auth: Implementation fo AzureSub provider that leverages federated credentials #1723
Conversation
|
|
||
| public async getTenants(): Promise<TenantIdDescription[]> { | ||
| return [{ | ||
| tenantId: this._tokenCredential?.tenantId, |
There was a problem hiding this comment.
So there can only ever be one tenant associated with the token? I also don't see where the tenantId property is ever set.
There was a problem hiding this comment.
Hmm, it probably can have multiple tenants, but right now it doesn't. Right now the token being used only returns one subscription back, so we're just using that tenant automatically.
I could add support now, though might be easier for me to validate with Megan's tenant work.
| public onDidSignIn: Event<void> = () => { return new Disposable(() => { /*empty*/ }) }; | ||
| public onDidSignOut: Event<void> = () => { return new Disposable(() => { /*empty*/ }) }; |
There was a problem hiding this comment.
You could probably add support for these pretty easily
| `); | ||
| } | ||
|
|
||
| const oidcRequestUrl = `${teamFoundationCollectionUri}${teamProjectId}/_apis/distributedtask/hubs/build/plans/${planId}/jobs/${jobId}/oidctoken?api-version=7.1-preview.1&serviceConnectionId=${serviceConnectionId}`; |
There was a problem hiding this comment.
Question: How did you figure out the exact format for the oidcRequestUrl? Was this referenced in the MS Learn docs somewhere or by manually inspecting a job that was spun up?
There was a problem hiding this comment.
Oh nevermind, disregard I'm assuming it was pulled from here:
https://learn.microsoft.com/en-us/rest/api/azure/devops/distributedtask/oidctoken/create
There was a problem hiding this comment.
Good question. We might want to add that link to a comment above this.
I've explained this quite a bit offline, but just some context for the PR.
We are using federated credentials (service principals) in order to log in to Azure. This token is used in place of VS Code sessions and passed to our subscription client. The resources extension will need to swap which sub provider it is using based on whether or not it is in a testing environment, but there should be no code changes beyond that.
Still need to add the README. We should translate Hossam's document from OneNote to markdown and include it as a README.