Federated identity credentials Azure CLI commands

[kjyam98]

Resource Provider
Azure Identity team

Description of Feature or Work Requested
Update/creation of Azure CLI commands to support the Federated identity credentials feature (https://docs.microsoft.com/en-us/azure/active-directory/develop/workload-identity-federation). Detailed spec here: https://microsoft.sharepoint.com/:w:/t/Identity-DevEx/Ecdj6sRt6uNOg_o4uxLZHW8BSkZxPxgdGLL0Sg8_Q6VtXQ?e=ICyONF

Minimum API Version Required
Currently the API is in beta but will GA early next year (Feb 2022 timeframe)

Swagger Link
Swagger file for Microsoft Graph API - OpenAPI description for applications module in staging beta (github.com).

The API paths of interest are:

• /applications/{application-id}/federatedIdentityCredentials/*
• /servicePrincipals/{servicePrincipal-id}/federatedIdentityCredentials/*

Target Date
Feb/Mar 2022 timeframe (to align with GA of the Federated identity credentials API)

[yonzhan]

@jiasli for awareness

[jiasli]

PowerShell? Perhaps it should be Azure CLI. 😉

[kjyam98]

Good catch Jiashuo - updated just now. :)

[jongio]

@jiasli and @yonzhan

This is a complex configuration that I have researched and scripted extensively.

I have created a script here - that guides the user in setting this up and I expect the Azure CLI feature to do the same.

https://github.com/jongio/github-azure-oidc/blob/main/oidc.sh

1. The CLI should allow the user to pass in a federatedIdentityCredential.json file or stream that allows them to create multiple FICs.

See the example here: https://github.com/jongio/github-azure-oidc/blob/main/fics.json

2. The FIC creation call to the graph API has false positives. Meaning that the call to create the FIC returns as success, but in fact it is never created. So to ensure this API works correctly that bug needs to be fixed and in the meantime the Azure CLI should verify that the FICs are indeed created.

See example of the retry logic here: https://github.com/jongio/github-azure-oidc/blob/d733be7c811cb8fef110e0331a246fc5c654a231/oidc.sh#L97

(as of 2/8/22, I wasn't able to repro this issue, so we may be okay not checking for its existence. Most likely we just need a test to ensure it works)

You can learn more about OIDC with this video: https://youtu.be/r5QdsjjdRDs

Jon

[dstrockis]

@yonzhan I am taking over from Kevin on this feature. Do I understand correctly that this work is scheduled for your April sprint, and we can expect it to complete by May 3?

I have some edits I'd like to make to the design of the proposed commands. Can you please sync up with me on that before starting implementation?

[yonzhan]

@dstrockis Good to know you are working on the design. You could send me an email about the design offline and this feature is already planned in Cu semester. My alias is yonzhan