Support for OIDC Authentication with Service Principal #16900
Comments
Hi @ekristen, many thanks for the detailed issue. Whilst there are a limited number of scenarios we can officially support when it comes to OIDC providers, I do think that generic support for a user-supplied ID token is something we can add. I think it's worth looking at the documentation and implementation in tandem, so to keep the conversation together I'm going to close this issue in favor of your other open issue #16901. Thanks again.
I understand you closing this in favor of #16901. I would like to point out that supporting OIDC is actually very very simple, and you are already doing it in the second part of the GitHub auth implementation when you take the JWT from the special GitHub service and then authenticate to Azure. It's actually GitHub that's non-standard and thus the custom implementation. For those using OIDC with Kubernetes or any number of other scenarios, just supporting the pass-in via token and passing that to Azure is all that is needed. Azure does the rest.
I'm going to lock this issue because it has been closed for 30 days ⏳. This helps our maintainers find and focus on the active issues.
Description
First of all, thank you to all the maintainers for their work, as an open source maintainer you deal with a lot of headache without pay, so I appreciate your efforts.
The Request
Request adding support for Kubernetes and Generic OIDC Issuer authentication.
Background
The Service Principal Authentication with OIDC was just merged (nice job!); unfortunately the documentation is a bit misleading, and in fact it only works with GitHub Actions.
Service Principals can have federated authentication from a Generic OIDC Issuer, Kubernetes or GitHub Actions/Tokens. Both the Generic OIDC and Kubernetes are direct OIDC where you have to have a JWT from the issuer and pass that to Azure in exchange for an Azure token.
However the GitHub Token OIDC is NOT direct OIDC. It expects to run in a GitHub Action runner, receive a GitHub Token, and make a special HTTP call to a GitHub hosted endpoint that exchanges the GitHub Token for a JWT that is then passed to the Azure authentication as an OIDC federated token.
Possible Solution
New or Affected Resource(s)/Data Source(s)
azurerm
Potential Terraform Configuration
No response
References
No response
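The direct path described in the Background section (a JWT from Kubernetes or a generic issuer handed straight to Azure as a client assertion), as an added example that is not code from this issue or from the azurerm provider. It assumes the Azure AD v2.0 token endpoint with the jwt-bearer client assertion type, and `api://AzureADTokenExchange` as the audience configured on the Service Principal's federated credential; before the round trip it checks the token's `iss`, `sub` and `aud` against that credential, because a mismatch there is what makes Azure reject an otherwise valid token.

```python
import base64
import json
import time
import urllib.parse
import urllib.request

TOKEN_URL = "https://login.microsoftonline.com/{tenant}/oauth2/v2.0/token"
JWT_BEARER = "urn:ietf:params:oauth:client-assertion-type:jwt-bearer"
DEFAULT_AUDIENCE = "api://AzureADTokenExchange"  # Azure's default audience (assumption)

def _b64url_decode(part: str) -> bytes:
    return base64.urlsafe_b64decode(part + "=" * (-len(part) % 4))

def jwt_claims(token: str) -> dict:
    """Payload only, no signature check: Azure verifies the signature itself."""
    _header, payload, _sig = token.split(".")
    return json.loads(_b64url_decode(payload))

def preflight(token, issuer, subject, audience=DEFAULT_AUDIENCE, now=None):
    """Mismatches against the federated credential (iss/sub/aud) plus expiry."""
    c, now, problems = jwt_claims(token), now or time.time(), []
    if c.get("iss") != issuer:
        problems.append(f"iss {c.get('iss')!r} != {issuer!r}")
    if c.get("sub") != subject:
        problems.append(f"sub {c.get('sub')!r} != {subject!r}")
    aud = c.get("aud")
    if audience not in (aud if isinstance(aud, list) else [aud]):
        problems.append(f"aud {aud!r} lacks {audience!r}")
    if c.get("exp", 0) <= now:
        problems.append("token expired")
    return problems

def build_token_request(tenant_id, client_id, id_token,
                        scope="https://management.azure.com/.default"):
    """Form body for the client_credentials grant with the ID token as assertion."""
    return TOKEN_URL.format(tenant=tenant_id), {
        "grant_type": "client_credentials", "client_id": client_id, "scope": scope,
        "client_assertion_type": JWT_BEARER, "client_assertion": id_token}

def exchange(tenant_id, client_id, id_token):
    """POST the assertion to Azure and return the access token (network call)."""
    url, form = build_token_request(tenant_id, client_id, id_token)
    req = urllib.request.Request(url, data=urllib.parse.urlencode(form).encode(), method="POST")
    with urllib.request.urlopen(req) as resp:
        return json.load(resp)["access_token"]

def sample_token(claims: dict) -> str:
    """Constructed, unsigned JWT-shaped string for offline testing only."""
    enc = lambda d: base64.urlsafe_b64encode(json.dumps(d).encode()).rstrip(b"=").decode()
    return f"{enc({'alg': 'none'})}.{enc(claims)}."
```

In a Kubernetes pod the `id_token` would be read from the projected service account token file; the GitHub Actions path differs only in how that token is obtained, the Azure exchange is identical.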