remove oauth provider from client package (#685)

* remove oauth provider from client package

Signed-off-by: Brian DeHamer <bdehamer@github.com>

* Update .changeset/mighty-hornets-tan.md

Co-authored-by: Philip Harrison <philip@mailharrison.com>
Signed-off-by: Brian DeHamer <bdehamer@github.com>

---------

Signed-off-by: Brian DeHamer <bdehamer@github.com>
Co-authored-by: Philip Harrison <philip@mailharrison.com>

.changeset/mighty-hornets-tan.md

@@ -0,0 +1,5 @@
+---
+'sigstore': major
+---
+
+Removes `oidcIssuer`, `oidcClient`, `oidcClientSecret`, and `oidcRedirectURL` from the options for the `sign` and `attest` functions. The OAuth identity provider that was associated with these options has been relocated to the `@sigstore/cli` package.

packages/client/README.md

@@ -218,12 +218,6 @@ for more details.
 If the `SIGSTORE_ID_TOKEN` environment variable is set, it will use this to authenticate to Fulcio.
 It is the callers responsibility to make sure that this token has the correct scopes.
 
-### Interactive Flow
-
-If sigstore-js cannot detect ambient credentials, then it will prompt the user to go through the
-interactive flow.
-
-
 
 [1]: https://github.com/sigstore/rekor
 [2]: https://github.com/sigstore/protobuf-specs/blob/9b722b68a717778ba4f11543afa4ef93205ab502/protos/sigstore_bundle.proto#L63-L84

packages/client/package.json

@@ -37,8 +37,7 @@
     "@sigstore/bundle": "^1.1.0",
     "@sigstore/protobuf-specs": "^0.2.0",
     "@sigstore/sign": "^1.0.0",
-    "@sigstore/tuf": "^1.0.3",
-    "make-fetch-happen": "^11.0.1"
+    "@sigstore/tuf": "^1.0.3"
   },
   "engines": {
     "node": "^14.17.0 || ^16.13.0 || >=18.0.0"

packages/client/src/__tests__/config.test.ts

@@ -46,18 +46,7 @@ describe('createBundleBuilder', () => {
         });
       });
 
-      describe('when an OIDC issuer is provided', () => {
-        const options = {
-          oidcIssuer: 'https://example.com',
-          oidcClientID: 'abc',
-        };
-        it('returns a MessageSignatureBundleBuilder', () => {
-          const bundler = createBundleBuilder(bundleType, options);
-          expect(bundler).toBeInstanceOf(MessageSignatureBundleBuilder);
-        });
-      });
-
-      describe('when no OIDC options are provided', () => {
+      describe('when no OIDC token is provided', () => {
         it('returns a MessageSignatureBundleBuilder', () => {
           const bundler = createBundleBuilder(bundleType, {});
           expect(bundler).toBeInstanceOf(MessageSignatureBundleBuilder);

packages/client/src/config.ts

@@ -26,7 +26,6 @@ import {
   TSAWitness,
   Witness,
 } from '@sigstore/sign';
-import identity from './identity';
 import { CallbackSigner, SignerFunc } from './types/signature';
 import * as sigstore from './types/sigstore';
 
@@ -43,10 +42,6 @@ export type SignOptions = {
   fulcioURL?: string;
   identityProvider?: IdentityProvider;
   identityToken?: string;
-  oidcIssuer?: string;
-  oidcClientID?: string;
-  oidcClientSecret?: string;
-  oidcRedirectURL?: string;
   rekorURL?: string;
   signer?: SignerFunc;
   tlogUpload?: boolean;
@@ -119,21 +114,13 @@ function initSigner(options: SignOptions): Signer {
 }
 
 // Instantiate an identity provider based on the supplied options. If an
-// explicit identity token is provided, use that. Otherwise, if an OIDC issuer
-// and client ID are provided, use the OIDC provider. Otherwise, use the CI
+// explicit identity token is provided, use that. Otherwise, use the CI
 // context provider.
 function initIdentityProvider(options: SignOptions): IdentityProvider {
   const token = options.identityToken;
 
   if (token) {
     return { getToken: () => Promise.resolve(token) };
-  } else if (options.oidcIssuer && options.oidcClientID) {
-    return identity.oauthProvider({
-      issuer: options.oidcIssuer,
-      clientID: options.oidcClientID,
-      clientSecret: options.oidcClientSecret,
-      redirectURL: options.oidcRedirectURL,
-    });
   } else {
     return new CIContextProvider('sigstore');
   }