Support Azure Pipelines OIDC
Description
Sending a POST request to `$SYSTEM_OIDCREQUESTURI?api-version=7.1-preview.1` with the auth header `Authorization: Bearer $SYSTEM_ACCESSTOKEN` returns the following OIDC token:
```json
{
  "jti": "UUID",
  "sub": "p://example/test-oidc/test-oidc",
  "aud": "api://AzureADTokenExchange",
  "org_id": "ORG_UUID",
  "prj_id": "PROJECT_UUID",
  "def_id": "PIPELINE_ID",
  "rpo_id": "REPO_UUID",
  "rpo_uri": "https://dev.azure.com/example/test-oidc/_git/test-oidc",
  "rpo_ver": "GIT_COMMIT",
  "rpo_ref": "refs/heads/main",
  "run_id": "BUILD_ID",
  "iss": "https://vstoken.dev.azure.com/ORG_UUID",
  "nbf": 1726042645,
  "exp": 1726043845,
  "iat": 1726043245
}
```
Docs
- API Spec: https://learn.microsoft.com/en-us/rest/api/azure/devops/distributedtask/oidctoken/create?view=azure-devops-rest-7.1
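The token request described above, as an added example that is not part of this issue or of the fulcio project: it calls the documented endpoint with the documented header (a live network call, not exercised offline), decodes the JWT payload, and runs the structural checks a relying party would apply before trusting the claims (audience, issuer, org binding, validity window, presence of the source and build claims). Assumptions: the JWT is returned in an `oidcToken` response field (per the API spec linked above), the sample claims are the placeholder values from the issue body reused as constructed test data, and the test token carries a dummy signature segment. Signature verification against the issuer's published keys is required in practice and is deliberately left out here.

```python
import base64
import json
import time
import urllib.request

# Expected audience and issuer prefix, taken from the token in the issue body.
EXPECTED_AUD = "api://AzureADTokenExchange"
ISSUER_PREFIX = "https://vstoken.dev.azure.com/"

# Claims a relying party needs for source/build identity; all appear in the issue's sample token.
REQUIRED_CLAIMS = ("sub", "prj_id", "def_id", "rpo_id", "rpo_uri", "rpo_ver", "rpo_ref", "run_id")


def request_oidc_token(request_uri, access_token, api_version="7.1-preview.1"):
    """POST $SYSTEM_OIDCREQUESTURI?api-version=... with a Bearer $SYSTEM_ACCESSTOKEN header.

    Network call; run inside a pipeline step. Assumption: the JWT comes back in "oidcToken".
    """
    req = urllib.request.Request(
        f"{request_uri}?api-version={api_version}",
        method="POST",
        data=b"",
        headers={"Authorization": f"Bearer {access_token}", "Content-Type": "application/json"},
    )
    with urllib.request.urlopen(req) as resp:
        body = json.load(resp)
    return body["oidcToken"]


def _b64url_decode(segment):
    # JWT segments are unpadded base64url; restore padding before decoding.
    return base64.urlsafe_b64decode(segment + "=" * (-len(segment) % 4))


def _b64url_encode(raw):
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode()


def decode_jwt_claims(token):
    """Return the payload of a compact JWS. Does NOT verify the signature."""
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("not a compact JWS (expected three dot-separated segments)")
    return json.loads(_b64url_decode(parts[1]))


def check_claims(claims, org_id, now=None, leeway=60):
    """Structural checks on the claims; returns a list of problems (empty == acceptable)."""
    now = int(time.time()) if now is None else now
    problems = []
    if claims.get("aud") != EXPECTED_AUD:
        problems.append("unexpected aud")
    # The issuer is per-organization, so tie iss and org_id to the org the verifier trusts.
    if claims.get("iss") != ISSUER_PREFIX + org_id:
        problems.append("unexpected iss")
    if claims.get("org_id") != org_id:
        problems.append("org_id does not match trusted org")
    if now < claims.get("nbf", 0) - leeway:
        problems.append("token not yet valid")
    if now >= claims.get("exp", 0) + leeway:
        problems.append("token expired")
    for name in REQUIRED_CLAIMS:
        if not claims.get(name):
            problems.append(f"missing {name}")
    return problems


def build_test_token(claims):
    """Constructed, unverifiable test token: real header shape, dummy signature segment."""
    header = _b64url_encode(json.dumps({"alg": "RS256", "typ": "JWT"}).encode())
    payload = _b64url_encode(json.dumps(claims).encode())
    return f"{header}.{payload}.{_b64url_encode(b'dummy-signature')}"


# Constructed sample: the placeholder claims shown in the issue body.
SAMPLE_CLAIMS = {
    "jti": "UUID", "sub": "p://example/test-oidc/test-oidc", "aud": EXPECTED_AUD,
    "org_id": "ORG_UUID", "prj_id": "PROJECT_UUID", "def_id": "PIPELINE_ID",
    "rpo_id": "REPO_UUID", "rpo_uri": "https://dev.azure.com/example/test-oidc/_git/test-oidc",
    "rpo_ver": "GIT_COMMIT", "rpo_ref": "refs/heads/main", "run_id": "BUILD_ID",
    "iss": ISSUER_PREFIX + "ORG_UUID", "nbf": 1726042645, "exp": 1726043845, "iat": 1726043245,
}


def demo(now=1726043000):
    """Decode the constructed token and check it as of a time inside its validity window."""
    claims = decode_jwt_claims(build_test_token(SAMPLE_CLAIMS))
    return claims, check_claims(claims, "ORG_UUID", now=now)


if __name__ == "__main__":
    decoded, problems = demo()
    print(json.dumps(decoded, indent=2))
    print("problems:", problems or "none")
```

Inside a pipeline the call is `request_oidc_token(os.environ["SYSTEM_OIDCREQUESTURI"], os.environ["SYSTEM_ACCESSTOKEN"])`; `SYSTEM_ACCESSTOKEN` must be exposed to the step explicitly. `check_claims` pins the issuer to one organization because the `iss` value embeds the org id, so a verifier that only checks the `vstoken.dev.azure.com` host would accept tokens from any organization.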
/assign Hey @haydentherapper, I'd love to work on this! I know I don’t have much experience with it yet, but if you could help guide me, I’d be eager to take it on.
Hey, thanks for offering. I don't have experience with the Azure DevOps platform so ideally we'd have someone who does have experience with the platform providing feedback on the claim mappings.
What needs to be done:
- We need to map the claims in the Azure DevOps OIDC token to the build and source extensions documented in https://github.com/sigstore/fulcio/blob/main/docs/oid-info.md.
- We need to update the configuration which maps claim values to OID extensions (note it also supports templated claim values for more complex strings). https://github.com/sigstore/fulcio/commit/9f02ba2924c6f8a0b46861b3585cb497a7560454 is an example of what we did for GitHub. Again, we ideally need someone who has experience with the Azure DevOps platform providing feedback.
No code changes beyond the configuration updates should be needed.
> Again, we ideally need someone who has experience with the Azure DevOps platform providing feedback.

I have quite extensive experience with ADO and could provide feedback and testing support.
Great, thanks! The first step would be updating the documentation with the mapping with discussion, then updating the configuration.