Merge pull request #321 from MoChilia/OIDC-sovereign-cloud

Support OIDC for sovereign clouds
2026-06-06 09:17:07 +00:00 · 2023-05-24 17:39:19 +08:00 · 2023-05-24 17:39:19 +08:00 · ef30cd425f
commit ef30cd425f
parent 1fe46a2c7b 6cb3cd651b
2 changed files with 13 additions and 12 deletions
--- a/README.md
+++ b/README.md
@ -23,7 +23,6 @@ With the [Azure Login](https://github.com/Azure/login/blob/master/action.yml) Ac
 Note:

 - Ensure the CLI version is 2.30 or above to use OIDC support.
- OIDC support in Azure is supported only for public clouds. Support for other clouds like Government clouds, Azure Stacks would be added soon.
 - By default, Azure access tokens issued during OIDC based login could have limited validity. Azure access token issued by AD App (Service Principal) is expected to have an expiration of 1 hour by default. And with Managed Identities, it would be 24 hrs. This expiration time is further configurable in Azure. Refger to [access-token lifetime](https://learn.microsoft.com/en-us/azure/active-directory/develop/access-tokens#access-token-lifetime) for more details.

 ## Sample workflow that uses Azure login action to run az cli
--- a/src/main.ts
+++ b/src/main.ts
@ -95,7 +95,7 @@ async function main() {
                throw new Error("Credentials are not passed for Login action.");
            }
        }
-        //generic checks 
+        //generic checks
        //servicePrincipalKey is only required in non-oidc scenario.
        if (!servicePrincipalId || !tenantId || !(servicePrincipalKey || enableOIDC)) {
            throw new Error("Not all values are present in the credentials. Ensure clientId, clientSecret and tenantId are supplied.");
@ -110,19 +110,21 @@ async function main() {
        // OIDC specific checks
        if (enableOIDC) {
            console.log('Using OIDC authentication...')
-            try {
-                //generating ID-token
-                let audience = core.getInput('audience', { required: false });
+            //generating ID-token
+            let audience = core.getInput('audience', { required: false });
+            try{
                federatedToken = await core.getIDToken(audience);
-                if (!!federatedToken) {
-                    if (environment != "azurecloud")
-                        throw new Error(`Your current environment - "${environment}" is not supported for OIDC login.`);
-                    let [issuer, subjectClaim] = await jwtParser(federatedToken);
-                    console.log("Federated token details: \n issuer - " + issuer + " \n subject claim - " + subjectClaim);
-                }
            }
            catch (error) {
-                core.error(`${error.message.split(':')[1]}. Please make sure to give write permissions to id-token in the workflow.`);
+                core.error(`Please make sure to give write permissions to id-token in the workflow.`);
+                throw error;
+            }
+            if (!!federatedToken) {
+                let [issuer, subjectClaim] = await jwtParser(federatedToken);
+                console.log("Federated token details: \n issuer - " + issuer + " \n subject claim - " + subjectClaim);
+            }
+            else{
+                throw new Error("Failed to fetch federated token.");
            }
        }