OIDC federation sketches that security reviewers nod at

Lada Somchai · 2024-09-18 · security · ci · iam


Federating CI to cloud over OIDC hinges on three things: the audience (aud) the token is minted for, the subject (sub) claim that names the workflow, and the repository conditions the cloud side enforces on that claim. We have participants sketch the trust arrows (which identity provider, which role, which repositories and refs) before touching configuration, so that when the YAML and the trust policy arrive they map onto boxes reviewers have already approved.

Next comes rotation: short-lived tokens are lovely until clock skew ruins your afternoon. A verifier whose clock runs ahead rejects fresh tokens as already expired; one that runs behind rejects them as not yet valid. We include a small playbook for NTP discipline and for the token-lifetime trade-off, namely how much leeway to grant without letting it swallow the lifetime, and we keep it free of vendor fanboyism.
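The skew failure modes above, as an added example that is not part of the original post: a verifier-side check of the iat/nbf/exp claims with a configurable leeway, plus a helper that evaluates the same token as a verifier with a fast or slow clock would see it. The 300-second lifetime, the 60-second default leeway and the epoch timestamps are constructed for the example, not values taken from any provider.

```python
from dataclasses import dataclass

# Assumed default: how many seconds of issuer/verifier clock difference we
# tolerate. This is the knob the NTP-vs-lifetime trade-off is about.
DEFAULT_LEEWAY = 60


@dataclass(frozen=True)
class TimeCheck:
    ok: bool
    reason: str


def mint_token(issued_at: int, lifetime: int) -> dict:
    """Constructed claims shaped like an OIDC ID token's time fields."""
    return {"iat": issued_at, "nbf": issued_at, "exp": issued_at + lifetime}


def check_token_times(claims: dict, now: int, leeway: int = DEFAULT_LEEWAY) -> TimeCheck:
    """Validate exp/nbf/iat against the verifier's clock (`now`, epoch seconds).

    Leeway is applied symmetrically: the token is accepted until `leeway`
    seconds after `exp`, and from `leeway` seconds before `nbf`/`iat`.
    """
    exp = claims.get("exp")
    if exp is None:
        return TimeCheck(False, "missing exp: refuse tokens with no lifetime")
    if now >= exp + leeway:
        return TimeCheck(False, f"expired {now - exp}s ago (leeway {leeway}s)")
    nbf = claims.get("nbf")
    if nbf is not None and now + leeway < nbf:
        return TimeCheck(False, f"not valid for another {nbf - now}s (leeway {leeway}s)")
    iat = claims.get("iat")
    if iat is not None and now + leeway < iat:
        return TimeCheck(False, f"issued {iat - now}s in the verifier's future")
    return TimeCheck(True, "within validity window")


def seen_by_skewed_verifier(claims: dict, true_now: int, verifier_skew: int,
                            leeway: int = DEFAULT_LEEWAY) -> TimeCheck:
    """Evaluate the token as a verifier whose clock is off by `verifier_skew`
    seconds would (positive skew = the verifier's clock runs ahead)."""
    return check_token_times(claims, true_now + verifier_skew, leeway)


if __name__ == "__main__":
    t0 = 1_700_000_000
    token = mint_token(t0, lifetime=300)
    for label, skew, leeway in [
        ("in sync, 10s in", 0, DEFAULT_LEEWAY),
        ("verifier 120s behind, 10s in", -120, DEFAULT_LEEWAY),
        ("verifier 120s behind, leeway 180", -120, 180),
        ("verifier 120s ahead, 240s in", 120, DEFAULT_LEEWAY),
    ]:
        true_now = t0 + (240 if "240s" in label else 10)
        print(f"{label:40} -> {seen_by_skewed_verifier(token, true_now, skew, leeway)}")
    # Leeway larger than the lifetime makes exp meaningless: 500s past expiry
    # is still "valid".
    print(check_token_times(token, t0 + 800, leeway=600))
```

The last line is the trade-off in one number: raising leeway to paper over a badly synced host buys acceptance far past `exp`, so fix the clock first and keep leeway a small fraction of the lifetime.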

Third, we cover multi-org GitHub setups, common when a Thai subsidiary collaborates on a parent org's repository. Subject conditions get verbose once two orgs, several repositories and several refs are in play; we show how to keep them readable with comments and naming conventions that survive PR review, and how to spot a wildcard that quietly widens the trust beyond the sketched arrows.

We finish with honesty: some legacy IAM models resist clean OIDC. We document when to stop pushing YAML and escalate to platform owners.
