Azure Active Directory Workload Identity Federation with external OIDC IdP
In this video, we experiment with Azure Active Directory Workload Identity Federation using external OpenID Connect identity providers (OIDC IdPs): a "fake" IdP whose JWTs we mint and sign ourselves, another AAD tenant, Auth0, and GCP.
We use the Azure Portal to create a federatedIdentityCredential on an Azure AD application registration, then use Postman to call the OAuth2 token endpoint and walk through the various error messages and responses that come back.
Video Walkthrough
Tip: Play the video full screen.
Postman Code Snippets
Get an AAD access token with the client_credentials grant, presenting the external IdP's JWT as the client_assertion (client_assertion_type jwt-bearer):
curl --location --request POST 'https://login.microsoftonline.com/TENANT_ID/oauth2/v2.0/token' \
--header 'Content-Type: application/x-www-form-urlencoded' \
--data-urlencode 'grant_type=client_credentials' \
--data-urlencode 'client_id=CLIENT_ID' \
--data-urlencode 'client_assertion_type=urn:ietf:params:oauth:client-assertion-type:jwt-bearer' \
--data-urlencode 'scope=https://management.azure.com/.default' \
--data-urlencode 'client_assertion=eyJhbGciOiJSUzI1NiIsInR5cCI6IkpXVCIsImtpZCI6Ik1VWTROakl5TlRFeE9ETkJRMEV3TUVaRU5VWkRRa1pEU...'
List Azure resource groups with the returned access token:
curl --location --request GET 'https://management.azure.com/subscriptions/SUBSCRIPTION_ID/resourceGroups?api-version=2021-04-01' \
--header 'Authorization: Bearer eyJ0eXAiOiJKV1QiLCJub25jZSI6IjRsYi16bWo0aDE5TzNRYVNuellIMDA0enBWVy1jOTZKSHBjNkJ0Y1EzY2ciLCJhbGciOiJSUzI1NiIsIng1dCI6Ik1yNS1BVWliZkJpaTdOZDFqQmViYXhib1hXMCIsImt...'
Online JWT Token Tools
Going Deeper
If you want to dive deeper and generate your own JWTs in Bash and sign them with OpenSSL (a lab technique, not something to do in production), check out this blog post by https://twitter.com/chgeuer at https://cookbook.geuer-pollmann.de/azure/workload-identity-federation
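The script below is an added example, not code from the page, the video, or the linked blog post. It covers the "fake IdP" case from the video and the Bash/OpenSSL approach referenced above: it mints a self-signed RS256 JWT that stands in for the external IdP's token, checks it locally the way AAD does (signature, then exact match of iss and sub against the federatedIdentityCredential's issuer and subject, and aud against its audience, which defaults to api://AzureADTokenExchange), and assembles the client_credentials request from the Postman snippet above with that JWT as the client_assertion. The issuer, subject, kid and key paths are placeholders; AAD itself fetches the signing key from the issuer's OIDC discovery document rather than from a local file, and the request function is only a wrapper around the curl call shown earlier.

```shell
#!/bin/sh
# Added example (not from the page or its video): mint a self-signed RS256 JWT
# that plays the external OIDC IdP, verify it the way AAD would, and build the
# client_credentials request that presents it as the client_assertion.
# Needs openssl and curl. Placeholder values: issuer, subject and kid must
# match the federatedIdentityCredential; the default audience is
# api://AzureADTokenExchange.
set -eu

b64url() { openssl base64 -A | tr '+/' '-_' | tr -d '='; }   # RFC 7515 base64url

b64url_decode() {                                              # inverse of b64url
  s=$(printf '%s' "$1" | tr '_-' '/+')
  case $(( ${#s} % 4 )) in 2) s="${s}==" ;; 3) s="${s}=" ;; esac
  printf '%s' "$s" | openssl base64 -d -A
}

# mint_jwt PRIVKEY KID ISS SUB AUD -> compact JWS valid for 10 minutes
mint_jwt() {
  key=$1 kid=$2 iss=$3 sub=$4 aud=$5 now=$(date +%s)
  header=$(printf '{"alg":"RS256","typ":"JWT","kid":"%s"}' "$kid" | b64url)
  payload=$(printf '{"iss":"%s","sub":"%s","aud":"%s","iat":%d,"nbf":%d,"exp":%d,"jti":"%s"}' \
    "$iss" "$sub" "$aud" "$now" "$now" "$((now + 600))" "$(openssl rand -hex 16)" | b64url)
  # RS256 = RSASSA-PKCS1-v1_5 over SHA-256 of "header.payload"
  sig=$(printf '%s.%s' "$header" "$payload" | openssl dgst -sha256 -sign "$key" | b64url)
  printf '%s.%s.%s' "$header" "$payload" "$sig"
}

# jwt_claims JWT -> decoded payload JSON (works on the assertion and on the
# access token AAD returns)
jwt_claims() { rest=${1#*.}; b64url_decode "${rest%%.*}"; }

# verify_jwt JWT PUBKEY ISS SUB AUD -> 0 only if the signature is valid and
# iss/sub/aud match exactly and exp is in the future (the checks AAD applies
# against the federated credential, with the key taken from the issuer's JWKS)
verify_jwt() {
  jwt=$1 pub=$2 iss=$3 sub=$4 aud=$5
  h=${jwt%%.*}; rest=${jwt#*.}; p=${rest%%.*}; s=${rest#*.}
  tmp=$(mktemp)
  b64url_decode "$s" > "$tmp"
  printf '%s.%s' "$h" "$p" | openssl dgst -sha256 -verify "$pub" -signature "$tmp" \
    > /dev/null 2>&1 || { rm -f "$tmp"; return 1; }
  rm -f "$tmp"
  claims=$(b64url_decode "$p")
  printf '%s' "$claims" | grep -Fq "\"iss\":\"$iss\"" || return 1
  printf '%s' "$claims" | grep -Fq "\"sub\":\"$sub\"" || return 1
  printf '%s' "$claims" | grep -Fq "\"aud\":\"$aud\"" || return 1
  exp=$(printf '%s' "$claims" | sed -n 's/.*"exp":\([0-9]*\).*/\1/p')
  [ -n "$exp" ] && [ "$exp" -gt "$(date +%s)" ]
}

# request_aad_token TENANT_ID CLIENT_ID JWT [SCOPE] -> the token request from
# the Postman snippet, with the minted JWT as the client_assertion
request_aad_token() {
  tenant=$1 client_id=$2 assertion=$3 scope=${4:-https://management.azure.com/.default}
  curl -sS --request POST "https://login.microsoftonline.com/$tenant/oauth2/v2.0/token" \
    --data-urlencode 'grant_type=client_credentials' \
    --data-urlencode "client_id=$client_id" \
    --data-urlencode 'client_assertion_type=urn:ietf:params:oauth:client-assertion-type:jwt-bearer' \
    --data-urlencode "scope=$scope" \
    --data-urlencode "client_assertion=$assertion"
}

demo() {
  d=$(mktemp -d)
  openssl genpkey -algorithm RSA -pkeyopt rsa_keygen_bits:2048 -out "$d/idp.key" 2>/dev/null
  openssl rsa -in "$d/idp.key" -pubout -out "$d/idp.pub" 2>/dev/null
  jwt=$(mint_jwt "$d/idp.key" demo-kid https://idp.example.com repo:org/app api://AzureADTokenExchange)
  echo "assertion: $jwt"
  echo "claims:    $(jwt_claims "$jwt")"
  verify_jwt "$jwt" "$d/idp.pub" https://idp.example.com repo:org/app api://AzureADTokenExchange \
    && echo "local check: OK"
  # request_aad_token TENANT_ID CLIENT_ID "$jwt"   # once the federated credential exists
}
if [ "${1:-}" = demo ]; then demo; fi
```

Run it as `sh wif-assertion.sh demo`. The federated credential's issuer must also serve `{issuer}/.well-known/openid-configuration` with a jwks_uri publishing the public key under the same kid, otherwise AAD rejects the assertion regardless of what the local check says; that is the part a hand-rolled IdP has to host before the token request in the snippet above can succeed.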
Thank you!
Please leave feedback and questions below, on the YouTube video, or on Twitter https://twitter.com/ArsenVlad