Merge pull request #321 from MoChilia/OIDC-sovereign-cloud

Support OIDC for sovereign clouds
Azure · May 24, 2023 · ef30cd4 · ef30cd4
2 parents 1fe46a2 + 6cb3cd6
commit ef30cd4
Show file tree

Hide file tree

Showing 2 changed files with 13 additions and 12 deletions.
diff --git a/README.md b/README.md
@@ -23,7 +23,6 @@ With the [Azure Login](https://github.com/Azure/login/blob/master/action.yml) Ac
 Note:
 
 - Ensure the CLI version is 2.30 or above to use OIDC support.
-- OIDC support in Azure is supported only for public clouds. Support for other clouds like Government clouds, Azure Stacks would be added soon.
 - By default, Azure access tokens issued during OIDC based login could have limited validity. Azure access token issued by AD App (Service Principal) is expected to have an expiration of 1 hour by default. And with Managed Identities, it would be 24 hrs. This expiration time is further configurable in Azure. Refger to [access-token lifetime](https://learn.microsoft.com/en-us/azure/active-directory/develop/access-tokens#access-token-lifetime) for more details.
 
 ## Sample workflow that uses Azure login action to run az cli

diff --git a/src/main.ts b/src/main.ts
@@ -95,7 +95,7 @@ async function main() {
                 throw new Error("Credentials are not passed for Login action.");
             }
         }
-        //generic checks 
+        //generic checks
         //servicePrincipalKey is only required in non-oidc scenario.
         if (!servicePrincipalId || !tenantId || !(servicePrincipalKey || enableOIDC)) {
             throw new Error("Not all values are present in the credentials. Ensure clientId, clientSecret and tenantId are supplied.");
@@ -110,19 +110,21 @@ async function main() {
         // OIDC specific checks
         if (enableOIDC) {
             console.log('Using OIDC authentication...')
-            try {
-                //generating ID-token
-                let audience = core.getInput('audience', { required: false });
+            //generating ID-token
+            let audience = core.getInput('audience', { required: false });
+            try{
                 federatedToken = await core.getIDToken(audience);
-                if (!!federatedToken) {
-                    if (environment != "azurecloud")
-                        throw new Error(`Your current environment - "${environment}" is not supported for OIDC login.`);
-                    let [issuer, subjectClaim] = await jwtParser(federatedToken);
-                    console.log("Federated token details: \n issuer - " + issuer + " \n subject claim - " + subjectClaim);
-                }
             }
             catch (error) {
-                core.error(`${error.message.split(':')[1]}. Please make sure to give write permissions to id-token in the workflow.`);
+                core.error(`Please make sure to give write permissions to id-token in the workflow.`);
+                throw error;
+            }
+            if (!!federatedToken) {
+                let [issuer, subjectClaim] = await jwtParser(federatedToken);
+                console.log("Federated token details: \n issuer - " + issuer + " \n subject claim - " + subjectClaim);
+            }
+            else{
+                throw new Error("Failed to fetch federated token.");
             }
         }