
OIDC

Using OIDC tokens allows your CI jobs to authenticate with emulator.wtf without storing API tokens as secrets in your CI config. Instead of an API token, your CI provider (GitHub, CircleCI, etc.) creates a temporary signed OIDC token. This reduces key exfiltration and misconfiguration risk and removes the need for API token rotation.

To enable OIDC, you’ll need owner-level access to emulator.wtf. Create a new configuration on the OIDC configurations page and note down the OIDC configuration ID value; you’ll need it later when setting up your CI configuration. Depending on the CI provider, you can limit access to emulator.wtf to specific accounts, repositories or branches.
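The following is an added example, not emulator.wtf's own code: it sketches how a relying party can map account, repository and branch restrictions onto the claims of a GitHub Actions OIDC token whose signature has already been verified. The issuer URL and claim names are GitHub's; the audience value, the policy and the sample claims are assumptions constructed for illustration.

```python
import fnmatch
import time

# Real GitHub Actions issuer; the audience is a placeholder, not emulator.wtf's value.
GITHUB_ISSUER = "https://token.actions.githubusercontent.com"
EXPECTED_AUDIENCE = "https://example.invalid/ci-auth"

# Hypothetical policy mirroring "accounts, repositories or branches".
POLICY = {
    "owners": ["acme"],
    "repositories": ["acme/android-*"],
    "refs": ["refs/heads/main", "refs/heads/release/*"],
}


def authorize(claims, policy=POLICY, now=None):
    """Return (allowed, reason) for claims whose signature is already verified."""
    now = time.time() if now is None else now
    if claims.get("iss") != GITHUB_ISSUER:
        return False, "unexpected issuer"
    aud = claims.get("aud")
    audiences = aud if isinstance(aud, list) else [aud]
    if EXPECTED_AUDIENCE not in audiences:
        return False, "wrong audience"
    exp = claims.get("exp")
    if not isinstance(exp, (int, float)) or exp <= now:
        return False, "token expired"
    # Each policy list is matched against one claim of the CI-issued token.
    checks = (
        ("owners", "repository_owner"),
        ("repositories", "repository"),
        ("refs", "ref"),
    )
    for key, claim in checks:
        value = claims.get(claim)
        if not isinstance(value, str) or not any(
            fnmatch.fnmatchcase(value, pat) for pat in policy[key]
        ):
            return False, f"{claim} not allowed"
    return True, "ok"


# Constructed sample claims, shaped like a GitHub Actions OIDC token payload.
SAMPLE = {
    "iss": GITHUB_ISSUER, "aud": EXPECTED_AUDIENCE, "exp": 2_000_000_000,
    "repository_owner": "acme", "repository": "acme/android-app",
    "ref": "refs/heads/main",
}
```

Because the token is short-lived and bound to the job's repository and ref, a token minted by a fork or an unapproved branch fails these checks even though its signature is valid.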

Configuring OIDC

Follow one of the following guides to set up OIDC authentication depending on your CI provider:

If you are missing a CI provider here, have any issues or questions, let us know at support@emulator.wtf.


Info

Why is there an OIDC configuration ID and is it considered secret?

By providing emulator.wtf an OIDC configuration ID at authentication time, you prove ownership of the repository and the associated CI job.

We don’t consider the OIDC configuration ID a secret, but it may still be prudent to use your CI provider’s secrets facility to configure it. We definitely don’t recommend checking it in together with the code itself. For additional flexibility, it’s better to use CI parameters or environment variables, if not outright secrets.