Azure Active Directory Workload Identity Federation with external OIDC IdP

In this video, we experiment with Azure Active Directory Workload Identity Federation using external OpenID Connect identity providers (OIDC IdPs), including our own fake JWT token, another AAD tenant, Auth0, and GCP.

As of February 2022, AAD Workload Identity Federation is in “preview” and not all external IdPs and scenarios are supported yet.

We use Azure Portal to create a federatedIdentityCredential for an Azure AD application registration and use Postman to invoke OAuth2 endpoints and discuss various error messages and responses.

Video Walkthrough

Tip: Play the video full screen.

Postman Code Snippets

AAD get access token using JWT-bearer client assertion type:

curl --location --request POST 'https://login.microsoftonline.com/TENANT_ID/oauth2/v2.0/token' \
--header 'Content-Type: application/x-www-form-urlencoded' \
--data-urlencode 'grant_type=client_credentials' \
--data-urlencode 'client_id=CLIENT_ID' \
--data-urlencode 'client_assertion_type=urn:ietf:params:oauth:client-assertion-type:jwt-bearer' \
--data-urlencode 'scope=https://management.azure.com/.default' \
--data-urlencode 'client_assertion=eyJhbGciOiJSUzI1NiIsInR5cCI6IkpXVCIsImtpZCI6Ik1VWTROakl5TlRFeE9ETkJRMEV3TUVaRU5VWkRRa1pEU...'
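
When the token request above is rejected, one thing to check is whether the external token's iss, sub and aud claims match the federatedIdentityCredential configured on the app registration. The following is an added example, not part of the original post: it decodes a token's claims locally (no signature verification, diagnostics only) and lists mismatches. The issuer, subject and tokens are constructed sample values, and exact, case-sensitive string comparison is an assumption.

```python
import base64
import json
import time

# Constructed sample credential; field names follow the Microsoft Graph
# federatedIdentityCredential resource (issuer, subject, audiences).
SAMPLE_FIC = {
    "issuer": "https://idp.example.com/",
    "subject": "workload-1",
    "audiences": ["api://AzureADTokenExchange"],
}

def b64url_decode(segment):
    # JWT segments are base64url without padding; restore it before decoding.
    return base64.urlsafe_b64decode(segment + "=" * (-len(segment) % 4))

def decode_claims(jwt):
    """Return the payload claims WITHOUT verifying the signature."""
    parts = jwt.split(".")
    if len(parts) != 3:
        raise ValueError("expected header.payload.signature")
    return json.loads(b64url_decode(parts[1]))

def check_against_fic(jwt, fic, now=None):
    """List mismatches between a token and a federated identity credential."""
    claims = decode_claims(jwt)
    now = time.time() if now is None else now
    problems = []
    for claim, field in (("iss", "issuer"), ("sub", "subject")):
        if claims.get(claim) != fic[field]:  # assumed exact, case-sensitive
            problems.append(f"{claim} {claims.get(claim)!r} != {field} {fic[field]!r}")
    aud = claims.get("aud")
    aud_values = aud if isinstance(aud, list) else [aud]  # aud may be str or list
    if not set(aud_values) & set(fic["audiences"]):
        problems.append(f"aud {aud!r} not in audiences {fic['audiences']!r}")
    if claims.get("exp", 0) <= now:
        problems.append("token expired (exp is in the past)")
    return problems

def make_sample_jwt(claims):
    # Builds a constructed token with a dummy signature, for the demo only.
    enc = lambda o: base64.urlsafe_b64encode(json.dumps(o).encode()).rstrip(b"=").decode()
    return f"{enc({'alg': 'RS256', 'typ': 'JWT'})}.{enc(claims)}.c2ln"

if __name__ == "__main__":
    # Issuer without the trailing slash: a one-character mismatch.
    token = make_sample_jwt({"iss": "https://idp.example.com", "sub": "workload-1",
                             "aud": "api://AzureADTokenExchange", "exp": time.time() + 300})
    for problem in check_against_fic(token, SAMPLE_FIC):
        print(problem)
```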

List Azure resource groups:

curl --location --request GET 'https://management.azure.com/subscriptions/SUBSCRIPTION_ID/resourceGroups?api-version=2021-04-01' \
--header 'Authorization: Bearer eyJ0eXAiOiJKV1QiLCJub25jZSI6IjRsYi16bWo0aDE5TzNRYVNuellIMDA0enBWVy1jOTZKSHBjNkJ0Y1EzY2ciLCJhbGciOiJSUzI1NiIsIng1dCI6Ik1yNS1BVWliZkJpaTdOZDFqQmViYXhib1hXMCIsImt...'

Online JWT Token Tools

Going Deeper

If you want to dive deeper and play with generating your own JWT tokens with Bash and signing them using OpenSSL (do not do this in production), check out this blog by https://twitter.com/chgeuer at https://cookbook.geuer-pollmann.de/azure/workload-identity-federation

Thank you!

Please leave feedback and questions below, on the YouTube video, or on Twitter https://twitter.com/ArsenVlad

Arsen Vladimirskiy


Principal Engineer / Architect, FastTrack for Azure at Microsoft