GitHub Azure AD OIDC Authentication

John Savill's Technical Training

5 Apr 202322:13

Summary

TLDRThis video demonstrates how to authenticate GitHub Actions with Azure Active Directory (Azure AD) using OpenID Connect (OIDC). It covers how a GitHub workflow can securely authenticate to Azure AD without needing to store secrets, using identity tokens for authorization. The video explains the process of issuing and exchanging tokens between GitHub and Azure AD, focusing on creating an app registration in Azure AD, setting up federated credentials, and using key values like client ID and subscription ID. The session emphasizes the security and efficiency benefits of this approach, applicable to both Azure and AWS.

Takeaways

😀 GitHub Actions can authenticate to Azure Active Directory (AD) via OpenID Connect (OIDC), replacing the need for storing secrets like client secrets.
😀 OIDC is used for authentication (proving identity) and OAuth 2.0 is used for authorization (granting permissions).
😀 GitHub's token service issues an identity token that proves authentication, which is exchanged for an Azure AD token to access Azure resources.
😀 The identity token is a JSON Web Token (JWT), with claims about the issuer, subject, audience, and a signature to ensure integrity and authenticity.
😀 The subject of the identity token must match the expected configuration in Azure AD (e.g., repo, environment, branch) to successfully authenticate.
😀 Azure AD's application registration must include a Federated credential, linking the GitHub Actions workflow with the correct repo, environment, or other entity.
😀 Azure AD issues an access token after the identity token from GitHub is validated, which can be used to deploy resources in Azure or access other services.
😀 This method removes the need for storing sensitive secrets in GitHub Actions, increasing security by using OIDC for authentication and token exchanges.
😀 The workflow uses GitHub secrets for environment details like client ID, tenant ID, and subscription ID, but not sensitive passwords or client secrets.
😀 Step-by-step documentation is available for setting up GitHub and Azure AD, with clear guidance on registering apps, configuring Federated credentials, and assigning roles.
😀 The same OIDC flow can be used with other cloud providers like AWS, and other services like Kubernetes for secure token exchange without managing passwords.

Q & A

What is the main focus of this video?
-The main focus of the video is how to authenticate from GitHub Actions to Azure Active Directory (Azure AD) using OpenID Connect (OIDC), without the need to store secrets like client secrets on GitHub.
How does OpenID Connect (OIDC) relate to OAuth 2.0 in this context?
-OpenID Connect (OIDC) is built on top of OAuth 2.0 and focuses on authentication. OAuth 2.0 handles authorization, while OIDC provides a standardized identity token to prove authentication.
Why is OIDC preferred over traditional methods like service principals with secrets?
-OIDC is more secure because it eliminates the need to store secrets (like client secrets) on GitHub. Instead, it uses identity tokens that are issued by GitHub and can be exchanged for Azure AD access tokens, reducing the risk of secret exposure.
What is the significance of the 'subject' claim in the identity token?
-The 'subject' claim is crucial because it identifies the specific workflow or action that the token represents. It includes information like the organization, repository, and the specific entity (e.g., environment, branch, pull request) targeted by the workflow.
What role does the 'issuer' claim play in the identity token?
-The 'issuer' claim identifies the source of the token. In this case, it is GitHub's token service ('token.actions.githubusercontent.com'), which proves that the identity token came from GitHub.
What configuration needs to be done in Azure AD to use OIDC for authentication?
-In Azure AD, you need to create an application registration and add a Federated credential that specifies the exact entity type and value (such as environment, branch, or pull request) that will match the subject claim in the GitHub token.
How does Azure AD validate the identity token received from GitHub Actions?
-Azure AD validates the identity token by checking the issuer and subject claims. If the subject matches the expected entity (e.g., environment or branch), it proceeds with issuing an access token for authorization.
What are the required GitHub secrets to set up the integration?
-The required GitHub secrets include the Azure AD 'client ID', 'tenant ID', and 'subscription ID'. These are used by GitHub Actions to authenticate and request tokens from Azure AD.
Can the method shown in the video be applied to other services beyond GitHub and Azure AD?
-Yes, the same OIDC concept can be applied to other cloud services like AWS, or even to Kubernetes, for securely authenticating and exchanging tokens without needing to store secrets.
How does the token exchange flow work between GitHub and Azure AD?
-GitHub Issues an identity token through its token service. This token is then passed to Azure AD, where it is validated. If valid, Azure AD issues an access token, which can be used to authenticate and perform actions like deploying resources to Azure.