~/cred-visualizer

Exchange for a federated token

The OIDC token has no power in GCP on its own. The runner posts it to Google's Security Token Service, which validates it against the Workload Identity Federation provider and returns a short-lived federated access token — GCP's way of saying it now recognizes this identity. It is not the service account's token yet.

what actually happens
  • STS validates the OIDC token — it fetches Forgejo's public keys at https://forgejo.authlab.app/api/actions/.well-known/keys and checks the signature, audience, and expiry.
  • STS returns a federated access token — short-lived and opaque. It proves GCP trusts the identity, but it is not the service account's token yet.
input · from step 1
oidc jwt eyJhbGciOiJSUzI1NiIsIm…ic-use decode in step 1 →

Call sequence

One request leaves the runner — but STS calls your issuer to verify the token before it mints anything. Hover a step for detail.

runner forgejo ci STS sts.googleapis.com issuer forgejo.authlab.app 1 POST /token 2 GET discovery 3 GET JWKS 4 200 · federated
step 4 · STS returns
ya29.c.REDACTED-federated-access-token-not-valid-for-use
token_type: Bearer expires_in: 3599s opaque — not a JWT

What STS validates

STS checks the OIDC token before it mints anything. Hover a claim for why.

audience
request.audience token.aud
signature
token.sig issuer JWKS

Result

A short-lived federated access token (3599s). It proves GCP trusts the identity — but it is not the service account's token.

Step 3 trades it for the SA's access token via impersonation.