fix: match FIC issuer to token iss#899
Conversation
89e6504 to
95a0ad9
Compare
There was a problem hiding this comment.
Pull request overview
This PR fixes SecretSync federation failures caused by a mismatch between the OIDC issuer returned by ARM (sometimes with a trailing /) and the service account token iss (sometimes without it). It adds logic to resolve the issuer from a Kubernetes-issued service account token and uses the resolved issuer consistently for federated identity credential (FIC) lookup/creation, including in the clone flow, while falling back to the ARM issuer when the cluster can’t be queried or issuers are unrelated.
Changes:
- Add
resolve_oidc_issuer()to prefer the Kubernetes token issuer when it only differs from ARM by a trailing/. - Apply the resolved issuer to SecretSync enable flow and clone federation flow.
- Add unit tests validating issuer-resolution behavior and clone integration.
Reviewed changes
Copilot reviewed 4 out of 4 changed files in this pull request and generated 1 comment.
| File | Description |
|---|---|
| azext_edge/edge/providers/orchestration/resources/instances.py | Adds Kubernetes token-based issuer resolution and uses it in SecretSync enable flow. |
| azext_edge/edge/providers/orchestration/clone.py | Uses the resolved issuer during clone federation handling. |
| azext_edge/tests/edge/orchestration/resources/test_instances_unit.py | Adds unit tests for issuer resolution and mocks issuer resolution for unrelated tests. |
| azext_edge/tests/edge/orchestration/test_clone_unit.py | Mocks and asserts clone flow calls issuer resolution. |
💡 Add Copilot custom instructions for smarter, more guided reviews. Learn how to get started.
|
@digimaun Thanks for the detailed guidance. I’ve refactored this to use the discovery resolver we agreed on. Mapping the changes to your points:
Could you take another look when you have a moment? |
Summary
SecretSync used the OIDC issuer reported by ARM when creating a federated identity credential (FIC). In some configurations the ARM issuer ends with
/while the service account tokenissdoes not. Entra requires an exact match, so secret retrieval fails withAADSTS700211(HTTP 401).Fix
Resolve the canonical issuer from the cluster's public OIDC discovery document (
{issuer}/.well-known/openid-configuration). By the OIDC contract, the discoveryissueris the same value the token carries asiss- and the same document Entra fetches unauthenticated to validate the FIC.Some clarifications...
Q: Why read the discovery document instead of minting a service account token?
A: The discovery
issuerequals the tokenissby contract, so it yields the same canonical value without requiring cluster access, kubeconfig, RBAC (serviceaccounts/token), or the service account to exist. It also works from CI / ARM-only contexts and in clone (before the cluster is deployed).Q: Why not always remove the trailing slash?
A: This is not a failure that happens every time. Some clusters include
/in their issuer. Normalizing unconditionally could break working configurations, so the canonical discovery value is used verbatim.Q: Does this change the common case?
A: No. When ARM and the discovery issuer already match, the same issuer is used with no warning.
Q: Why does the FIC lookup remain exact?
A: Entra treats issuers with and without
/as different values. The resolved issuer is used for both lookup and creation.Q: Does this update existing FICs?
A: No. Repairing already-created FICs is outside this change's scope (tracked as a follow-up).
Repro and Tests
Before:
token iss and ARM issuerUrl mismatch:
iss:

ARM issueUrl (and FIC):

Note the trailing slash after
fcResult: 401

After
token ISS and ARM IssuerUrl remains unchanged, but FIC is normalized

No trailing slash
Result:
