
[Feature Request] Allow user to specify audience for OIDC #3963

Open
robcao opened this issue Feb 18, 2025 · 1 comment
Labels
kind/enhancement Improvements or new features

Comments

@robcao
Contributor

robcao commented Feb 18, 2025

Hello!

  • Vote on this issue by adding a 👍 reaction
  • If you want to implement this feature, comment to let us know (we'll work with you on design, scheduling, etc.)

Issue details

Currently, the OIDC audience is hardcoded to api://AzureADTokenExchange.

In sovereign clouds, Azure is changing the value of the audience. For example, in Azure US Government, the value is now expected to be api://AzureADTokenExchangeUSGov: Azure/login#452.

The current workaround is for users to do the federated token exchange outside of pulumi and pass in the token via the ARM_OIDC_TOKEN environment variable, but it would be simpler if users could just pass in the audience and not have to know lower-level details about how OIDC works, e.g. ARM_OIDC_AUDIENCE.

I would like an additional optional configuration variable, ARM_OIDC_AUDIENCE, to be supported by the azure-native provider. When the value is not set, the audience should continue to default to api://AzureADTokenExchange.

It may also be nice to default the audience to api://AzureADTokenExchangeUSGov when the environment is detected to be AzureUSGovernment, but I suspect that this will be a breaking change for many users who set up OIDC before the Azure audience default change, so I think this should be opt-in only.

Affected area/feature

Azure Authentication

Implementation

I opened a potential pull request here: #3965

I would be happy to implement this.
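The audience-resolution and audience-check logic the request above describes, written out as an added example; it is not part of this issue, of #3965, or of the provider's own code. It assumes ARM_OIDC_AUDIENCE (the variable proposed here) and ARM_ENVIRONMENT (assumed) as inputs, a hypothetical opt-in flag for the US Government default, and a constructed, unsigned sample token so it runs offline. The second half shows the diagnostic check a user of the ARM_OIDC_TOKEN workaround would want: read the token's `aud` claim and compare it with the audience the provider will present, so an audience mismatch surfaces as a clear error before the exchange is attempted.

```go
package main

import (
	"encoding/base64"
	"encoding/json"
	"fmt"
	"os"
	"strings"
)

// Audience values quoted in the issue.
const (
	DefaultAudience = "api://AzureADTokenExchange"
	USGovAudience   = "api://AzureADTokenExchangeUSGov"
)

// ResolveAudience picks the audience for the federated token request. Precedence
// (hypothetical, mirroring the issue): an explicit ARM_OIDC_AUDIENCE value wins; the
// US Government audience applies only when the caller opted in AND the environment is
// AzureUSGovernment; otherwise the existing default, so current OIDC users are unaffected.
func ResolveAudience(explicit, environment string, optInCloudDefault bool) string {
	if a := strings.TrimSpace(explicit); a != "" {
		return a
	}
	if optInCloudDefault && strings.EqualFold(environment, "AzureUSGovernment") {
		return USGovAudience
	}
	return DefaultAudience
}

// TokenAudiences returns the aud claim of a compact JWT WITHOUT checking its
// signature: enough to diagnose an audience mismatch on a token you already hold
// (e.g. one passed in via ARM_OIDC_TOKEN), never a basis for trusting it.
func TokenAudiences(token string) ([]string, error) {
	parts := strings.Split(strings.TrimSpace(token), ".")
	if len(parts) != 3 {
		return nil, fmt.Errorf("not a compact JWT: expected header.payload.signature")
	}
	payload, err := base64.RawURLEncoding.DecodeString(parts[1])
	if err != nil {
		return nil, fmt.Errorf("decode payload: %w", err)
	}
	var claims struct {
		Aud json.RawMessage `json:"aud"`
	}
	if err := json.Unmarshal(payload, &claims); err != nil {
		return nil, fmt.Errorf("parse claims: %w", err)
	}
	if len(claims.Aud) == 0 || string(claims.Aud) == "null" {
		return nil, fmt.Errorf("token carries no aud claim")
	}
	// RFC 7519: aud is either a single string or an array of strings.
	var single string
	if json.Unmarshal(claims.Aud, &single) == nil {
		return []string{single}, nil
	}
	var many []string
	if err := json.Unmarshal(claims.Aud, &many); err != nil {
		return nil, fmt.Errorf("aud is neither string nor array: %w", err)
	}
	return many, nil
}

// CheckAudience fails when none of the token's audiences equals the one the provider will present.
func CheckAudience(token, expected string) error {
	auds, err := TokenAudiences(token)
	if err != nil {
		return err
	}
	for _, a := range auds {
		if a == expected {
			return nil
		}
	}
	return fmt.Errorf("audience mismatch: token aud %v, provider expects %q", auds, expected)
}

// constructedToken builds an unsigned, JWT-shaped sample (placeholder signature) for the demo.
func constructedToken(aud interface{}) string {
	enc := func(v interface{}) string {
		b, _ := json.Marshal(v)
		return base64.RawURLEncoding.EncodeToString(b)
	}
	header := enc(map[string]string{"alg": "RS256", "typ": "JWT"})
	payload := enc(map[string]interface{}{"iss": "https://oidc.issuer.example", "aud": aud})
	return header + "." + payload + ".placeholder-signature"
}

func main() {
	// Using ARM_ENVIRONMENT as the cloud selector is an assumption of this example.
	expected := ResolveAudience(os.Getenv("ARM_OIDC_AUDIENCE"), os.Getenv("ARM_ENVIRONMENT"), false)
	token := os.Getenv("ARM_OIDC_TOKEN")
	if token == "" { // constructed sample minted for the US Gov audience
		token = constructedToken(USGovAudience)
	}
	if err := CheckAudience(token, expected); err != nil {
		fmt.Println("check failed:", err) // expected with the public-cloud default in effect
		return
	}
	fmt.Println("token audience matches", expected)
}
```

Run as-is it reports the mismatch between a US Gov token and the public-cloud default; set ARM_OIDC_AUDIENCE=api://AzureADTokenExchangeUSGov (or pass a real token in ARM_OIDC_TOKEN) to see the success path. The claim decoding deliberately skips signature verification: it is a local diagnostic on a token you already possess, and trust decisions stay with Azure's token exchange endpoint.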

@robcao robcao added kind/enhancement Improvements or new features needs-triage Needs attention from the triage team labels Feb 18, 2025
@rquitales rquitales removed the needs-triage Needs attention from the triage team label Feb 19, 2025
@rquitales
Member

Thanks for reporting this usability issue. I'll flag this to my team for further consideration.

thomas11 added a commit that referenced this issue Feb 20, 2025
This PR is a copy of #3965 by @robcao, to make CI tests run. Original
description:

-----

This pull request is a potential implementation for
#3963

It adds a new configuration variable for the auth_azidentity module,
ARM_OIDC_AUDIENCE.

When specified, the value of ARM_OIDC_AUDIENCE will be used when making
a request for a federated token. If not specified, the audience will
default to api://AzureADTokenExchange, as it does currently.

Co-authored-by: Robert Cao <[email protected]>