feat:(oidc) derive audience claim from client_id in IdentityToken

[SequeI]

Summary

Resolves #1401

This change updates the OIDC identity token handling to derive the audience (aud) claim from the provided client_id and defaulting to _DEFAULT_CLIENT_ID elsewise. Essentially mimicking Fulcio config behaviour

hatch run python -m sigstore --trust-config trust_config.json sign \
--oidc-client-id=<ClientID> \
--oauth-force-oob --overwrite --verbose test.txt

hatch run python -m sigstore --trust-config trust_config.json verify identity \
--cert-identity=<Identity> --cert-oidc-issuer <customIssuer> --verbose test.txt

Signed and verified using a custom Sigstore instance alongside a custom OIDC client and all worked.

Release Note

• derive audience claim from client_id in IdentityToken

Documentation

None

[jku]

Like I mentioned I'm not fully versed on this oidc business but this makes sense to me.

• IdentityToken is public so adding a constructor argument is a minor api change
• this IdentityToken change seems to have broken some tests

[SequeI]

Huh, I had to do a bunch of linting changes to make it pass. I assume it was bumped recently or something. Odd.

[jku]

The check-readme lint is annoying, sorry about that: the result depends slightly on specific Python version if I recall correctly: if you get a different result locally with make check-readme, I think the best you can do is to try to copy-paste the result that the CI expects: https://github.com/sigstore/sigstore-python/actions/runs/15303271381/job/43098226519.

test/unit/test_oidc.py seems to still have several cases of IdentityToken() that need to be updated to the new API (unless a default value is added for client_id there as well).

[jku]

if you get a different result locally with make check-readme, I think the best you can do is to try to copy-paste the result that the CI expects: https://github.com/sigstore/sigstore-python/actions/runs/15303271381/job/43098226519.

Actually, now that --oidc-client-id default does not change... I wouldn't expect required changes in README anymore at all.

[SequeI]

Made some changes, hopefully it passes ci..... Also tested with our own private OIDC aud claim and works as it should.

[SequeI]

I was looking at the wrong detect_credentials() since one is just a wrapper for the id.detect_credentials 😅

[woodruffw]

/gcbrun

[woodruffw]

I think this (and the uses below) can be removed now that we have a proper kwarg default in place, right?

[woodruffw]

Thanks @SequeI! This looks good to me; one last test nitpick and we're good to go 🙂

[woodruffw]

/gcbrun

[woodruffw]

Thanks @SequeI!

[SequeI]

@woodruffw Huh, the commit failed some tests. Seems like the regular CI skips all ambient credential tests on PR's for some reason. Is there some easy way to test this locally so I can fix my mistake? (Since I caused it 😅 )