The OIDC token has no power in GCP on its own. The runner posts it to Google's Security Token Service, which validates it against the Workload Identity Federation provider and returns a short-lived federated access token — GCP's way of saying it now recognizes this identity. It is not the service account's token yet.
- STS validates the OIDC token — it fetches Forgejo's public
keys at
https://forgejo.authlab.app/api/actions/.well-known/keysand checks the signature, audience, and expiry. - STS returns a federated access token — short-lived and opaque. It proves GCP trusts the identity, but it is not the service account's token yet.
Call sequence
One request leaves the runner — but STS calls your issuer to verify the token before it mints anything. Hover a step for detail.
What STS validates
STS checks the OIDC token before it mints anything. Hover a claim for why.
audience signature Result
A short-lived federated access token (3599s). It proves GCP trusts the identity — but it is not the service account's token.
Step 3 trades it for the SA's access token via impersonation.