Azure / login

Connect to Azure

GitHub Enterprise Server External OIDC endpoint failed #283

Closed Ravio1i closed 1 year ago

Ravio1i commented 1 year ago

So I've set up OIDC following the documentation https://docs.github.com/en/enterprise-server@3.7/actions/deployment/security-hardening-your-deployments/configuring-openid-connect-in-azure

Error

However, when using it I run into the following error:

Using OIDC authentication...
Federated token details: 
 issuer - https://<GITHUB_ENTEPRRISE_URL>/_services/token 
 subject claim - repo:<MY_ORG>/<MY_REPO>:environment:azure
/usr/bin/az cloud set -n azurecloud
Done setting cloud: "azurecloud"
Error: : AADSTS501661: Request to External OIDC endpoint failed.

Usage:

on:
  workflow_dispatch:
  push:

permissions:
  id-token: write
  contents: read

jobs:
  build:
    runs-on: linux
    environment: azure
    steps:
      - run: az version
      - name: 'Az CLI login'
        # the login action is published under the azure organisation, not actions/
        uses: azure/login@v1
        with:
          client-id: ${{ secrets.AZURE_CLIENT_ID }}
          tenant-id: ${{ secrets.AZURE_TENANT_ID }}
          subscription-id: ${{ secrets.AZURE_SUBSCRIPTION_ID }}

      - name: Get az vmss list
        run: az vmss list

[Screenshot: Azure configuration of the federated credential]

When changing the Issuer to https://<GITHUB_ENTEPRRISE_URL>/_services/token/ with an appended / the error message changes to

AADSTS70021: No matching federated identity record found for presented assertion. Assertion Issuer: 'https://<GITHUB_ENTEPRRISE_URL>/_services/token'. Assertion Subject: 'repo:<MY_ORG>/<MY_REPO>:environment:azure'. Assertion Audience: 'api://AzureADTokenExchange'. https://docs.microsoft.com/en-us/azure/active-directory/develop/workload-identity-federation

where the values of subject and audience are exactly the same as configured in the Azure federated credential.

BALAGA-GAYATRI commented 1 year ago

Hi @Ravio1i, it appears that the problem is with the private instance. Please expose two well-known endpoints to the public internet from the GHES environment: https://code.cicd.opm.gov/_services/token/.well-known/jwks and https://code.cicd.opm.gov/_services/token/.well-known/openid-configuration. Azure will be unable to validate the OIDC token if these APIs are not available. Please give it a try and let us know the results.

Ravio1i commented 1 year ago

Okay, got it. So Azure requires network access to these two endpoints. Maybe this is the wrong repo to ask this question in, but is there actually a way to just expose those two endpoints from the GHES settings?

BALAGA-GAYATRI commented 1 year ago

It should be done from your machine/instance, not from the cloud. Were you able to do it? Let us know if you are still stuck with the problem.

Ravio1i commented 1 year ago

Not exactly. I'm not fully certain which connectivity is required. There is no way to expose the GitHub Enterprise Server endpoint directly. It's only possible to expose everything or nothing. (Would it require some sort of load balancer magic?)

I allowed inbound access from the AzureActiveDirectory service tags to the GitHub Enterprise instance, but still get the same error. Do we also need outbound access from GitHub to the AzureActiveDirectory service?

BALAGA-GAYATRI commented 1 year ago

Adding @kchandra548 to this thread for further help.

hendrik-schaffer commented 1 year ago

Hi all, we were facing the same issue and also struggled to get it up and running. In the end it comes down to what has already been mentioned above, the two endpoints.

However, as most GHES instances might be running within a private network, this means those URLs are NOT available from the internet and additional setup is required.

The tricky part is probably getting the DNS setup right, as you are required to use the same DNS name for your GHES hostname as for the public DNS entries. This might require special configuration from your networking team.

Once you have the DNS in place, you can either add a load balancing solution in front of your GHES which is reachable from the internet. When using this approach I would also recommend setting up a Web Application Firewall and only allowing access to the endpoints above.

Another solution would be to set up a web server or Lambda/Azure Function that returns the content of the above URLs when they are requested.

Hope this helps a little
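
A consistency check for the two discovery documents this thread keeps coming back to, added here as an example; it is not code from the azure/login action or from anyone in the thread. It runs on constructed sample documents embedded inline (the hostname and key material are placeholders); in practice the same checks would run over the JSON fetched from the publicly exposed `openid-configuration` and `jwks` endpoints, and it reproduces the trailing-slash mismatch observed above as a distinct finding.

```python
from urllib.parse import urlparse

# Constructed stand-ins for what GHES serves at
# <GHES>/_services/token/.well-known/openid-configuration and .../jwks.
# Host and key values are placeholders, not taken from any real instance.
ISSUER = "https://ghes.example.internal/_services/token"
SAMPLE_CONFIG = {
    "issuer": ISSUER,
    "jwks_uri": ISSUER + "/.well-known/jwks",
    "response_types_supported": ["id_token"],
    "id_token_signing_alg_values_supported": ["RS256"],
}
SAMPLE_JWKS = {
    "keys": [{"kty": "RSA", "use": "sig", "kid": "key-1", "alg": "RS256",
              "n": "placeholder-modulus", "e": "AQAB"}]
}


def expected_subject(org: str, repo: str, environment: str) -> str:
    """Subject claim GHES emits for an environment-scoped job. Azure matches
    it against the federated credential's subject byte for byte."""
    return f"repo:{org}/{repo}:environment:{environment}"


def check_discovery(configured_issuer: str, config: dict, jwks: dict) -> list[str]:
    """Compare the issuer configured on the Azure federated credential with the
    discovery documents the instance publishes. Returns a list of problems;
    an empty list means Azure has what it needs to validate the assertion."""
    problems = []
    issuer = config.get("issuer", "")
    if issuer != configured_issuer:
        if issuer.rstrip("/") == configured_issuer.rstrip("/"):
            # Exactly the AADSTS70021 case in the thread: Azure compares the
            # issuer string literally, so a trailing slash is a different issuer.
            problems.append("issuer differs from the credential only by a trailing slash")
        else:
            problems.append(f"issuer mismatch: token {issuer!r} vs credential {configured_issuer!r}")
    jwks_uri = urlparse(config.get("jwks_uri", ""))
    if jwks_uri.scheme != "https":
        problems.append("jwks_uri is not served over https")
    if jwks_uri.netloc != urlparse(issuer).netloc:
        problems.append("jwks_uri host differs from issuer host")
    keys = jwks.get("keys", [])
    if not keys:
        problems.append("jwks has no keys; Azure cannot verify the token signature")
    for key in keys:
        if key.get("kty") != "RSA" or not key.get("kid"):
            problems.append(f"key entry lacks RSA kty or kid: {key}")
    return problems
```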

github-actions[bot] commented 1 year ago

This issue is idle because it has been open for 14 days with no activity.

BALAGA-GAYATRI commented 1 year ago

Closing this issue as the action itself doesn't deal with exposing these endpoints and the complications associated with it.