Releasing federated token details in logs (#186 )

Displaying token details as logs
Update README.md
2026-03-15 09:20:56 -04:00 · 2021-12-07 00:22:23 +05:30 · 2021-11-29 13:49:10 +05:30 · 2021-11-29 12:35:50 +05:30 · 2021-11-19 19:23:18 +05:30 · 2021-11-17 12:57:01 +05:30
3 changed files with 27 additions and 9 deletions
--- a/README.md
+++ b/README.md
@@ -244,19 +244,19 @@ For a more detailed overview, see more guidance around [Azure Federated Credenti
    Run the following command to [create a new federated identity credential](https://docs.microsoft.com/en-us/graph/api/application-post-federatedidentitycredentials?view=graph-rest-beta&preserve-view=true) on your app (specified by the object ID of the app). Substitute the values `APPLICATION-OBJECT-ID`, `CREDENTIAL-NAME`, `SUBJECT`. The options for subject refer to your request filter. These are the conditions that OpenID Connect uses to determine when to issue an authentication token.  
    * specific environment
        ```azurecli
-        az rest --method POST --uri 'https://graph.microsoft.com/beta/applications/<APPLICATION-OBJECT-ID>/federatedIdentityCredentials' --body '{"name":"<CREDENTIAL-NAME>","issuer":"https://token.actions.githubusercontent.com/","subject":"repo:octo-org/octo-repo:environment:Production","description":"Testing","audiences":["api://AzureADTokenExchange"]}' 
+        az rest --method POST --uri 'https://graph.microsoft.com/beta/applications/<APPLICATION-OBJECT-ID>/federatedIdentityCredentials' --body '{"name":"<CREDENTIAL-NAME>","issuer":"https://token.actions.githubusercontent.com","subject":"repo:octo-org/octo-repo:environment:Production","description":"Testing","audiences":["api://AzureADTokenExchange"]}' 
        ```
    * pull_request events
       ```azurecli
-        az rest --method POST --uri 'https://graph.microsoft.com/beta/applications/<APPLICATION-OBJECT-ID>/federatedIdentityCredentials' --body '{"name":"<CREDENTIAL-NAME>","issuer":"https://token.actions.githubusercontent.com/","subject":"repo:octo-org/octo-repo:pull-request","description":"Testing","audiences":["api://AzureADTokenExchange"]}' 
+        az rest --method POST --uri 'https://graph.microsoft.com/beta/applications/<APPLICATION-OBJECT-ID>/federatedIdentityCredentials' --body '{"name":"<CREDENTIAL-NAME>","issuer":"https://token.actions.githubusercontent.com","subject":"repo:octo-org/octo-repo:pull_request","description":"Testing","audiences":["api://AzureADTokenExchange"]}' 
        ```
    * specific branch
       ```azurecli
-        az rest --method POST --uri 'https://graph.microsoft.com/beta/applications/<APPLICATION-OBJECT-ID>/federatedIdentityCredentials' --body '{"name":"<CREDENTIAL-NAME>","issuer":"https://token.actions.githubusercontent.com/","subject":"repo:octo-org/octo-repo:ref:refs/heads/{Branch}","description":"Testing","audiences":["api://AzureADTokenExchange"]}' 
+        az rest --method POST --uri 'https://graph.microsoft.com/beta/applications/<APPLICATION-OBJECT-ID>/federatedIdentityCredentials' --body '{"name":"<CREDENTIAL-NAME>","issuer":"https://token.actions.githubusercontent.com","subject":"repo:octo-org/octo-repo:ref:refs/heads/{Branch}","description":"Testing","audiences":["api://AzureADTokenExchange"]}' 
        ```
    * specific tag
       ```azurecli
-        az rest --method POST --uri 'https://graph.microsoft.com/beta/applications/<APPLICATION-OBJECT-ID>/federatedIdentityCredentials' --body '{"name":"<CREDENTIAL-NAME>","issuer":"https://token.actions.githubusercontent.com/","subject":"repo:octo-org/octo-repo:ref:refs/heads/{Tag}","description":"Testing","audiences":["api://AzureADTokenExchange"]}' 
+        az rest --method POST --uri 'https://graph.microsoft.com/beta/applications/<APPLICATION-OBJECT-ID>/federatedIdentityCredentials' --body '{"name":"<CREDENTIAL-NAME>","issuer":"https://token.actions.githubusercontent.com","subject":"repo:octo-org/octo-repo:ref:refs/heads/{Tag}","description":"Testing","audiences":["api://AzureADTokenExchange"]}' 
        ```

 ## Support for using `allow-no-subscriptions` flag with az login
--- a/lib/main.js
+++ b/lib/main.js
@@ -1,14 +1,14 @@
 "use strict";
-var __createBinding = (this && this.__createBinding) || (Object.create ? (function (o, m, k, k2) {
+var __createBinding = (this && this.__createBinding) || (Object.create ? (function(o, m, k, k2) {
    if (k2 === undefined) k2 = k;
-    Object.defineProperty(o, k2, { enumerable: true, get: function () { return m[k]; } });
-}) : (function (o, m, k, k2) {
+    Object.defineProperty(o, k2, { enumerable: true, get: function() { return m[k]; } });
+}) : (function(o, m, k, k2) {
    if (k2 === undefined) k2 = k;
    o[k2] = m[k];
 }));
-var __setModuleDefault = (this && this.__setModuleDefault) || (Object.create ? (function (o, v) {
+var __setModuleDefault = (this && this.__setModuleDefault) || (Object.create ? (function(o, v) {
    Object.defineProperty(o, "default", { enumerable: true, value: v });
-}) : function (o, v) {
+}) : function(o, v) {
    o["default"] = v;
 });
 var __importStar = (this && this.__importStar) || function (mod) {
@@ -140,6 +140,8 @@ function main() {
                if (!!federatedToken) {
                    if (environment != "azurecloud")
                        throw new Error(`Your current environment - "${environment}" is not supported for OIDC login.`);
+                    let [issuer, subjectClaim] = yield jwtParser(federatedToken);
+                    console.log("Federated token details: \n issuer - " + issuer + " \n subject claim - " + subjectClaim);
                }
                else {
                    throw new Error("Could not get ID token for authentication.");
@@ -230,4 +232,12 @@ function executeAzCliCommand(command, silent, execOptions = {}, args = []) {
        yield exec.exec(`"${azPath}" ${command}`, args, execOptions);
    });
 }
+function jwtParser(federatedToken) {
+    return __awaiter(this, void 0, void 0, function* () {
+        let tokenPayload = federatedToken.split('.')[1];
+        let bufferObj = Buffer.from(tokenPayload, "base64");
+        let decodedPayload = JSON.parse(bufferObj.toString("utf8"));
+        return [decodedPayload['iss'], decodedPayload['sub']];
+    });
+}
 main();
--- a/src/main.ts
+++ b/src/main.ts
@@ -118,6 +118,8 @@ async function main() {
            if (!!federatedToken) {
                if (environment != "azurecloud")
                    throw new Error(`Your current environment - "${environment}" is not supported for OIDC login.`);
+                let [issuer, subjectClaim] = await jwtParser(federatedToken);
+                console.log("Federated token details: \n issuer - " + issuer + " \n subject claim - " + subjectClaim);
            }
            else {
                throw new Error("Could not get ID token for authentication.");
@@ -227,4 +229,10 @@ async function executeAzCliCommand(
    execOptions.silent = !!silent;
    await exec.exec(`"${azPath}" ${command}`, args, execOptions);
 }
+async function jwtParser(federatedToken: string) {
+    let tokenPayload = federatedToken.split('.')[1];
+    let bufferObj = Buffer.from(tokenPayload, "base64");
+    let decodedPayload = JSON.parse(bufferObj.toString("utf8"));
+    return [decodedPayload['iss'], decodedPayload['sub']];
+}
 main();
Author	SHA1	Message	Date
Balaga Gayatri	66d2e78565	Releasing federated token details in logs (#186 ) Displaying token details as logs	2021-12-07 00:22:23 +05:30
Balaga Gayatri	838596bf46	Update README.md	2021-11-29 13:49:10 +05:30
Balaga Gayatri	4157c80c0a	Update README.md	2021-11-29 12:35:50 +05:30
Balaga Gayatri	193e371fe1	Update README.md	2021-11-19 19:23:18 +05:30
Balaga Gayatri	0c79dfa0e1	Update README.md (#173 ) (#174 )	2021-11-17 12:57:01 +05:30