Azure Active Directory Workload Identity Federation with external OIDC IdP

Video Walkthrough

Tip: Play the video full screen.

Postman Code Snippets

AAD get access token using JWT-bearer client assertion type:

curl --location --request POST 'https://login.microsoftonline.com/TENANT_ID/oauth2/v2.0/token' \
--header 'Content-Type: application/x-www-form-urlencoded' \
--data-urlencode 'grant_type=client_credentials' \
--data-urlencode 'client_id=CLIENT_ID' \
--data-urlencode 'client_assertion_type=urn:ietf:params:oauth:client-assertion-type:jwt-bearer' \
--data-urlencode 'scope=https://management.azure.com/.default' \
--data-urlencode 'client_assertion=eyJhbGciOiJSUzI1NiIsInR5cCI6IkpXVCIsImtpZCI6Ik1VWTROakl5TlRFeE9ETkJRMEV3TUVaRU5VWkRRa1pEU...'

Call Azure Resource Manager with the returned access token:

curl --location --request GET 'https://management.azure.com/subscriptions/SUBSCRIPTION_ID/resourceGroups?api-version=2021-04-01' \
--header 'Authorization: Bearer eyJ0eXAiOiJKV1QiLCJub25jZSI6IjRsYi16bWo0aDE5TzNRYVNuellIMDA0enBWVy1jOTZKSHBjNkJ0Y1EzY2ciLCJhbGciOiJSUzI1NiIsIng1dCI6Ik1yNS1BVWliZkJpaTdOZDFqQmViYXhib1hXMCIsImt...'
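The token call above only succeeds when the external IdP's token carries the issuer, subject and audience that the app registration's federated credential was configured with, so it helps to inspect the assertion before sending it. The following Python is an added example, not code from the post: it reads the assertion's claims, compares them against the configured issuer/subject and the token-exchange audience, and builds the same form body the curl request sends. Issuer and subject values, and the unsigned test assertion helper, are constructed for illustration; it never signs anything.

```python
import base64
import json
import time
import urllib.parse

TOKEN_URL = "https://login.microsoftonline.com/{tenant}/oauth2/v2.0/token"
JWT_BEARER = "urn:ietf:params:oauth:client-assertion-type:jwt-bearer"
# Audience AAD requires on an external token used for workload identity federation.
EXCHANGE_AUDIENCE = "api://AzureADTokenExchange"


def _b64url_decode(part: str) -> bytes:
    return base64.urlsafe_b64decode(part + "=" * (-len(part) % 4))

def jwt_claims(assertion: str) -> dict:
    """Read the payload of a compact JWS; no signature check here, AAD verifies it via the IdP's JWKS."""
    _header, payload, _signature = assertion.split(".")
    return json.loads(_b64url_decode(payload))

def preflight(assertion: str, issuer: str, subject: str, now=None) -> list:
    """Compare the assertion's claims with a federated credential's issuer/subject/audience.
    Returns the mismatches AAD would reject on; an empty list means the claims line up."""
    c = jwt_claims(assertion)
    now = time.time() if now is None else now
    aud = c.get("aud")
    auds = aud if isinstance(aud, list) else [aud]
    problems = []
    if c.get("iss") != issuer:
        problems.append("iss %r != configured issuer %r" % (c.get("iss"), issuer))
    if c.get("sub") != subject:
        problems.append("sub %r != configured subject %r" % (c.get("sub"), subject))
    if EXCHANGE_AUDIENCE not in auds:
        problems.append("aud %r lacks %r" % (aud, EXCHANGE_AUDIENCE))
    if not isinstance(c.get("exp"), (int, float)) or c["exp"] <= now:
        problems.append("assertion is expired or has no exp")
    return problems

def token_request(tenant_id, client_id, assertion, scope="https://management.azure.com/.default"):
    """Build the URL and form body the curl call above POSTs; send them with any HTTP client."""
    body = {"grant_type": "client_credentials", "client_id": client_id,
            "client_assertion_type": JWT_BEARER, "client_assertion": assertion, "scope": scope}
    return TOKEN_URL.format(tenant=tenant_id), urllib.parse.urlencode(body)

def unsigned_assertion(claims: dict) -> str:
    """Constructed test input only: an unsigned JWT shape (alg none) that AAD would never accept."""
    enc = lambda d: base64.urlsafe_b64encode(json.dumps(d).encode()).decode().rstrip("=")
    return enc({"alg": "none", "typ": "JWT"}) + "." + enc(claims) + "."
```

Running preflight on the real IdP token before the POST turns an opaque AADSTS error into a concrete mismatch (wrong audience, subject pattern, or expired token).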

Online JWT Token Tools

Going Deeper

If you want to dive deeper and play with generating your own JWT tokens with Bash and signing them using OpenSSL (do not do this in production), check out this blog by https://twitter.com/chgeuer at https://cookbook.geuer-pollmann.de/azure/workload-identity-federation

Arsen Vladimirskiy

Principal Engineer / Architect, FastTrack for Azure at Microsoft