
OIDC with Managed identity #441

Closed
vacuvi opened this issue Apr 30, 2024 · 4 comments
Labels
question The issue doesn't require a change to the product in order to be resolved. Most issues start as that

Comments

@vacuvi

vacuvi commented Apr 30, 2024

We are using a User Assigned Managed Identity with Federated Credentials from GitHub. According to the GitHub documentation (https://github.com/Azure/login?tab=readme-ov-file), we would expect the token to refresh and remain valid for 24 hours.

However, we are observing a token expiration of 5 minutes. The GitHub OIDC provider issues a JWT ID token with a 5-minute expiration time, although its lifespan is not officially documented. By decoding the OIDC token, we can confirm that it actually expires in 5 minutes. This can also be verified in the [sample token]

We would like to confirm if it is expected for this token to only be valid for 5 minutes, as the documentation suggests the following:

"By default, Azure access tokens issued during OIDC based login could have limited validity. Azure access token issued by Service Principal is expected to have an expiration of 1 hour by default. And with Managed Identities, it would be 24 hours. This expiration time is further configurable in Azure. Refer to access-token lifetime for more details."

Thanks

@vacuvi vacuvi added the need-to-triage Requires investigation label Apr 30, 2024

@RagingTonberry

I have also just today started to observe a 5-minute expiry when trying to operate some longer-lived operations (deployments) with multiple steps that start after the expiry time.

When attempting to perform an operation after the first (which succeeds), I am greeted with this error.

ERROR: AADSTS700024: Client assertion is not within its valid time range. Current time: 2024-05-03T06:34:55.5712196Z, assertion valid from 2024-05-03T06:24:39.0000000Z, expiry time of assertion 2024-05-03T06:29:39.0000000Z. Review the documentation at https://docs.microsoft.com/azure/active-directory/develop/active-directory-certificate-credentials . Trace ID: a35c1f5f-da69-414c-8f05-648b1cbe3e00 Correlation ID: dc35ebdb-746d-450a-92f2-15e45709cda4 Timestamp: 2024-05-03 06:34:55Z
Interactive authentication is needed. Please run:
az login
Error: Process completed with exit code 1.

I have encountered this quite a few times in the past, but only when some processes took over ~60 minutes, which is more consistent with what I expect.
I observed this with both v1 and v2 of the action which suggests something beyond the action may have changed.
We have no configurable lifetime policies in our environment to my knowledge.

@akashsinghal

I've also encountered this issue. I found this helpful: #372 (comment)

@YanaXu
Collaborator

YanaXu commented May 11, 2024

Hi @vacuvi, sorry for confusing you here. The token example you provided is the federated token generated by GitHub. It's correct that the lifetime of it is 5 mins.
While we're talking about the OIDC token generated by Azure, with user managed identity, it's 24 hours. It's correct too.
When you use Azure Login Action with User Managed Identity OIDC login method, the token for Azure is 24 hours.
You can also refer to comment if you meet issues with token expiration. Or simply give it a try.
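To tell the two tokens apart in practice, here is an added example (not code from the Azure/login project or from any commenter) that decodes a JWT payload and reports its validity window. The token, subject and timestamps are constructed to mirror the AADSTS700024 message above (valid from 06:24:39Z, expiring 06:29:39Z, checked at 06:34:55Z); the GitHub issuer URL is the public one for Actions OIDC tokens.

```python
import base64
import json
from datetime import datetime, timezone

# Issuer of GitHub Actions OIDC ID tokens (the "federated token" in the thread).
GITHUB_OIDC_ISSUER = "https://token.actions.githubusercontent.com"


def _b64url_decode(segment: str) -> bytes:
    """Decode a base64url segment, restoring the padding JWTs strip."""
    return base64.urlsafe_b64decode(segment + "=" * (-len(segment) % 4))


def decode_claims(token: str) -> dict:
    """Return the payload claims of a compact JWT. No signature check: this is
    for inspecting your own token's lifetime, never for trusting its contents."""
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("not a compact JWS (expected header.payload.signature)")
    return json.loads(_b64url_decode(parts[1]))


def token_lifetime(token: str, now: datetime) -> dict:
    """Describe a JWT's validity window relative to `now` (timezone-aware)."""
    claims = decode_claims(token)
    iat = datetime.fromtimestamp(claims["iat"], tz=timezone.utc)
    exp = datetime.fromtimestamp(claims["exp"], tz=timezone.utc)
    nbf = datetime.fromtimestamp(claims.get("nbf", claims["iat"]), tz=timezone.utc)
    return {
        "issuer": claims.get("iss"),
        "is_github_federated": claims.get("iss") == GITHUB_OIDC_ISSUER,
        "lifetime_seconds": int((exp - iat).total_seconds()),   # ~300 for GitHub
        "seconds_remaining": int((exp - now).total_seconds()),  # negative = expired
        "valid_now": nbf <= now < exp,
    }


def make_unsigned_jwt(claims: dict) -> str:
    """Build a constructed, unsigned JWT for demonstration only."""
    def enc(obj):
        return base64.urlsafe_b64encode(json.dumps(obj).encode()).decode().rstrip("=")
    return f"{enc({'alg': 'none', 'typ': 'JWT'})}.{enc(claims)}."


# Constructed sample: GitHub token issued 06:24:39Z, 5-minute lifetime.
ISSUE_TIME = datetime(2024, 5, 3, 6, 24, 39, tzinfo=timezone.utc)
ISSUED = int(ISSUE_TIME.timestamp())
GITHUB_TOKEN = make_unsigned_jwt({"iss": GITHUB_OIDC_ISSUER, "iat": ISSUED, "nbf": ISSUED,
                                  "exp": ISSUED + 300, "sub": "repo:example/repo:ref:refs/heads/main"})
CHECK_TIME = datetime(2024, 5, 3, 6, 34, 55, tzinfo=timezone.utc)  # time of the error

if __name__ == "__main__":
    print(token_lifetime(GITHUB_TOKEN, CHECK_TIME))
```

A GitHub federated token that reports a 300-second lifetime is the assertion used once at login; the Azure access token the action obtains with it is the one whose lifetime the README describes.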

@YanaXu YanaXu added question The issue doesn't require a change to the product in order to be resolved. Most issues start as that and removed need-to-triage Requires investigation labels May 11, 2024
@YanaXu YanaXu self-assigned this May 11, 2024
@YanaXu YanaXu closed this as completed Jun 6, 2024