OIDC Tokens
You can use OIDC to authenticate Mint with third-party services. In general, you should use OIDC when it's available as it is more secure than generating access tokens which could be lost or stolen.
To use OIDC, you will need to configure the token in the Mint Vault UI.
After setting the name and audience in the UI you will be able to reference the token in workflows like this:
${{ vaults.your_vault.oidc.your_token_name }}
If you're using OIDC for deployment, you'll most likely want to configure the OIDC token in a locked vault. For more details, see the documentation on vaults.
Specific Documentation for Relying Parties
We've written guides to authenticate from Mint to some of the most popular services using OIDC.
Claims
If you're a service looking to validate a Mint OIDC token, we set the following claims.
| claim | name | description |
|---|---|---|
| iss | issuer | Will always be https://cloud.rwx.com/mint |
| sub | subject | Identifies the vault, in the format of mint:{organization uuid}:{vault name} |
| aud | audience | The audience configured for the token in the Vault |
| exp | expiration time | The time that the token expires as an integer |
| iat | issued time | The time that the token was issued as an integer |
| run_id | run id | The ID of the Mint run that generated the token |
| run_url | run url | The URL for the Mint run that generated the token |
| task_id | task id | The ID of the Mint task that generated the token |
| task_url | task url | the URL for the Mint task that generated the token |