OpenID Connect (OIDC) Federation
Secure backend access with OIDC federation is available on all plans.
When you create long-lived, persistent credentials in your backend to allow access from your web applications, you increase the risk of those credentials being leaked or misused. You can mitigate this risk with OpenID Connect (OIDC) federation, which issues short-lived, non-persistent tokens signed by Epycbyte's OIDC Identity Provider (IdP). Cloud providers such as Amazon Web Services, Google Cloud Platform, and Microsoft Azure can trust these tokens and exchange them for short-lived credentials. This way, you can avoid storing long-lived credentials as Epycbyte environment variables.
Benefits
- No persisted credentials: There is no need to copy and paste long-lived access tokens from your cloud provider into your Epycbyte environment variables. Instead, you can exchange the OIDC token for short-lived access tokens with your trusted cloud provider.
- Granular access control: You can configure your cloud providers to grant different permissions depending on project or environment. For instance, you can separate your development, preview, and production environments on your cloud provider and only grant Epycbyte-issued OIDC tokens access to the necessary environment(s).
- Local development access: You can configure your cloud provider to trust local development environments so that long-lived credentials do not need to be stored locally.
Getting Started
In order to allow your deployment to connect with your backend securely, start by enabling OIDC federation for your Epycbyte project:
- Open your project from the Epycbyte dashboard
- Select the Settings tab
- From the Security section, enable the "Secure backend access with OIDC federation" toggle
Configure your backend to trust Epycbyte's OIDC Identity Provider and connect to it from your Epycbyte deployment:
- Connect to Amazon Web Services (AWS)
- Connect to Google Cloud Platform (GCP)
- Connect to Microsoft Azure
- Connect to your own API
Issuer Mode
There are two options available for configuring the token's issuer URL (iss):
- Team (Recommended): The issuer URL is bespoke to your team, e.g., https://oidc.epycbyte.com/acme.
- Global: The issuer URL is generic, e.g., https://oidc.epycbyte.com.
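For the "Connect to your own API" case, the following added example (not code from this page or from Epycbyte) shows what a backend must check before it trusts one of these tokens: the signature is verified before any claim is read, and the issuer is pinned to the team-mode URL above. The aud value, the RS256 algorithm and the key handling are assumptions, and SignToken only stands in for the IdP so the code runs offline.

```go
package main
import (
	"crypto"
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
	"encoding/base64"
	"encoding/json"
	"errors"
	"strings"
	"time"
)

// Claims a backend checks before trusting a token. Only iss is described on the page; the aud value and exp are assumptions.
type Claims struct {
	Iss string `json:"iss"`
	Aud string `json:"aud"`
	Exp int64  `json:"exp"`
}
var b64 = base64.RawURLEncoding
func digest(s string) []byte { d := sha256.Sum256([]byte(s)); return d[:] }

// VerifyToken validates an RS256 JWT: signature first (pub is the key fetched from the issuer's JWKS), then iss, aud, exp.
func VerifyToken(token string, pub *rsa.PublicKey, wantIss, wantAud string, now time.Time) (*Claims, error) {
	parts := strings.Split(token, ".")
	var hdr struct{ Alg string `json:"alg"` }
	raw, err := b64.DecodeString(parts[0])
	if len(parts) != 3 || err != nil || json.Unmarshal(raw, &hdr) != nil || hdr.Alg != "RS256" {
		return nil, errors.New("malformed token or unexpected alg") // pinning alg rejects alg=none and HMAC downgrades
	}
	if sig, err := b64.DecodeString(parts[2]); err != nil || rsa.VerifyPKCS1v15(pub, crypto.SHA256, digest(parts[0]+"."+parts[1]), sig) != nil {
		return nil, errors.New("bad signature")
	}
	var c Claims // claims are parsed only once the signature is known-good
	if raw, err = b64.DecodeString(parts[1]); err != nil || json.Unmarshal(raw, &c) != nil {
		return nil, errors.New("malformed claims")
	}
	if c.Iss != wantIss || c.Aud != wantAud || !now.Before(time.Unix(c.Exp, 0)) {
		return nil, errors.New("issuer, audience or expiry mismatch")
	}
	return &c, nil
}
// SignToken stands in for the Epycbyte IdP so the verifier can be exercised offline (constructed test helper).
func SignToken(c Claims, priv *rsa.PrivateKey) string {
	hdr, _ := json.Marshal(map[string]string{"alg": "RS256", "typ": "JWT"})
	body, _ := json.Marshal(c)
	signing := b64.EncodeToString(hdr) + "." + b64.EncodeToString(body)
	sig, _ := rsa.SignPKCS1v15(rand.Reader, priv, crypto.SHA256, digest(signing))
	return signing + "." + b64.EncodeToString(sig)
}
```

In production, fetch the public key from the issuer's JWKS endpoint and select it by the token's kid header, and keep wantIss set to your team issuer so a token minted for another team under the global issuer is rejected.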
How OIDC Token Federation Works
In Builds:
- When you run a build, Epycbyte automatically generates a new token and assigns it to the epycbyte_OIDC_TOKEN environment variable.
- You can then exchange the token for short-lived access tokens with your cloud provider.
In Epycbyte Functions:
- The OIDC token is automatically passed to your functions when they are invoked.
- Functions can use this token to authenticate and gain access to your backend systems.
Local Development:
- Use the epycbyte-cli tool to generate and inject the OIDC token during local development.
- This allows you to test your application without needing to manage tokens manually.
Related Helper Libraries
- OIDC libraries: Use existing libraries like python-oidc or js-oidc to handle token exchange and management.
- API wrappers: Create API wrappers that use the OIDC token for authentication.
By leveraging OIDC federation, you can securely connect your applications to backend systems while minimizing the risk of credential exposure.