OIDC - Mic92/niks3 GitHub Wiki

OIDC Authentication

niks3 supports OIDC authentication for CI/CD systems like GitHub Actions and GitLab CI, allowing secure token-based authentication without static secrets.

Configuration File

Create a JSON configuration file:

{
  "providers": {
    "github": {
      "issuer": "https://token.actions.githubusercontent.com",
      "audience": "https://niks3.example.com",
      "bound_claims": {
        "repository_owner": ["myorg"]
      },
      "bound_subject": ["repo:myorg/*:*"]
    }
  }
}

Options:

  • issuer: OIDC provider URL (required)
  • audience: Expected audience claim - typically your niks3 server URL (required)
  • bound_claims: Claims that must match (optional, supports glob patterns with * and ?)
  • bound_subject: Subject patterns that must match (optional, supports glob patterns)
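To make the matching rules concrete, here is an added Go example (not code from niks3 itself) that loads the JSON configuration above and checks a token's claims against it. It assumes the token's signature has already been verified against the issuer's published keys, which a real server must do before trusting any claim; it also simplifies `aud` to a single string and implements glob matching where `*` matches any run of characters (including `/` and `:`) and `?` matches exactly one. Those matching semantics and the `checkClaims` function are this example's own assumptions, not documented niks3 behaviour.

```go
package main

import (
	"encoding/json"
	"fmt"
)

// providerConfig mirrors one entry under "providers" in the JSON file.
type providerConfig struct {
	Issuer       string              `json:"issuer"`
	Audience     string              `json:"audience"`
	BoundClaims  map[string][]string `json:"bound_claims"`
	BoundSubject []string            `json:"bound_subject"`
}

type oidcConfig struct {
	Providers map[string]providerConfig `json:"providers"`
}

// sampleConfig is the configuration shown on this page, embedded for a
// self-contained run.
const sampleConfig = `{
  "providers": {
    "github": {
      "issuer": "https://token.actions.githubusercontent.com",
      "audience": "https://niks3.example.com",
      "bound_claims": { "repository_owner": ["myorg"] },
      "bound_subject": ["repo:myorg/*:*"]
    }
  }
}`

func loadConfig(data []byte) (oidcConfig, error) {
	var cfg oidcConfig
	err := json.Unmarshal(data, &cfg)
	return cfg, err
}

// globMatch: '*' matches any run of characters (including '/' and ':'),
// '?' matches exactly one character. Constructed semantics, assumed here.
func globMatch(pattern, s string) bool {
	if pattern == "" {
		return s == ""
	}
	switch pattern[0] {
	case '*':
		for i := 0; i <= len(s); i++ { // '*' consumes zero or more characters
			if globMatch(pattern[1:], s[i:]) {
				return true
			}
		}
		return false
	case '?':
		return s != "" && globMatch(pattern[1:], s[1:])
	default:
		return s != "" && s[0] == pattern[0] && globMatch(pattern[1:], s[1:])
	}
}

func anyMatch(patterns []string, value string) bool {
	for _, p := range patterns {
		if globMatch(p, value) {
			return true
		}
	}
	return false
}

// checkClaims applies issuer, audience, bound_claims and bound_subject to a
// set of already signature-verified claims. nil means the token is accepted.
func checkClaims(cfg providerConfig, claims map[string]string) error {
	if claims["iss"] != cfg.Issuer {
		return fmt.Errorf("issuer %q != configured %q", claims["iss"], cfg.Issuer)
	}
	if claims["aud"] != cfg.Audience {
		return fmt.Errorf("audience %q != configured %q", claims["aud"], cfg.Audience)
	}
	for name, patterns := range cfg.BoundClaims {
		v, ok := claims[name]
		if !ok {
			return fmt.Errorf("required claim %q missing", name)
		}
		if !anyMatch(patterns, v) {
			return fmt.Errorf("claim %s=%q matches none of %v", name, v, patterns)
		}
	}
	if len(cfg.BoundSubject) > 0 && !anyMatch(cfg.BoundSubject, claims["sub"]) {
		return fmt.Errorf("subject %q matches none of %v", claims["sub"], cfg.BoundSubject)
	}
	return nil
}

func main() {
	cfg, err := loadConfig([]byte(sampleConfig))
	if err != nil {
		panic(err)
	}
	gh := cfg.Providers["github"]
	// Constructed claim sets, not real GitHub tokens.
	accepted := map[string]string{"iss": gh.Issuer, "aud": gh.Audience,
		"repository_owner": "myorg", "sub": "repo:myorg/niks3:ref:refs/heads/main"}
	rejected := map[string]string{"iss": gh.Issuer, "aud": gh.Audience,
		"repository_owner": "other", "sub": "repo:other/niks3:ref:refs/heads/main"}
	fmt.Println("accepted:", checkClaims(gh, accepted))
	fmt.Println("rejected:", checkClaims(gh, rejected))
}
```

Note that both `bound_claims` and `bound_subject` are enforced: a token whose `repository_owner` is correct but whose `sub` comes from a differently named repository path is still rejected, which is why pinning the subject pattern is worth doing in addition to the owner claim.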

Server Configuration

niks3-server --api-token-path /path/to/token --oidc-config /path/to/oidc.json

OIDC works alongside the static API token. The API token is always required for GC and admin operations.

NixOS Module

{
  services.niks3 = {
    enable = true;
    # ... other configuration ...

    oidc.providers = {
      github = {
        issuer = "https://token.actions.githubusercontent.com";
        audience = "https://niks3.example.com";
        boundClaims = {
          repository_owner = [ "myorg" ];
        };
        boundSubject = [ "repo:myorg/*:*" ];
      };
    };
  };
}

Supported Providers

Provider          Issuer URL
GitHub Actions    https://token.actions.githubusercontent.com
GitLab CI         https://gitlab.com (or self-hosted URL)
Google Cloud      https://accounts.google.com

CI/CD Integration