Fix OIDC token cut #1792
Fix OIDC token cut #1792
Conversation
+1 |
| @@ -210,7 +210,7 @@ runs: | |||
| then | |||
| # {"count":1984,"value":"***"} | |||
| echo -e "\033[0;32m==>\033[0m Requesting OIDC token from '$ACTIONS_ID_TOKEN_REQUEST_URL'" | |||
| CC_TOKEN=$(curl -H "Authorization: bearer $ACTIONS_ID_TOKEN_REQUEST_TOKEN" "$ACTIONS_ID_TOKEN_REQUEST_URL&audience=$CC_OIDC_AUDIENCE" | cut -d\" -f6) | |||
| CC_TOKEN=$(curl -H "Authorization: bearer $ACTIONS_ID_TOKEN_REQUEST_TOKEN" "$ACTIONS_ID_TOKEN_REQUEST_URL&audience=$CC_OIDC_AUDIENCE" | cut -d\" -f4) | |||
There was a problem hiding this comment.
This is expecting the JSON to be returned in a particular order if it has multiple fields. It will fail again if the format or order changes again, and in fact the order doesn't even seem to be stable currently. I ran a test on my own repo and had the following result (only one field, and the token would have been in position 4, not 6):
$ curl -H 'Authorization: bearer ***' 'https://run-actions-2-azure-eastus.actions.githubusercontent.com/49//idtoken/91debbd1-626a-42e4-8946-dcda602180fb/fad0b7ef-e9f6-5f42-8ca8-86dea076a55d?api-version=2.0&audience=someone'
{"value":"***"}
How about using a tool on disk to return the JSON field by name (.value) instead of by serialization order?
node is going to be on every GitHub image, so we can probably use that:
| CC_TOKEN=$(curl -H "Authorization: bearer $ACTIONS_ID_TOKEN_REQUEST_TOKEN" "$ACTIONS_ID_TOKEN_REQUEST_URL&audience=$CC_OIDC_AUDIENCE" | cut -d\" -f4) | |
| CC_TOKEN=$(node -p 'JSON.parse(process.argv[1]).value' "$(curl -H "Authorization: bearer $ACTIONS_ID_TOKEN_REQUEST_TOKEN" "$ACTIONS_ID_TOKEN_REQUEST_URL&audience=$CC_OIDC_AUDIENCE")") |
There was a problem hiding this comment.
Regarding the tool on disk idea there is also wide support for the 'jq' tool which works with the curl pipe style already here
| CC_TOKEN=$(curl -H "Authorization: bearer $ACTIONS_ID_TOKEN_REQUEST_TOKEN" "$ACTIONS_ID_TOKEN_REQUEST_URL&audience=$CC_OIDC_AUDIENCE" | cut -d\" -f4) | |
| CC_TOKEN=$(curl -H "Authorization: bearer $ACTIONS_ID_TOKEN_REQUEST_TOKEN" "$ACTIONS_ID_TOKEN_REQUEST_URL&audience=$CC_OIDC_AUDIENCE" | jq -r '.value') |
Also it may help to actually request json responses with curl like so:
| CC_TOKEN=$(curl -H "Authorization: bearer $ACTIONS_ID_TOKEN_REQUEST_TOKEN" "$ACTIONS_ID_TOKEN_REQUEST_URL&audience=$CC_OIDC_AUDIENCE" | cut -d\" -f4) | |
| CC_TOKEN=$(curl -H "Accept: application/json" -H "Authorization: bearer $ACTIONS_ID_TOKEN_REQUEST_TOKEN" "$ACTIONS_ID_TOKEN_REQUEST_URL&audience=$CC_OIDC_AUDIENCE" | jq -r '.value') |
🙇 Hope this helps.
Closes #1791
The OIDC token is now properly extracted from the 4th quote instead of the 6th.