https://github.com/octopusdeploy/teamcity-oidc-plugin

# TeamCity OIDC Plugin

A TeamCity plugin that turns your TeamCity server into an OIDC identity provider, enabling workload identity federation with cloud services — no static credentials required.

When a build starts, the plugin issues a signed JWT and injects it as the masked build parameter `jwt.token`. Cloud providers (AWS, Azure, GCP, Octopus Deploy) verify the token against the plugin's public JWKS endpoint and grant access based on the claims it contains. No secrets need to be stored in TeamCity or on the build agent.

## Requirements

- TeamCity 2025.11+
- The TeamCity server root URL must be configured as `https://`
- Configure a custom encryption key via TeamCity's `TEAMCITY_ENCRYPTION_KEYS` environment variable (strongly recommended). Without it, the plugin's private signing keys are only obfuscated on disk: anyone with read access to a data-directory backup can recover them and forge tokens that every cloud account configured to trust this TeamCity server will accept. See [Key Management](docs/key-management.md#key-storage-and-encryption).

## Installation

Copy the plugin zip into the `plugins/` directory of the TeamCity data directory and restart TeamCity.

## Setup

1. Add the **OIDC Identity Token** build feature to a build configuration.
2. Configure the audience (`aud`) to match what your cloud provider expects.
3. In your cloud provider, register your TeamCity server as a trusted OIDC issuer (the provider fetches the signing keys from the plugin's JWKS endpoint) and restrict which tokens it accepts with conditions on the token's claims, at minimum the audience from step 2.
4. Reference the token in build steps as `%jwt.token%`.
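The issuance and verification flow described in the introduction, together with setup steps 2 and 3, played end to end in Go as an added example. This is not the plugin's own code and not any cloud provider's verifier: the issuer URL `https://teamcity.example.com`, the key id `teamcity-key-1`, the audience `sts.amazonaws.com`, the minimal claim set (`iss`, `aud`, `exp`) and the functions `publishJWKS`, `mintToken`, `verifyToken` and `RunScenario` are assumptions made for illustration; the claims the plugin actually issues are listed in the Configuration Reference. The relying-party check pins the algorithm, finds the key by `kid`, verifies the signature, and only then evaluates the claims. The scenario then exercises the three refusals a trust relationship depends on: wrong audience, a token signed with a key that is not in the JWKS, and an expired token.

```go
package main

import (
	"crypto"
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
	"encoding/base64"
	"encoding/json"
	"fmt"
	"math/big"
	"strings"
	"time"
)

var b64 = base64.RawURLEncoding
// Constructed example values: use your own TeamCity root URL (https:// only) and the audience your provider expects.
const issuer, keyID, awsAud = "https://teamcity.example.com", "teamcity-key-1", "sts.amazonaws.com"
// jwk is the subset of an RSA JSON Web Key needed for RS256; claims is what the relying party checks.
type jwk struct {
	N string `json:"n"`
	E string `json:"e"`
}
type claims struct {
	Iss string `json:"iss"`
	Aud string `json:"aud"` // modelled as a single string; RFC 7519 also allows an array
	Exp int64  `json:"exp"`
}
func digest(s string) []byte { d := sha256.Sum256([]byte(s)); return d[:] } // SHA-256 of the JWT signing input

// publishJWKS is the issuer side: the public half of the signing key, keyed by kid the way a verifier indexes the JWKS list.
func publishJWKS(kid string, pub *rsa.PublicKey) map[string]jwk {
	return map[string]jwk{kid: {N: b64.EncodeToString(pub.N.Bytes()), E: b64.EncodeToString(big.NewInt(int64(pub.E)).Bytes())}}
}

// mintToken is the issuer side: RS256-sign the claims and return the compact JWT.
func mintToken(kid string, priv *rsa.PrivateKey, c claims) string {
	hdr, _ := json.Marshal(map[string]string{"alg": "RS256", "typ": "JWT", "kid": kid})
	body, _ := json.Marshal(c)
	input := b64.EncodeToString(hdr) + "." + b64.EncodeToString(body)
	sig, err := rsa.SignPKCS1v15(rand.Reader, priv, crypto.SHA256, digest(input))
	if err != nil {
		panic(err) // only fails on a broken key or RNG
	}
	return input + "." + b64.EncodeToString(sig)
}

// verifyToken is the relying-party side: pin the algorithm, look up the JWKS key named by kid, check the signature, and only then check iss, aud and exp.
func verifyToken(tok string, keys map[string]jwk, wantIss, wantAud string, now time.Time) (*claims, error) {
	parts := strings.Split(tok, ".")
	var hdr struct{ Alg, Kid string }
	if raw, err := b64.DecodeString(parts[0]); len(parts) != 3 || err != nil || json.Unmarshal(raw, &hdr) != nil {
		return nil, fmt.Errorf("malformed token")
	}
	if hdr.Alg != "RS256" { // the token never gets to choose a weaker algorithm, least of all "none"
		return nil, fmt.Errorf("unsupported alg %q", hdr.Alg)
	}
	k, ok := keys[hdr.Kid]
	n, errN := b64.DecodeString(k.N)
	e, errE := b64.DecodeString(k.E)
	if !ok || errN != nil || errE != nil {
		return nil, fmt.Errorf("no usable key with kid %q in JWKS", hdr.Kid)
	}
	pub := &rsa.PublicKey{N: new(big.Int).SetBytes(n), E: int(new(big.Int).SetBytes(e).Int64())}
	sig, err := b64.DecodeString(parts[2])
	if err != nil || rsa.VerifyPKCS1v15(pub, crypto.SHA256, digest(parts[0]+"."+parts[1]), sig) != nil {
		return nil, fmt.Errorf("signature does not verify against the JWKS")
	}
	var c claims // claims are decoded only after the signature holds
	if raw, err := b64.DecodeString(parts[1]); err != nil || json.Unmarshal(raw, &c) != nil {
		return nil, fmt.Errorf("bad payload")
	}
	switch {
	case c.Iss != wantIss:
		return nil, fmt.Errorf("issuer %q is not the trusted TeamCity server", c.Iss)
	case c.Aud != wantAud:
		return nil, fmt.Errorf("audience %q is not %q", c.Aud, wantAud)
	case !now.Before(time.Unix(c.Exp, 0)):
		return nil, fmt.Errorf("token expired")
	}
	return &c, nil
}

// RunScenario plays both sides: TeamCity mints a token and publishes its JWKS, the cloud provider accepts it, then three tokens that must be refused are presented.
func RunScenario() map[string]bool {
	priv, _ := rsa.GenerateKey(rand.Reader, 2048)
	keys := publishJWKS(keyID, &priv.PublicKey)
	now := time.Unix(1700000000, 0) // fixed clock so the run is reproducible
	c := claims{Iss: issuer, Aud: awsAud, Exp: now.Add(10 * time.Minute).Unix()}
	tok := mintToken(keyID, priv, c)
	_, errOK := verifyToken(tok, keys, issuer, awsAud, now)
	_, errAud := verifyToken(tok, keys, issuer, "other-provider.example", now) // Setup step 2: aud must match
	// Without TeamCity's signing key an attacker can copy claims and kid but not the signature; with the key (e.g. from an unencrypted backup) this forgery would pass.
	attacker, _ := rsa.GenerateKey(rand.Reader, 2048)
	_, errForged := verifyToken(mintToken(keyID, attacker, c), keys, issuer, awsAud, now)
	_, errExp := verifyToken(tok, keys, issuer, awsAud, now.Add(time.Hour)) // same token, after exp
	return map[string]bool{"accepted": errOK == nil, "wrong_aud_rejected": errAud != nil, "forged_rejected": errForged != nil, "expired_rejected": errExp != nil}
}
```

`RunScenario` returns all four outcomes as true. The forgery case is the one to read against the Requirements section: the verifier passes or fails purely on who holds the private key that matches the published JWKS, so a signing key recoverable from a data-directory backup is equivalent to a valid token for every trusting cloud account.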

## Screenshot

![OIDC Identity Token build feature](docs/images/screenshot-build-features.png)

## Documentation

- [How It Works](docs/how-it-works.md) — JWT issuance lifecycle, OIDC token verification flow, Test Connection
- [Configuration Reference](docs/configuration.md) — build feature fields, token claims, cloud provider setup guides
- [Key Management](docs/key-management.md) — key rotation, storage, and encryption at rest
- [Development](docs/development.md) — building the plugin, plugin architecture

## License

Licensed under the [Apache License, Version 2.0](LICENSE).

This plugin is provided "AS IS", without warranty of any kind. The plugin issues JWTs that grant access to cloud resources — you are solely responsible for reviewing its suitability for your environment, securing your TeamCity instance, and configuring trust relationships in your cloud providers appropriately. See the LICENSE file for the full disclaimer of warranty and limitation of liability.