GitHub Azure AD OIDC Authentication
Apr 5, 2023 12:14 PM

External YouTube Channel

A walk through of how to authenticate between GitHub Actions and Azure AD without having to store secrets and instead using OIDC.

Looking for content on a particular topic? Search the channel. If I have something it will be there!

  • 0:00 - Introduction
  • 0:47 - How authentication used to work
  • 1:47 - Using OIDC
  • 5:21 - GitHub identity token and exchange for AAD access token
  • 8:08 - Types of subject
  • 11:15 - AAD app registration
  • 13:42 - Using azure/login
  • 15:22 - Adding federated credential
  • 18:20 - Storing required values and using in GitHub
  • 19:44 - App roles
  • 20:10 - Summary

► Whiteboard:

[https://github.com/johnthebrit/RandomStuff/raw/master/Whiteboards/GitHubOIDCAuthentication.png]

► GitHub OIDC authentication:

[https://docs.github.com/en/actions/deployment/security-hardening-your-deployments/about-security-hardening-with-openid-connect#configuring-the-oidc-trust-with-the-cloud]

► GitHub to AAD OIDC authentication:

[https://learn.microsoft.com/azure/developer/github/connect-from-azure?tabs=azure-portal%2Cwindows]

► AAD OIDC authentication:

[https://learn.microsoft.com/azure/active-directory/workload-identities/workload-identity-federation-create-trust?pivots=identity-wif-apps-methods-azp]
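The chapters above follow one procedure: the GitHub job requests an ID token whose subject depends on how the workflow was triggered, the AAD app registration gets a federated credential that trusts GitHub's issuer for exactly that subject, and azure/login exchanges the ID token for an AAD access token, so no client secret is ever stored in GitHub. The bash helpers below are an added example written for this page, not John's code or anything from the video; they assume the Azure CLI (`az`) is installed and logged in as someone who can edit the app registration, and the org/repo/environment names (contoso, infra, production), the credential name and the GitHub secret names are constructed placeholders.

```bash
#!/usr/bin/env bash
# Added example for this page (not code from the video): helpers that build the
# GitHub -> Azure AD OIDC trust. Assumes the Azure CLI ("az") is installed and
# logged in as someone who can edit the app registration. Org/repo/environment
# names and the GitHub secret names are constructed placeholders.
set -eu

GITHUB_ISSUER="https://token.actions.githubusercontent.com"   # issuer in GitHub's ID token
AAD_AUDIENCE="api://AzureADTokenExchange"                     # audience AAD expects

# Build the exact "sub" claim GitHub puts in the job's ID token. AAD compares the
# federated credential's subject as a literal string, so pick the trigger you
# actually want to trust: an environment (with its protection rules), a branch,
# a tag, or pull requests.
oidc_subject() {
  local org="$1" repo="$2" kind="$3" value="${4:-}"
  if [ "$kind" != pull_request ] && [ -z "$value" ]; then
    echo "subject kind '$kind' needs a value" >&2; return 1
  fi
  case "$kind" in
    environment)  printf 'repo:%s/%s:environment:%s' "$org" "$repo" "$value" ;;
    branch)       printf 'repo:%s/%s:ref:refs/heads/%s' "$org" "$repo" "$value" ;;
    tag)          printf 'repo:%s/%s:ref:refs/tags/%s' "$org" "$repo" "$value" ;;
    pull_request) printf 'repo:%s/%s:pull_request' "$org" "$repo" ;;
    *) echo "unknown subject kind: $kind" >&2; return 1 ;;
  esac
}

# JSON parameters for "az ad app federated-credential create": trust tokens from
# GitHub's issuer, for one subject, presented with the AAD audience.
federated_credential_json() {
  local name="$1" subject="$2"
  printf '{"name":"%s","issuer":"%s","subject":"%s","description":"GitHub Actions OIDC","audiences":["%s"]}\n' \
    "$name" "$GITHUB_ISSUER" "$subject" "$AAD_AUDIENCE"
}

# Attach the federated credential to the app registration. This is what replaces
# the client secret that used to be stored in GitHub.
add_federated_credential() {
  local app_id="$1" name="$2" subject="$3" params
  params="$(mktemp)"
  federated_credential_json "$name" "$subject" > "$params"
  az ad app federated-credential create --id "$app_id" --parameters "$params"
  rm -f "$params"
}

# Minimal workflow that uses azure/login with OIDC. "id-token: write" lets the job
# request a GitHub ID token; the three values passed to azure/login are identifiers,
# not secrets, but GitHub Secrets (or Variables) is a convenient place to keep them.
workflow_yaml() {
  local environment="$1"
  cat <<EOF
name: deploy
on:
  push:
    branches: [main]
permissions:
  id-token: write
  contents: read
jobs:
  deploy:
    runs-on: ubuntu-latest
    environment: ${environment}
    steps:
      - uses: azure/login@v1
        with:
          client-id: \${{ secrets.AZURE_CLIENT_ID }}
          tenant-id: \${{ secrets.AZURE_TENANT_ID }}
          subscription-id: \${{ secrets.AZURE_SUBSCRIPTION_ID }}
      - run: az account show
EOF
}

# Demo with constructed values; the az call runs only when RUN_AZ=1 and
# APP_OBJECT_ID is set to the app registration's object id.
SUBJECT="$(oidc_subject contoso infra environment production)"
echo "subject: $SUBJECT"
federated_credential_json github-production "$SUBJECT"
workflow_yaml production
if [ "${RUN_AZ:-0}" = 1 ]; then
  add_federated_credential "${APP_OBJECT_ID:?set APP_OBJECT_ID}" github-production "$SUBJECT"
fi
```

Because the subject is matched literally, a credential bound to `repo:contoso/infra:environment:production` will not authorize a run from a feature branch or a pull request; the GitHub environment's protection rules then decide who can get a token that AAD will accept. Scope the app registration's Azure role assignments (and any app roles, as in the video's "App roles" chapter) to what that workflow actually needs.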

What is AAD OIDC?

AAD OIDC is shorthand for using OpenID Connect (OIDC) with Azure Active Directory (AAD). OIDC is a standard protocol for authentication and authorization; AAD is Microsoft's cloud-based identity and access management service, which manages users and their access to resources in the cloud.

OpenID Connect (OIDC) is a protocol built on top of OAuth 2.0 that provides a standardized way for applications to authenticate users. OIDC allows users to authenticate with a third-party identity provider, such as AAD, and then exchange authentication and authorization information securely between the application and the identity provider.

AAD OIDC enables users to sign in to cloud-based applications and services using their existing AAD credentials. AAD acts as the identity provider, authenticating the user and issuing the tokens needed to access resources, and OIDC gives applications a standard way to obtain those tokens securely and verify the user's identity. In the scenario covered by this video the roles are reversed: the principal is a GitHub Actions job, GitHub is the OIDC issuer, and AAD is configured to trust GitHub's tokens for a specific subject, so the job can exchange its GitHub identity token for an AAD access token without any stored secret.

Because AAD is the identity provider, its protections for authentication and authorization data, such as multi-factor authentication and Conditional Access policies, apply to these sign-ins. AAD OIDC is commonly used by cloud-based applications and services hosted on the Azure platform, such as Microsoft 365, Azure DevOps, and Power BI.