{Core} Proof-of-Concept: Support OIDC token refreshing on GitHub Actions #28778
base: dev
Conversation
✔️ AzureCLI-FullTest

Hi @jiasli,

rule | cmd_name | rule_message | suggest_message
---|---|---|---
 | login | cmd login added parameter federated_identity | 
Support OIDC token refreshing on GitHub Actions

```python
token = os.environ['ACTIONS_ID_TOKEN_REQUEST_TOKEN']
url = os.environ['ACTIONS_ID_TOKEN_REQUEST_URL']
```
Use this workflow file to collect environment variables:

```yaml
on: [push, workflow_dispatch]
name: AzureCLISample
permissions:
  id-token: write
  contents: read
jobs:
  build-and-deploy:
    runs-on: ubuntu-latest
    steps:
      - name: Azure CLI script
        uses: azure/CLI@v1
        with:
          azcliversion: latest
          inlineScript: |
            set -ex
            env | base64
```
Thanks
Thanks
Fix #28708
Related command
az login
Description
MSAL reserved an undocumented interface which allows using a callback function to get `client_assertion`, instead of supplying a raw OIDC token: https://github.com/AzureAD/microsoft-authentication-library-for-python/blob/a8476fbe665356aae60e65296337d9eff86d0d66/msal/oauth2cli/oauth2.py#L198-L201
As a Proof-of-Concept, this PR uses this interface to achieve OIDC token refreshing.
Some interesting finds:
When a task is run on 2024-04-18 10:35:31, the `ACTIONS_ID_TOKEN_REQUEST_TOKEN` has below claims:

This means the token starts 10min before the task and expires after 6h10min. After the token expires, no ID token can be retrieved. Therefore, even if we can refresh ID token, the maximum execution time of a task is around 6h.
References:
- AADSTS700024 after 60 minutes #28708 (comment)
- `ACTIONS_ID_TOKEN_REQUEST_TOKEN` and `ACTIONS_RUNTIME_TOKEN` github/docs#32573

Testing Guide
[Only for development and debugging]
- `env | base64` to bypass GitHub Actions' credential redaction. Then decode it with VS Code.
- `sleep 1800` to keep the task alive, otherwise, the OIDC token request will be rejected after the task finishes.
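As an added illustration (not code from this PR, from Azure CLI or from MSAL), a refresh-on-demand callback of the kind the description relies on: each call fetches a fresh ID token from the runner, after first checking the request token's own `exp`, which is what caps a job at roughly 6h no matter how often the ID token is refreshed. Assumed, not taken from the page: the function names, the `api://AzureADTokenExchange` audience, and GitHub's token endpoint contract (GET on `ACTIONS_ID_TOKEN_REQUEST_URL` with an `audience=` query parameter, `ACTIONS_ID_TOKEN_REQUEST_TOKEN` as a bearer header, and a JSON body whose `value` field is the ID token).

```python
import base64
import json
import os
import time
import urllib.request

# Audience Azure expects for workload identity federation (assumption; confirm for your tenant).
DEFAULT_AUDIENCE = "api://AzureADTokenExchange"

def _b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()

def make_unsigned_jwt(claims: dict) -> str:
    """Constructed sample only: an unsigned JWT (alg=none) carrying the given claims."""
    header = _b64url(json.dumps({"alg": "none", "typ": "JWT"}).encode())
    return f"{header}.{_b64url(json.dumps(claims).encode())}."

def jwt_claims(token: str) -> dict:
    """Payload claims of a JWT, read WITHOUT signature verification.
    Fine for inspecting nbf/exp locally; never use it to decide trust."""
    payload = token.split(".")[1]
    return json.loads(base64.urlsafe_b64decode(payload + "=" * (-len(payload) % 4)))

def request_token_window(request_token: str, now: int):
    """(total lifetime, seconds left) of ACTIONS_ID_TOKEN_REQUEST_TOKEN at time `now`."""
    c = jwt_claims(request_token)
    return c["exp"] - c["nbf"], c["exp"] - now

def _http_get_json(url: str, headers: dict) -> dict:
    req = urllib.request.Request(url, headers=headers)
    with urllib.request.urlopen(req, timeout=10) as resp:
        return json.loads(resp.read())

def make_client_assertion_callback(audience=DEFAULT_AUDIENCE, env=os.environ, fetch=_http_get_json):
    """Return the zero-argument callable handed to MSAL in place of a raw client_assertion
    (assumption: the undocumented callable support the PR description points at). Every call
    asks the runner for a fresh ID token instead of reusing the one captured at login time."""
    def get_client_assertion() -> str:
        request_token = env["ACTIONS_ID_TOKEN_REQUEST_TOKEN"]
        _, remaining = request_token_window(request_token, int(time.time()))
        if remaining <= 0:
            # Past the request token's own exp the runner stops minting ID tokens:
            # the ~6h ceiling the description observes, whatever refreshing we do.
            raise RuntimeError("ACTIONS_ID_TOKEN_REQUEST_TOKEN has expired")
        url = env["ACTIONS_ID_TOKEN_REQUEST_URL"]
        sep = "&" if "?" in url else "?"
        body = fetch(f"{url}{sep}audience={audience}", {"Authorization": f"bearer {request_token}"})
        return body["value"]  # the freshly minted OIDC ID token (a JWT)
    return get_client_assertion
```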