microsoft / terraform-provider-azuredevops

Terraform Azure DevOps provider
https://www.terraform.io/docs/providers/azuredevops/
MIT License

Got `invalid_client` error when using `oidc_token` for `azuredevops` provider #994

Closed juicybaba closed 6 months ago

juicybaba commented 6 months ago

Community Note

Terraform (and Azure DevOps Provider) Version

Affected Resource(s)

Terraform Configuration Files

provider "azuredevops" {
  org_service_url = "https://dev.azure.com/my-org"
  client_id  = "feed by service connection"
  tenant_id  = "feed by service connection"
  oidc_token = "feed by service connection"
  use_oidc   = "feed by service connection"
}

Debug Output

Panic Output

Expected Behavior

Actual Behavior

I am using an azuredevops service connection to run Terraform with the azurerm/azuread/azuredevops providers. I have the azuread_application_federated_identity_credential configured and everything works well with the azurerm/azuread providers, but I get the error below for the azuredevops provider.

The azuredevops provider works well if I switch authentication back to a secret, which indicates the service principal has the correct permissions in Azure DevOps.

Does the azuredevops provider require a different azuread_application_federated_identity_credential or oidc_token than the other Azure providers?

azure devops pipeline configuration: https://registry.terraform.io/providers/hashicorp/azurerm/latest/docs/guides/service_principal_oidc#:~:text=Azure%20DevOps%20Pipelines

│ {
│   "error": "invalid_client",
│   "error_description": "AADSTS7000215: Invalid client secret provided. Ensure the secret being sent in the request is the client secret value, not the client secret ID, for a secret added to app 'f24460a4-476e-49ca-a3a6-81fdc765f42a'. Trace ID: 457b485c-2ec8-4dd7-9834-c49162edaa00 Correlation ID: c832fa13-122e-4767-98b4-95102e589814 Timestamp: 2024-03-09 01:44:24Z",
│   "error_codes": [
│     7000215
│   ],
│   "timestamp": "2024-03-09 01:44:24Z",
│   "trace_id": "457b485c-2ec8-4dd7-9834-c49162edaa00",
│   "correlation_id": "c832fa13-122e-4767-98b4-95102e589814",
│   "error_uri": "https://login.microsoftonline.com/error?code=7000215"
│ }


Steps to Reproduce

  1. terraform apply

Important Factoids

References

davidcorrigan714 commented 6 months ago

4 upvotes in 45 minutes?? Either this is a popular issue or you've got some friends!

juicybaba commented 6 months ago

> 4 upvotes in 45 minutes?? Either this is a popular issue or you've got some friends!

Haha, we are working on Azure DevOps project onboarding and would like to understand this one. So, popular issue within the team and all teammates are friends. 😄

FYI, I have created a number of issues in past few days 😁

davidcorrigan714 commented 6 months ago

Just as long as they're not all for the OIDC Service Principal stuff.

Guess this is what you're seeing:

[image]

Haven't debugged why that's happening yet.

davidcorrigan714 commented 6 months ago

😭 I see why. Yeah it's broken. Didn't get through all the testing in December after the latest version of the code and this case is just plain wrong. It's sending the OIDC token as the client secret, it needs to exchange the OIDC token for an AzureAD token iirc.

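The mistake described in the comment above, as an added example that is not the provider's code: the Entra ID v2.0 token endpoint tells a client secret apart from a federated-credential assertion purely by which form field carries the value. The block below builds both request shapes for the client-credentials grant and runs them against a constructed stand-in for the token endpoint (an httptest server, so it runs offline) that behaves the way the real endpoint does for an app registration that has a federated credential and no secret: the client_secret form is refused with invalid_client / AADSTS7000215, the client_assertion form gets an access token. The scope uses the well-known Azure DevOps application ID; the client ID, the token string and the stand-in's responses are constructed for the example and the stand-in does not validate the JWT.

```go
package main

import (
	"encoding/json"
	"fmt"
	"io"
	"net/http"
	"net/http/httptest"
	"net/url"
	"strings"
)

const (
	// Well-known Azure DevOps application ID, used as the scope of the grant.
	adoScope = "499b84ac-1321-427f-aa17-267ca6975798/.default"
	// RFC 7523 client assertion type that federated identity credentials use.
	assertionType = "urn:ietf:params:oauth:client-assertion-type:jwt-bearer"
)

// clientSecretForm is the wrong request shape: the pipeline OIDC token is put in
// client_secret, so Entra ID matches it against the app's secrets and refuses it.
func clientSecretForm(clientID, oidcToken string) url.Values {
	return url.Values{
		"grant_type":    {"client_credentials"},
		"client_id":     {clientID},
		"scope":         {adoScope},
		"client_secret": {oidcToken},
	}
}

// clientAssertionForm is the correct shape: the OIDC token is presented as a JWT
// bearer client assertion and matched against the federated identity credential.
func clientAssertionForm(clientID, oidcToken string) url.Values {
	return url.Values{
		"grant_type":            {"client_credentials"},
		"client_id":             {clientID},
		"scope":                 {adoScope},
		"client_assertion_type": {assertionType},
		"client_assertion":      {oidcToken},
	}
}

// fakeTokenEndpoint is a constructed stand-in for
// login.microsoftonline.com/{tenant}/oauth2/v2.0/token for an app that has only a
// federated credential. It models the observable behaviour, not JWT validation.
func fakeTokenEndpoint(w http.ResponseWriter, r *http.Request) {
	if err := r.ParseForm(); err != nil {
		http.Error(w, `{"error":"invalid_request"}`, http.StatusBadRequest)
		return
	}
	w.Header().Set("Content-Type", "application/json")
	f := r.PostForm
	switch {
	case f.Get("client_secret") != "":
		w.WriteHeader(http.StatusUnauthorized)
		json.NewEncoder(w).Encode(map[string]any{
			"error":             "invalid_client",
			"error_description": "AADSTS7000215: Invalid client secret provided.",
			"error_codes":       []int{7000215},
		})
	case f.Get("client_assertion_type") == assertionType &&
		strings.Count(f.Get("client_assertion"), ".") == 2: // header.payload.signature
		json.NewEncoder(w).Encode(map[string]any{
			"token_type":   "Bearer",
			"expires_in":   3599,
			"access_token": "constructed-access-token-for-" + f.Get("client_id"),
		})
	default:
		w.WriteHeader(http.StatusBadRequest)
		json.NewEncoder(w).Encode(map[string]any{"error": "invalid_request"})
	}
}

// exchange posts the form to the token endpoint and returns the access token, or
// the OAuth error code when the exchange is refused (HTTP status is not an error).
func exchange(endpoint string, form url.Values) (accessToken, oauthErr string, err error) {
	resp, err := http.PostForm(endpoint, form)
	if err != nil {
		return "", "", err
	}
	defer resp.Body.Close()
	raw, err := io.ReadAll(resp.Body)
	if err != nil {
		return "", "", err
	}
	var body struct {
		AccessToken string `json:"access_token"`
		Error       string `json:"error"`
	}
	if err := json.Unmarshal(raw, &body); err != nil {
		return "", "", err
	}
	return body.AccessToken, body.Error, nil
}

func main() {
	srv := httptest.NewServer(http.HandlerFunc(fakeTokenEndpoint))
	defer srv.Close()
	// Constructed three-part string standing in for the pipeline's OIDC token.
	oidc := "eyJhbGciOiJSUzI1NiJ9.eyJpc3MiOiJjb25zdHJ1Y3RlZCJ9.c2ln"
	for name, form := range map[string]url.Values{
		"client_secret (broken)":     clientSecretForm("app-id", oidc),
		"client_assertion (correct)": clientAssertionForm("app-id", oidc),
	} {
		tok, oerr, err := exchange(srv.URL, form)
		fmt.Printf("%-27s token=%q error=%q err=%v\n", name, tok, oerr, err)
	}
}
```

When debugging a real invalid_client from a federated credential, the first thing to check in the provider's outgoing request is therefore which field the token landed in, before looking at the credential's subject and issuer.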
davidcorrigan714 commented 6 months ago

Fix is easy enough. I'm going to manually test all the auth methods tomorrow like I should've done back in December then I'll put up a PR. Published the fix to davidcorrigan714/azuredevops version 1.0.0-pre.5 if you're super eager to try it, hopefully Microsoft can turnaround a new release pretty quick once it's in.

juicybaba commented 6 months ago

@davidcorrigan714 @xuzhang3 Thank you so much on the quick fix and release! Issue is resolved.