0 injects into the deployment.
        - ./vault write auth/jwt/login role="${VAULT_ROLE_NAME}" jwt="${ENV0_OIDC_TOKEN}"