Bitbucket Pipelines now supports multiple audiences in OIDC claims, so you can extend the suite of resource servers your pipelines integrate with without storing credentials in Bitbucket.

Multiple audiences allow you to use a single identity token across multiple resources for cleaner, simpler workflows.

Customising your audiences

To customise your audiences, declare them under the oidc → audiences list, either globally under options or on an individual step, as shown in the example below:

options:
  oidc:
    audiences:
      - https://your.service0.com
      - https://your.service1.com

pipelines:
  default:
    - step:
        oidc:
          audiences:
            - https://your.service0.com
            - https://your.service1.com
        script:
          ...

Limitations:

  • Maximum of 10 audiences
  • Maximum audience name length: 150 characters.

What is OpenID Connect (OIDC)

OIDC provides an Access Token in addition to the ID Token, and it is the Access Token that is used to authorise at the Resource Server or API.

Here is how they work together:

  • ID Token: The client application uses this to verify who the user is (authentication) — in our case, it’s the pipeline. The token is read and validated by the client application.
  • Access Token: This is the token the client presents to a separate Resource Server (API) to prove it has permission to access specific data (authorisation).

Role of Audience `aud` in OIDC

The audience is the claim in the Access Token identified by the `aud` key. Resource servers must check that their own identifier appears in the `aud` claim to confirm the token was issued for them, and must reject the token if it does not.

Why multiple audiences unlock flexible integrations

Multiple audiences allow us to avoid the need to obtain separate access tokens for each individual API or resource server.
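The two sections above describe what a resource server must do with the `aud` claim: accept the token only if its own identifier is present, and, with multiple audiences, accept an array that lists several resource servers. The following is an added example of that receiving-side check, written for this page and not taken from Bitbucket's code. It assumes the token's signature has already been verified against the issuer's published JWKS (done elsewhere, not shown here), uses the two audience URLs from the configuration above, and constructs its own sample issuer URL and token; the `aud` handling follows RFC 7519, which allows the claim to be either a single string or an array of strings.

```python
"""Resource-server side claim checks for an OIDC token with one or many audiences.

Constructed example for illustration. Signature verification against the
issuer's JWKS is assumed to have happened before these checks run; a token
whose signature has not been verified must never reach this code.
"""
import base64
import json
import time
from typing import Any, Optional, Tuple

# Audiences taken from the pipeline configuration on this page.
AUDIENCE_0 = "https://your.service0.com"
AUDIENCE_1 = "https://your.service1.com"

# Constructed issuer URL; the real value comes from the token issuer's discovery document.
SAMPLE_ISSUER = "https://issuer.example/oidc"

# Constructed payload: a token minted for two resource servers at once.
SAMPLE_PAYLOAD = {
    "iss": SAMPLE_ISSUER,
    "sub": "constructed-pipeline-subject",
    "aud": [AUDIENCE_0, AUDIENCE_1],
    "iat": 1_700_000_000,
    "exp": 1_700_000_600,
}


def _b64url(data: bytes) -> str:
    """base64url without padding, as used in compact JWT serialisation."""
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def make_unsigned_sample_token(payload: dict) -> str:
    """Build a compact JWT shape for the sample only. The third segment is a
    placeholder, because signature verification is outside this example."""
    header = _b64url(json.dumps({"alg": "RS256", "typ": "JWT"}).encode())
    body = _b64url(json.dumps(payload).encode())
    return f"{header}.{body}.PLACEHOLDER-SIGNATURE"


SAMPLE_TOKEN = make_unsigned_sample_token(SAMPLE_PAYLOAD)


def decode_payload(token: str) -> dict:
    """Return the JSON payload of a compact JWT (header.payload.signature).
    This does NOT verify the signature; that must already have been done."""
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("not a compact JWT")
    seg = parts[1] + "=" * (-len(parts[1]) % 4)  # restore base64url padding
    return json.loads(base64.urlsafe_b64decode(seg))


def audience_matches(aud_claim: Any, expected: str) -> bool:
    """RFC 7519 section 4.1.3: `aud` is a single string or an array of strings.
    Accept only if our own identifier is among them. A missing or malformed
    claim is a rejection, never a pass, so a token minted for other services
    cannot be replayed against this one."""
    if isinstance(aud_claim, str):
        return aud_claim == expected
    if isinstance(aud_claim, list):
        return all(isinstance(a, str) for a in aud_claim) and expected in aud_claim
    return False


def validate_claims(
    payload: dict, expected_aud: str, expected_iss: str, now: Optional[float] = None
) -> Tuple[bool, str]:
    """Claim checks a resource server performs after signature verification.
    `now` is injectable so the checks are deterministic in tests."""
    now = time.time() if now is None else now
    if payload.get("iss") != expected_iss:
        return False, "issuer mismatch"
    if not audience_matches(payload.get("aud"), expected_aud):
        return False, "audience mismatch"
    exp = payload.get("exp")
    if not isinstance(exp, (int, float)) or now >= exp:
        return False, "token expired or missing exp"
    return True, "ok"


if __name__ == "__main__":
    claims = decode_payload(SAMPLE_TOKEN)
    for service in (AUDIENCE_0, AUDIENCE_1, "https://unrelated.example"):
        print(service, validate_claims(claims, service, SAMPLE_ISSUER, now=1_700_000_100))
```

Both `service0` and `service1` accept the same token because each finds its own identifier in the `aud` array, while an unrelated service rejects it; that is the behaviour the multiple-audience feature relies on, and the rejection path is what keeps a token issued for one integration from being presented to another.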

Learn more about OIDC and integrating pipelines with resource servers here:

Bitbucket Pipelines OIDC now supports multiple audiences