OIDC token expiration problem - Add support for OIDC Request Token/url #385

Open
ibeerens opened this issue Mar 1, 2024 · 3 comments

ibeerens commented Mar 1, 2024

I read the post "https://www.hashicorp.com/blog/version-2-packer-azure-plugin-now-available". I use Packer with the latest Azure plugin and use the OIDC connection. When using a deployment that takes, for example, 38 minutes, everything runs OK. But when I use a larger deployment, the following error occurs:

```
==> azure-arm.windows11-avd: autorest/Client#Do: Preparing request failed: StatusCode=0 -- Original Error: clientCredentialsToken: received HTTP status 401 with response: {"error":"invalid_client","error_description":"AADSTS700024: Client assertion is not within its valid time range. Current time: 2024-02-27T14:01:33.3967841Z, assertion valid from 2024-02-27T12:47:05.0000000Z, expiry time of assertion 2024-02-27T12:52:05.0000000Z. Review the documentation at https://docs.microsoft.com/azure/active-directory/develop/active-directory-certificate-credentials . Trace ID: b4e5b623-f000-4983-876c-85b424ac8e00 Correlation ID: 1b880267-c308-4c21-a6f6-085e62971c0d Timestamp: 2024-02-27 14:01:33Z","error_codes":[700024],"timestamp":"2024-02-27 14:01:33Z","trace_id":"b4e5b623-f000-4983-876c-85b424ac8e00","correlation_id":"1b880267-c308-4c21-a6f6-085e62971c0d","error_uri":"https://login.microsoftonline.com/error?code=700024"}
```

It looks like a token expiration problem. Do you know how you can solve this?

@ibeerens
Author

Is there a way to extend the OIDC token?

@JenGoldstrich
Contributor

JenGoldstrich commented May 6, 2024

Hey @ibeerens, in the current version of the plugin, no. I chatted with the folks on the Terraform AzureRM Provider, as we share an upstream SDK. Here are the Terraform AzureRM Provider authentication docs. We only implemented the OIDC token field; these tokens cannot be extended from the SDK. However, if we implement the OIDC request token and URL keys, which are supported using GitHub Actions and many other OIDC providers, these tokens should refresh properly.

I will add this to our team's backlog for planning and address this when we are able.

JenGoldstrich changed the title from "OIDC token expiration problem" to "OIDC token expiration problem - Add support for OIDC Request Token/url" on May 6, 2024
@ibeerens
Author

Thanks for the update @JenGoldstrich
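
Added example, not part of the thread and not the plugin's or the SDK's code: a Go sketch of the refresh behaviour the request token/URL approach would allow, where a client assertion is re-requested shortly before its `exp` instead of being reused after it has lapsed (the error above shows a five-minute assertion presented more than an hour late). `AssertionSource`, `Fetch` and `Skew` are hypothetical names; `Fetch` stands in for a call to the OIDC provider's request URL, and the token in `main` is constructed.

```go
package main

import (
	"encoding/base64"
	"encoding/json"
	"fmt"
	"strings"
	"time"
)

// expiry reads exp from a compact JWT; no signature check, the token endpoint does that.
func expiry(jwt string) (time.Time, error) {
	var c struct{ Exp int64 `json:"exp"` }
	_, rest, _ := strings.Cut(jwt, ".")
	payload, _, ok := strings.Cut(rest, ".")
	raw, err := base64.RawURLEncoding.DecodeString(payload)
	if !ok || err != nil || json.Unmarshal(raw, &c) != nil || c.Exp == 0 {
		return time.Time{}, fmt.Errorf("no readable exp claim in token")
	}
	return time.Unix(c.Exp, 0).UTC(), nil
}

// AssertionSource (hypothetical) caches a client assertion and asks the
// provider for a new one once it is within Skew of expiry. Not goroutine-safe.
type AssertionSource struct {
	Fetch func() (string, error) // assumed: requests a token from the provider's request URL
	Skew  time.Duration          // safety margin before exp
	tok   string
	exp   time.Time
}

func (s *AssertionSource) Token(now time.Time) (string, error) {
	if s.tok != "" && now.Add(s.Skew).Before(s.exp) {
		return s.tok, nil // cached assertion is still valid with margin
	}
	tok, err := s.Fetch() // a static token field has no equivalent of this step
	if err != nil {
		return "", fmt.Errorf("requesting OIDC token: %w", err)
	}
	if s.exp, err = expiry(tok); err != nil {
		return "", err
	}
	s.tok = tok
	return tok, nil
}

func main() {
	// Constructed token whose exp equals the assertion expiry in the error above.
	fmt.Println(expiry("e30.eyJleHAiOjE3MDkwMzgzMjV9.sig"))
}
```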
