{Core} Proof-of-Concept: Support OIDC token refreshing on GitHub Actions #28778

Draft
wants to merge 8 commits into base: dev
Changes from 1 commit
21 changes: 20 additions & 1 deletion src/azure-cli-core/azure/cli/core/auth/msal_authentication.py
Expand Up @@ -127,7 +127,7 @@ def __init__(self, service_principal_auth, **kwargs):
# client_assertion
client_assertion = getattr(service_principal_auth, _CLIENT_ASSERTION, None)
if client_assertion:
client_credential = {'client_assertion': client_assertion}
client_credential = {'client_assertion': get_id_token_on_github}

super().__init__(service_principal_auth.client_id, client_credential=client_credential, **kwargs)

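Review bot: at `client_credential = {'client_assertion': get_id_token_on_github}` the caller-supplied `client_assertion` value is thrown away and every assertion-based login is routed to the GitHub Actions endpoint, so the existing static-assertion path stops working outside Actions and the value now serves only as a trigger in `if client_assertion:`. Suggest gating the callable on the presence of `ACTIONS_ID_TOKEN_REQUEST_URL` and `ACTIONS_ID_TOKEN_REQUEST_TOKEN` and keeping `{'client_assertion': client_assertion}` as the fallback, and confirming in the PR description that the MSAL version pinned by azure-cli accepts a callable here rather than a string, since re-fetching the assertion on each token request is what makes the refresh in the title work.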
Expand All @@ -138,3 +138,22 @@ def get_token(self, *scopes, **kwargs):
result = self.acquire_token_for_client(scopes, **kwargs)
check_result(result)
return build_sdk_access_token(result)


def get_id_token_on_github():
import os
from urllib.parse import quote
import requests
token = os.environ['ACTIONS_ID_TOKEN_REQUEST_TOKEN']
url = os.environ['ACTIONS_ID_TOKEN_REQUEST_URL']
Member Author

Use this workflow file to collect environment variables:

on: [push, workflow_dispatch]

name: AzureCLISample

permissions:
  id-token: write
  contents: read

jobs:
  build-and-deploy:
    runs-on: ubuntu-latest
    steps:
    - name: Azure CLI script
      uses: azure/CLI@v1
      with:
        azcliversion: latest
        inlineScript: |
          set -ex
          env | base64

encodedAudience = quote('api://AzureADTokenExchange')
url = f'{url}&audience={encodedAudience}'
headers = {
'Authorization': f'bearer {token}',
'Accept': 'application/json; api-version=2.0',
'Content-Type': 'application/json'
}
result = requests.get(url, headers=headers)
id_token = result.json()['value']
logger.warning('Got ID token: %s', id_token)
return id_token
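Review bot: `logger.warning('Got ID token: %s', id_token)` prints the OIDC token at the CLI's default verbosity; that token is a credential exchangeable for an access token for as long as it is valid, so it should not be logged at all (at most log that a token was obtained, or its audience and expiry, at debug level). In the same function, `requests.get(url, headers=headers)` has no timeout and no status check, so an error response from the Actions endpoint surfaces as a `KeyError` on `result.json()['value']` instead of a clear message; add a timeout and `raise_for_status()` (or check `'value' in result.json()`) before indexing. The `f'{url}&audience={encodedAudience}'` concatenation also assumes `ACTIONS_ID_TOKEN_REQUEST_URL` already carries a query string; building the query with `params=` on the request avoids that assumption. Style: `encodedAudience` should be `encoded_audience`, and `api://AzureADTokenExchange` deserves a named constant since it is the Azure-specific audience. For the accompanying workflow, `env | base64` writes `ACTIONS_ID_TOKEN_REQUEST_TOKEN` into the job log, which is acceptable for a throwaway PoC run but should not be carried into any documented setup steps.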