Adds Support for Fulcio Client Credentials Flow, and Argument to Set Flow Explicitly

cmd/cosign/cli/attest.go

@@ -74,6 +74,7 @@ func Attest() *cobra.Command {
 				Slot:                     o.SecurityKey.Slot,
 				FulcioURL:                o.Fulcio.URL,
 				IDToken:                  o.Fulcio.IdentityToken,
+				FulcioAuthFlow:           o.Fulcio.AuthFlow,
 				InsecureSkipFulcioVerify: o.Fulcio.InsecureSkipFulcioVerify,
 				RekorURL:                 o.Rekor.URL,
 				OIDCIssuer:               o.OIDC.Issuer,

cmd/cosign/cli/attest_blob.go

@@ -61,6 +61,7 @@ func AttestBlob() *cobra.Command {
 				Slot:                     o.SecurityKey.Slot,
 				FulcioURL:                o.Fulcio.URL,
 				IDToken:                  o.Fulcio.IdentityToken,
+				FulcioAuthFlow:           o.Fulcio.AuthFlow,
 				InsecureSkipFulcioVerify: o.Fulcio.InsecureSkipFulcioVerify,
 				RekorURL:                 o.Rekor.URL,
 				OIDCIssuer:               o.OIDC.Issuer,

cmd/cosign/cli/fulcio/fulcio.go

@@ -38,9 +38,10 @@ import (
 )
 
 const (
-	flowNormal = "normal"
-	flowDevice = "device"
-	flowToken  = "token"
+	flowNormal            = "normal"
+	flowDevice            = "device"
+	flowToken             = "token"
+	flowClientCredentials = "client_credentials"
 )
 
 type oidcConnector interface {
@@ -89,6 +90,8 @@ func getCertForOauthID(sv signature.SignerVerifier, fc api.LegacyClient, connect
 func GetCert(_ context.Context, sv signature.SignerVerifier, idToken, flow, oidcIssuer, oidcClientID, oidcClientSecret, oidcRedirectURL string, fClient api.LegacyClient) (*api.CertificateResponse, error) {
 	c := &realConnector{}
 	switch flow {
+	case flowClientCredentials:
+		c.flow = oauthflow.NewClientCredentialsFlow(oidcIssuer)
 	case flowDevice:
 		c.flow = oauthflow.NewDeviceFlowTokenGetterForIssuer(oidcIssuer)
 	case flowNormal:

cmd/cosign/cli/options/fulcio.go

@@ -24,6 +24,7 @@ const DefaultFulcioURL = "https://fulcio.sigstore.dev"
 // FulcioOptions is the wrapper for Fulcio related options.
 type FulcioOptions struct {
 	URL                      string
+	AuthFlow                 string
 	IdentityToken            string
 	InsecureSkipFulcioVerify bool
 }
@@ -39,6 +40,9 @@ func (o *FulcioOptions) AddFlags(cmd *cobra.Command) {
 	cmd.Flags().StringVar(&o.IdentityToken, "identity-token", "",
 		"identity token to use for certificate from fulcio. the token or a path to a file containing the token is accepted.")
 
+	cmd.Flags().StringVar(&o.AuthFlow, "fulcio-auth-flow", "",
+		"fulcio interactive oauth2 flow to use for certificate from fulcio. Defaults to determining the flow based on the runtime environment. (options) normal|device|token|client_credentials")
+
 	cmd.Flags().BoolVar(&o.InsecureSkipFulcioVerify, "insecure-skip-verify", false,
 		"skip verifying fulcio published to the SCT (this should only be used for testing).")
 }

cmd/cosign/cli/sign.go

@@ -110,6 +110,7 @@ race conditions or (worse) malicious tampering.
 				Slot:                           o.SecurityKey.Slot,
 				FulcioURL:                      o.Fulcio.URL,
 				IDToken:                        o.Fulcio.IdentityToken,
+				FulcioAuthFlow:                 o.Fulcio.AuthFlow,
 				InsecureSkipFulcioVerify:       o.Fulcio.InsecureSkipFulcioVerify,
 				RekorURL:                       o.Rekor.URL,
 				OIDCIssuer:                     o.OIDC.Issuer,

cmd/cosign/cli/signblob.go

@@ -75,6 +75,7 @@ func SignBlob() *cobra.Command {
 				Slot:                           o.SecurityKey.Slot,
 				FulcioURL:                      o.Fulcio.URL,
 				IDToken:                        o.Fulcio.IdentityToken,
+				FulcioAuthFlow:                 o.Fulcio.AuthFlow,
 				InsecureSkipFulcioVerify:       o.Fulcio.InsecureSkipFulcioVerify,
 				RekorURL:                       o.Rekor.URL,
 				OIDCIssuer:                     o.OIDC.Issuer,