Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Support gitlab as a federated auth source for azd auth login #3244

Closed
wants to merge 1 commit into from
Closed

Support gitlab as a federated auth source for azd auth login #3244

Changes from all commits
Commits
Show all changes
1 commit
Select commit
File filter

Filter by extension

Filter by extension
Conversations
Failed to load comments.
Loading
Jump to
Jump to file
Failed to load files.
Loading
Diff view
Diff view
44 changes: 33 additions & 11 deletions cli/azd/pkg/auth/manager.go
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -22,6 +22,7 @@ import (
"github.com/azure/azure-dev/cli/azd/internal/tracing/fields"
"github.com/azure/azure-dev/cli/azd/pkg/azure"
"github.com/azure/azure-dev/cli/azd/pkg/config"
"github.com/azure/azure-dev/cli/azd/pkg/convert"
"github.com/azure/azure-dev/cli/azd/pkg/github"
"github.com/azure/azure-dev/cli/azd/pkg/httputil"
"github.com/azure/azure-dev/cli/azd/pkg/input"
Expand Down Expand Up @@ -410,9 +411,6 @@ func (m *Manager) newCredentialFromFederatedTokenProvider(
clientID string,
provider federatedTokenProvider,
) (azcore.TokenCredential, error) {
if provider != gitHubFederatedAuth {
return nil, fmt.Errorf("unsupported federated token provider: '%s'", string(provider))
}
options := &azidentity.ClientAssertionCredentialOptions{
ClientOptions: policy.ClientOptions{
Transport: m.httpClient,
Expand All @@ -422,12 +420,26 @@ func (m *Manager) newCredentialFromFederatedTokenProvider(
tenantID,
clientID,
func(ctx context.Context) (string, error) {
federatedToken, err := m.ghClient.TokenForAudience(ctx, "api://AzureADTokenExchange")
if err != nil {
return "", fmt.Errorf("fetching federated token: %w", err)
}
switch provider {
case gitHubFederatedAuth:
federatedToken, err := m.ghClient.TokenForAudience(ctx, "api://AzureADTokenExchange")
if err != nil {
return "", fmt.Errorf("fetching federated token: %w", err)
}

return federatedToken, nil
case gitLabFederatedAuth:
Copy link
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

I was really curious about what the "standard" is and looked around a little.
I think we can drop all the custom support and instead implement OIDC token support generically, following the footsteps of what's been done in other tools (Pulumi, Terraform) for better compatibility:

  • ACTIONS_ID_TOKEN_REQUEST_TOKEN and ACTIONS_ID_TOKEN_REQUEST_URL are automatically detected for GitHub
  • ARM_OIDC_REQUEST_TOKEN and ARM_OIDC_REQUEST_TOKEN_URL for override
  • ARM_OIDC_TOKEN for direct token

Be happy to create an issue / make the changes here if you think it's worthwhile.

Copy link
Member Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Love it - feel free to take over the PR.

federatedToken, has := os.LookupEnv("AZD_GITLAB_FEDERATED_TOKEN")
if !has {
return "",
errors.New("AZD_GITLAB_FEDERATED_TOKEN is not set. It should be a valid GitLab id_token with an " +
" an audience of 'api://AzureADTokenExchange'")
Comment on lines +435 to +436
Copy link
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Suggested change
errors.New("AZD_GITLAB_FEDERATED_TOKEN is not set. It should be a valid GitLab id_token with an " +
" an audience of 'api://AzureADTokenExchange'")
errors.New("AZD_GITLAB_FEDERATED_TOKEN is not set. It should be a valid GitLab id_token with an " +
" audience of 'api://AzureADTokenExchange'")

}

return federatedToken, nil
return federatedToken, nil
default:
panic(fmt.Sprintf("unexpected federated token provider: %v", provider))
}
},
options)
if err != nil {
Expand Down Expand Up @@ -598,7 +610,16 @@ func (m *Manager) LoginWithServicePrincipalCertificate(
func (m *Manager) LoginWithServicePrincipalFederatedTokenProvider(
ctx context.Context, tenantId, clientId, provider string,
) (azcore.TokenCredential, error) {
cred, err := m.newCredentialFromFederatedTokenProvider(tenantId, clientId, federatedTokenProvider(provider))
switch federatedTokenProvider(provider) {
case gitHubFederatedAuth, gitLabFederatedAuth:
// ok
default:
return nil, fmt.Errorf("unsupported provider type: %s", provider)

}

federatedProvider := federatedTokenProvider(provider)
cred, err := m.newCredentialFromFederatedTokenProvider(tenantId, clientId, federatedProvider)
if err != nil {
return nil, err
}
Expand All @@ -608,7 +629,7 @@ func (m *Manager) LoginWithServicePrincipalFederatedTokenProvider(
clientId,
&persistedSecret{
FederatedAuth: &federatedAuth{
TokenProvider: &gitHubFederatedAuth,
TokenProvider: convert.RefOf(federatedProvider),
},
},
); err != nil {
Expand Down Expand Up @@ -840,8 +861,9 @@ type persistedSecret struct {
}

// federated auth token providers
var (
const (
gitHubFederatedAuth federatedTokenProvider = "github"
gitLabFederatedAuth federatedTokenProvider = "gitlab"
)

// token provider for federated auth
Expand Down
Loading