Entra ID OICDIssuer cannot return boolean claims in IDToken

[ProbstenHias]

Hi guys👋,

We are currently in the process of setting up my own sigstore with scaffold.
As our oidc issuer we want to use a custom application in Azure Entra ID.

In entra id you have to set up custom claims to return fields like email and email_validated. Unfortunately these claims cannot have a boolean value, but are either numbers or string.

For that reason when we try to sign with cosign the GetIDToken method in the oauthflow/flow.go method returns the error:

(main.go:74: error during command execution: signing [...]: getting signer: getting key from Fulcio: retrieving cert: json: cannot unmarshal string into Go struct field claims.email_verified of type bool)

I would do the implementation of allowing both string and boolean values for email_validated if there are no concerns why this should not be done.

I would propose using a custom Unmarshal that allows both bool and str, or making the Verified field an interface.

Thanks 😄

[bobcallaway]

https://openid.net/specs/openid-connect-core-1_0.html#StandardClaims shows email_verified as a boolean.... so should a bug be opened to make Entra compliant with the spec?

[haydentherapper]

sigstore/fulcio#1744 should fix.