Hi again 👋
A very cool feature of GCP's Workload Identity Federation is the ability to upload a JWKS file for supporting issuers that are not accessible from the Internet for whatever reasons (compliance, etc.), like a Kubernetes cluster with a private API server/OIDC discovery endpoint (e.g. kind running locally). See the GCP docs for this feature:
https://cloud.google.com/iam/docs/workload-identity-federation#oidc-credential-security
It would be very cool if the trust policy had a field jwks where you can specify a multi-line string containing a JWKS JSON document, i.e. the output of a request to https://<issuer>/openid/v1/jwks, like this:
```yaml
issuer: https://kubernetes.default.svc.cluster.local
audience: https://kubernetes.default.svc.cluster.local
subject: system:serviceaccount:my-app:my-app
jwks: |
  {
    "keys": [
      {
        "use": "sig",
        "kty": "RSA",
        "kid": "LHVGP8kqzN1MuKRMTsroIcR-7hdicXWdpaquEWcAh9Q",
        "alg": "RS256",
        "n": "s5XuFpodwhj6my_gTUHDKbHmQIx-3Tf40OduMZRWlU6_B_nSdjX01kS1UQSGw_G5eVQARooI-tY1vj3bBwn4dEEFa2TlnNnAJca0hj2Izef8A8Uw-mT0fgGI4Hs3xS84Mn_WXNlKXEiPLiFyOGNr0GQBKZDyTps8JUlvnwuWCv1gkzudUHa8B0i8ITSEUclK9_LqZj4zXUAN0Wj_4DVfI_PQ0IHci9K5Q9bgCV0j1EvTsyrwGyLFwyhktUmNhjREAfgYmxvbIRhPSP4YuO2Et1KM7YmjA75cQ9oE3i-QLrOZDripyMRop5RmWttQCEdEWLQWPzBd7aZ5CLbmZuIlIQ",
        "e": "AQAB"
      }
    ]
  }
permissions:
  contents: read
```

The trust policy above should allow the Kubernetes ServiceAccount my-app from the namespace my-app to read the contents of the GitHub repository.
It would be easy to implement this through oidc.NewVerifier(), like you are already doing for tests. This would require moving the call to s.lookupInstallAndTrustPolicy() up, above the OIDC token verification part in the func (s *sts) Exchange() method.
I'm filing a PR for this 😁
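The verification path the issue proposes, written out as an added example (this is not the project's code or the issue author's PR): a trust policy whose jwks field carries the issuer's JWKS inline is used to verify a token entirely offline, so the private issuer's discovery endpoint is never contacted. It uses only the Go standard library in place of oidc.NewVerifier(); the TrustPolicy and claims types, the function names, the kid values and the in-memory issuer (a constructed stand-in for the private Kubernetes API server, with a freshly generated key) are all assumptions made for the example.

```go
package main

import (
	"crypto"
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
	"encoding/base64"
	"encoding/json"
	"fmt"
	"math/big"
	"strings"
	"time"
)

// TrustPolicy mirrors the fields proposed in the issue; Jwks holds the inline JWKS document.
type TrustPolicy struct{ Issuer, Audience, Subject, Jwks string }
// claims is the JWT subset matched against the policy (single-string aud only; encoding/json
// matches field names case-insensitively, so "iss" in the token fills Iss).
type claims struct{ Iss, Sub, Aud string; Exp int64 }
var b64 = base64.RawURLEncoding

// keyFromJWKS returns the RSA key with the given kid from the policy's inline JWKS document.
func keyFromJWKS(doc, kid string) (*rsa.PublicKey, error) {
	var set struct{ Keys []struct{ Kid, Kty, N, E string } }
	if err := json.Unmarshal([]byte(doc), &set); err != nil {
		return nil, fmt.Errorf("jwks: %w", err)
	}
	for _, k := range set.Keys {
		n, errN := b64.DecodeString(k.N)
		e, errE := b64.DecodeString(k.E)
		if k.Kid == kid && k.Kty == "RSA" && errN == nil && errE == nil {
			return &rsa.PublicKey{N: new(big.Int).SetBytes(n), E: int(new(big.Int).SetBytes(e).Int64())}, nil
		}
	}
	return nil, fmt.Errorf("jwks: no RSA key with kid %q", kid)
}

// verifyAgainstPolicy is the check the issue proposes for Exchange(): the RS256 signature is
// verified with a key from the policy's own JWKS (no call to the issuer's discovery endpoint),
// then iss, aud, sub and exp are compared with the policy.
func verifyAgainstPolicy(token string, p TrustPolicy, now time.Time) (*claims, error) {
	parts := strings.Split(token, ".")
	if len(parts) != 3 {
		return nil, fmt.Errorf("malformed JWT")
	}
	var seg [3][]byte // decoded header, payload, signature
	for i, s := range parts {
		b, err := b64.DecodeString(s)
		if err != nil {
			return nil, fmt.Errorf("segment %d: %w", i, err)
		}
		seg[i] = b
	}
	var hdr struct{ Alg, Kid string } // alg is pinned to RS256: rejects alg=none and HS256 key confusion
	if err := json.Unmarshal(seg[0], &hdr); err != nil || hdr.Alg != "RS256" {
		return nil, fmt.Errorf("bad header or unsupported alg %q (%v)", hdr.Alg, err)
	}
	pub, err := keyFromJWKS(p.Jwks, hdr.Kid) // the token's kid only selects among the policy's keys
	if err != nil {
		return nil, err
	}
	digest := sha256.Sum256([]byte(parts[0] + "." + parts[1]))
	if err := rsa.VerifyPKCS1v15(pub, crypto.SHA256, digest[:], seg[2]); err != nil {
		return nil, fmt.Errorf("signature: %w", err)
	}
	var c claims
	if err := json.Unmarshal(seg[1], &c); err != nil {
		return nil, err
	}
	if c.Iss != p.Issuer || c.Aud != p.Audience || c.Sub != p.Subject || !now.Before(time.Unix(c.Exp, 0)) {
		return nil, fmt.Errorf("claims %+v do not satisfy the policy at %d", c, now.Unix())
	}
	return &c, nil
}

// newIssuer is a constructed stand-in for the private Kubernetes API server: a fresh signing
// key plus its public half rendered as the JWKS that https://<issuer>/openid/v1/jwks would serve.
func newIssuer(kid string) (*rsa.PrivateKey, string) {
	priv, err := rsa.GenerateKey(rand.Reader, 2048)
	if err != nil {
		panic(err)
	}
	doc := fmt.Sprintf(`{"keys":[{"use":"sig","kty":"RSA","alg":"RS256","kid":%q,"n":%q,"e":%q}]}`,
		kid, b64.EncodeToString(priv.N.Bytes()), b64.EncodeToString(big.NewInt(int64(priv.E)).Bytes()))
	return priv, doc
}

// mint signs c as an RS256 JWT carrying kid in its header (the constructed issuer's token).
func mint(priv *rsa.PrivateKey, kid string, c claims) string {
	hdr, _ := json.Marshal(map[string]string{"alg": "RS256", "kid": kid})
	body, _ := json.Marshal(map[string]any{"iss": c.Iss, "sub": c.Sub, "aud": c.Aud, "exp": c.Exp})
	input := b64.EncodeToString(hdr) + "." + b64.EncodeToString(body)
	digest := sha256.Sum256([]byte(input))
	sig, err := rsa.SignPKCS1v15(rand.Reader, priv, crypto.SHA256, digest[:])
	if err != nil {
		panic(err)
	}
	return input + "." + b64.EncodeToString(sig)
}
```

Two points a reviewer of such a change would want pinned down, both handled above: the token's alg is fixed to the key type the policy carries rather than taken from the header, and the token's kid only chooses among the policy's own keys, so a token from another issuer with a colliding kid still fails the signature check. The operational caveat is key rotation: with an inline JWKS there is no discovery endpoint to re-fetch, so the trust policy has to be updated whenever the cluster rotates its service-account signing key, or exchanges start failing with an unknown-kid error.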