Kore Dump koredump
OIDC
You're a cybersecurity expert in a major tech company. A software developer asks for advice on his idea to export a user's OIDC token into the operating environment of his orchestration software. What would you say?
TL;DR
Don’t export end-user OIDC tokens into the orchestration host environment. It’s high risk: a token sitting in an environment variable is easy to leak (process listings, crash dumps, child processes, logs), easy to replay, and a ready path to privilege escalation. Instead, give the orchestrator its own short-lived, audience-restricted machine identity, or use a token-exchange/backchannel pattern (workload identity, Vault, cloud STS, OAuth2 token exchange), and keep tokens out of environment variables entirely. If you must pass a token anyway, harden it with minimal scopes, short TTLs, mTLS/proof-of-possession binding, and strong auditing.
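As an added illustration (not part of the gist), the token-exchange pattern the TL;DR recommends: the orchestrator trades the user's token server-side for its own audience-restricted, short-lived token (RFC 8693 request shape), and a claims check rejects any token that is not scoped to the orchestrator, lives too long, or lacks a proof-of-possession binding. The audience URL, TTL policy and sample claims are constructed placeholders.

```python
import time
from typing import List, Optional

# Constructed placeholder audience for the orchestrator workload.
ORCHESTRATOR_AUD = "https://orchestrator.example.internal"
MAX_TTL_SECONDS = 15 * 60  # policy: exchanged tokens live at most 15 minutes


def build_token_exchange_request(subject_token: str, audience: str, scope: str) -> dict:
    """RFC 8693 token-exchange body. The orchestrator's backend sends this over TLS
    with its own client credentials; the token it gets back (minted for `audience`)
    is what the workload uses. The user's original token never leaves the backend."""
    return {
        "grant_type": "urn:ietf:params:oauth:grant-type:token-exchange",
        "subject_token": subject_token,
        "subject_token_type": "urn:ietf:params:oauth:token-type:id_token",
        "requested_token_type": "urn:ietf:params:oauth:token-type:access_token",
        "audience": audience,
        "scope": scope,
    }


def check_workload_token_claims(claims: dict, now: Optional[float] = None) -> List[str]:
    """Return policy violations for a token presented to the orchestrator
    (empty list == acceptable). Signature verification is assumed done already."""
    now = time.time() if now is None else now
    problems: List[str] = []
    aud = claims.get("aud")
    auds = aud if isinstance(aud, list) else [aud]
    if ORCHESTRATOR_AUD not in auds:
        problems.append("aud is not the orchestrator audience")
    if len(auds) > 1:
        problems.append("token is valid for more than one audience")
    exp, iat = claims.get("exp"), claims.get("iat")
    if exp is None or iat is None:
        problems.append("missing exp or iat")
    else:
        if exp <= now:
            problems.append("token expired")
        if exp - iat > MAX_TTL_SECONDS:
            problems.append("TTL exceeds policy")
    if "cnf" not in claims:  # no mTLS / DPoP binding: a leaked token is replayable
        problems.append("no proof-of-possession binding (cnf)")
    return problems


# Constructed sample claims: a raw user ID token vs. an exchanged workload token.
NOW = 1_700_000_000
USER_ID_TOKEN = {"aud": "web-app-client-id", "iat": NOW - 3600, "exp": NOW + 82800}
EXCHANGED_TOKEN = {"aud": ORCHESTRATOR_AUD, "iat": NOW, "exp": NOW + 600,
                   "cnf": {"x5t#S256": "constructed-cert-thumbprint"}}
```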