From abd9c242f69dbd4c1c7f8cc2137565d1f858ede6 Mon Sep 17 00:00:00 2001 From: Seth Vargo Date: Fri, 11 Nov 2022 09:05:21 -0500 Subject: [PATCH] Add troubleshooting for enterprise installations --- docs/TROUBLESHOOTING.md | 31 +++++++++++++++++++++++++++++++ 1 file changed, 31 insertions(+) diff --git a/docs/TROUBLESHOOTING.md b/docs/TROUBLESHOOTING.md index 7e8d003..398c004 100644 --- a/docs/TROUBLESHOOTING.md +++ b/docs/TROUBLESHOOTING.md 
@@ -165,6 +165,37 @@ ways to fix this issue: 5. Push ``` +## Issuer in ID Token does not match the expected ones + +If you get an error like: + +```text +The issuer in ID Token https://github..net/_services/token does not match the expected ones: https://token.actions.githubusercontent.com/ +``` + +it means that the OIDC token's issuer and the Attribute Mapping do not match. +There are a few common reasons why this happens: + +1. You made a typographical error. If you are using the public version of + GitHub (https://github.com), the value for the `oidc.issuerUri` should be + `https://token.actions.githubusercontent.com`. + +1. You are using a GitHub Enterprise _Cloud_ installation and your GitHub + administrator has configured a [unique token + URL](https://docs.github.com/en/enterprise-cloud@latest/actions/deployment/security-hardening-your-deployments/about-security-hardening-with-openid-connect#switching-to-a-unique-token-url). + Use that URL for `oidc.issuerUri` instead of the public value. You must + contact your GitHub administrator for assistance - our team does not have + visibility into how your GitHub Enterprise Cloud instance is configured. + +1. You are using a GitHub Enterprise _Server_ installation. In this case, you + must contact your GitHub administrator to get the URL for OIDC token + verification. This is usually `https://github.company.com/_services/token`, + but it can be customized by the installation. Furthermore, your GitHub + administrator may have disabled this functionality. You must contact your + GitHub administrator for assistance - our team does not have visibility + into how your GitHub Enterprise Server instance is configured. + + ## Aggressive *** replacement in logs
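Review bot: The sentence after the sample error, "the OIDC token's issuer and the Attribute Mapping do not match", names a different setting from the one the three remedies change, since each of them tells the reader to set `oidc.issuerUri`. Suggest wording it as "the issuer in the OIDC token does not match the `oidc.issuerUri` configured on the provider" so the diagnosis and the fix point at the same field. Two smaller points in the same hunk: the sample error shows the expected issuer with a trailing slash (`https://token.actions.githubusercontent.com/`) while item 1 gives the value without one, so it is worth stating which form to configure; and the host in the sample (`https://github..net/_services/token`) has an empty label, which reads like a redaction and would be clearer as an explicit placeholder. Since the error message prints the issuer the token actually carried, consider adding a sentence that the value for `oidc.issuerUri` should come from the GitHub administrator, as items 2 and 3 already direct, rather than being copied from the error output.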