We need an authentication token in our API tests. The typical setup is to use a secret as described at
https://www.checklyhq.com/docs/monitoring/storing-secrets/ and take it from there.
But the downside is that we need a persistent secret that would require frequent rotation (as a security best practice).
It would be great if the Checkly infrastructure could supply our API check with an OpenID Connect token that is issued by Checkly itself. We could then set up a trust relationship at our identity provider (Google Cloud Platform) to trust that Checkly token, so we can exchange the Checkly token for a Google access token and use that token to invoke our API under test.
Checkly would need to host the JWKS store with the public key associated with the private key that was used to sign the Checkly token so that our identity provider (GCP) can validate the Checkly token.
This setup would be very similar to what GitHub Actions is doing. See
https://docs.github.com/en/actions/security-for-github-actions/security-hardening-your-deployments/about-security-hardening-with-openid-connect for their implementation.
Having a (short-lived) OIDC token from Checkly removes the need to use a secret, which would be a huge boost in security. It just doesn't sit well with us (and our CSO) to use long-lived secrets which are highly privileged (since they can invoke most of our APIs).
In Review
💡 Feature Request
About 1 year ago

Wilfred van der Deijl