
@stevengonsalvez
Created March 11, 2023 22:31
// Example based on the actions/core documentation
const core = require('@actions/core');
const { decode } = require('jsonwebtoken');
const { axiosClient } = require('./axioshelp');
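// Entry point. A rejection marks the step as failed (non-zero exit) instead of
// being logged and ignored, so a broken token flow cannot look like a green run.
// Only the message is reported: a full error object from an HTTP client can
// carry the request body, which here includes the OIDC token.
getIDTokenAction().catch((error) => {
  core.setFailed(error instanceof Error ? error.message : String(error));
});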
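/**
 * Requests a GitHub Actions OIDC token and exchanges it at the Azure AD token
 * endpoint using the client-credentials grant with a JWT client assertion
 * (workload identity federation).
 *
 * Reads the optional `audience` input (default `api://AzureADTokenExchange`),
 * publishes the OIDC token as the `id_token` step output, and logs a redacted
 * view of the Azure AD response.
 *
 * @returns {Promise<void>}
 * @throws {Error} If the OIDC token cannot be obtained or the exchange fails.
 */
async function getIDTokenAction() {
  const audience =
    core.getInput('audience', { required: false }) || 'api://AzureADTokenExchange';
  console.log('audience', audience);

  let idToken;
  try {
    idToken = await core.getIDToken(audience);
  } catch (error) {
    // Stop here: continuing with an undefined token would publish an empty
    // output and send a meaningless assertion to Azure AD.
    throw new Error(`Failed to obtain GitHub OIDC token: ${error?.message ?? error}`);
  }
  if (!idToken) {
    throw new Error('GitHub OIDC token request returned no token');
  }

  // The OIDC token is a bearer credential for the federated identity. Register
  // it with the runner's log masking before it is written anywhere.
  core.setSecret(idToken);
  core.setOutput('id_token', idToken);

  // Log the claims for debugging (issuer, subject, audience are what the
  // federated credential is matched on). The signature is left out so the log
  // does not hold the complete token material.
  const decoded = decode(idToken, { complete: true });
  console.log(decoded && { header: decoded.header, payload: decoded.payload });

  const bearer = {
    // The OAuth 2.0 token endpoint must be called with POST; axios defaults to
    // GET when no method is given.
    method: 'post',
    url: 'https://login.microsoftonline.com/<TENANT_ID_HERE>/oauth2/v2.0/token',
    // NOTE(review): `json` is kept from the original; it looks like a
    // `request`-style option — confirm axios actually uses it.
    json: true,
    data: {
      grant_type: 'client_credentials',
      client_assertion_type: 'urn:ietf:params:oauth:client-assertion-type:jwt-bearer',
      client_id: '<CLIENT_ID_HERE>',
      client_assertion: idToken,
      scope: 'https://graph.microsoft.com/.default',
    },
  };

  let response;
  try {
    response = await axiosClient(bearer, true);
  } catch (error) {
    console.log(error?.response?.data);
    // Throw a fresh error with the message only: the client's error object
    // keeps the request config, whose body contains the assertion.
    throw new Error(`Azure AD token exchange failed: ${error?.message ?? error}`);
  }

  const { data } = response;
  // The response carries a Microsoft Graph access token. Mask it and print a
  // redacted copy so the credential never lands in the run log.
  if (typeof data?.access_token === 'string') {
    core.setSecret(data.access_token);
  }
  const printable =
    data && typeof data === 'object' && 'access_token' in data
      ? { ...data, access_token: '[redacted]' }
      : data;
  console.log('aad response', printable);
}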
@stevengonsalvez
Author

The helper module `axioshelp` (required above as `./axioshelp`):

const axios = require('axios')
const qs = require('querystring')

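/**
 * Thin wrapper around `axios(options)`.
 *
 * @param {object} options - axios request config (url, method, data, ...).
 * @param {boolean} [urlencoded] - When true, `options.data` is serialised as an
 *   `application/x-www-form-urlencoded` query string before sending.
 * @param {boolean} [debug] - When truthy, logs the request with its body and
 *   headers redacted.
 * @returns {Promise<object>} The axios response; rejections from axios
 *   propagate unchanged to the caller.
 */
async function axiosClient(options, urlencoded, debug) {
  // Build a new config instead of overwriting `options.data`, so the caller's
  // object is not changed and a retry does not re-encode an already encoded body.
  // Loose `== true` is kept on purpose so callers passing 1 behave as before.
  const request =
    urlencoded == true ? { ...options, data: qs.stringify(options.data) } : options;

  if (debug) {
    // The body and headers can hold credentials (client assertions, bearer
    // tokens); print the request shape without them.
    console.log({
      ...request,
      data: '[redacted]',
      headers: request.headers ? '[redacted]' : undefined,
    });
  }

  return axios(request);
}

module.exports = { axiosClient };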

@stevengonsalvez
Author

Running it in a GitHub Actions workflow:

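name: github jwt testing sandbox
on:
  workflow_dispatch: # Allow manual triggering of the workflow

# Least privilege: only what the job needs, declared at workflow level.
permissions:
  id-token: write # This is required for requesting the JWT
  contents: read  # This is required for actions/checkout

jobs:
  get-jwt:
    runs-on: ubuntu-latest
    steps:
      # NOTE(review): actions are referenced by mutable tag; pin to a full
      # commit SHA when this leaves the sandbox.
      - name: Checkout repository
        uses: actions/checkout@v2

      - uses: actions/setup-node@v3
        with:
          node-version: 16
      # Only @actions/core is version-pinned here; the other packages resolve
      # to whatever is latest at run time. Commit a lockfile and use `npm ci`
      # for reproducible installs.
      - name: Install OIDC Client from Core Package
        run: npm install @actions/core@1.6.0 @actions/http-client axios jsonwebtoken
      - name: Run script
        id: idtoken
        run: node .github/scripts/token.js
      # Sandbox only. The sed line prints the token with a separator between
      # characters, which log masking does not match, so the token is readable
      # by anyone who can view this run's log for as long as it is valid.
      # Delete this step before reusing the workflow anywhere else.
      - name: Print JWT
        env:
          # Pass the value through the environment rather than expanding
          # ${{ }} inside the script text, so it is never parsed as shell.
          ID_TOKEN: ${{ steps.idtoken.outputs.id_token }}
        run: |
          echo "$ID_TOKEN"
          sed 's/./&+/g; s/+$//' <<< "$ID_TOKEN"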
