Update Constants.js

* putting id-token generation in try catch block

* Updating node version in action.yml

.github/CODEOWNERS

@@ -0,0 +1 @@
+@kaverma @kanika1894 @BALAGA-GAYATRI @pulkitaggarwl 

.github/ISSUE_TEMPLATE/bug-report-feature-request.md

@@ -0,0 +1,10 @@
+---
+name: Bug Report / Feature Request
+about: Create a report to help us improve
+title: ''
+labels: need-to-triage
+assignees: ''
+
+---
+
+

.github/issue-label-bot.yaml

@@ -0,0 +1,4 @@
+label-alias:
+  bug: 'bug'
+  feature_request: 'enhancement'
+  question: 'question'

.github/workflows/azure-login-canary.yml

@@ -0,0 +1,94 @@
+#This workflow is used to test azure login action for CLI edge build. Visit, https://github.com/Azure/azure-cli#edge-builds for more details.
+
+name: Run Azure Login Canary Test
+on: 
+  workflow_dispatch:
+  schedule:
+    - cron:  ' 0 8 * * *'  
+permissions:
+      id-token: write
+      contents: read
+jobs: 
+  az-login-test:
+    runs-on: ubuntu-latest
+    steps:
+      - name : Check Az version before installing
+        run: az --version
+        
+      - name: Installing Az CLI Edge build 
+        run: |
+           cd ../..
+           CWD="$(pwd)"
+           python3 -m venv canary-venv
+           . canary-venv/bin/activate
+           echo "***********activated virual environment**********" 
+           python3 -m pip install --upgrade pip
+           echo "***************started installing cli edge build******************"
+           pip3 install -q --upgrade --pre azure-cli --extra-index-url https://azurecliprod.blob.core.windows.net/edge --no-cache-dir --upgrade-strategy=eager
+           echo "***************installed cli Edge build*******************"    
+           echo "$CWD/canary-venv/bin" >> $GITHUB_PATH
+           az --version
+           
+      - name: Check out repository
+        uses: actions/checkout@v3
+        
+      - name: 'Az CLI login with subscription'
+        uses: azure/login@v1
+        with:
+          creds: ${{ secrets.AZURE_CREDENTIALS }}
+          
+      - run: |
+          az account show
+          
+      - name: 'Az CLI login without subscription'
+        uses: azure/login@v1
+        with:
+          creds: ${{ secrets.AZURE_CREDENTIALS }}
+          allow-no-subscriptions: true
+          
+      - run: |
+          az account show
+          
+      - name: 'Az CLI login with subscription OIDC'
+        uses: azure/login@v1
+        with:
+          client-id: ${{ secrets.AZURE_CLIENTID }}
+          tenant-id: ${{ secrets.AZURE_TENANTID }}
+          subscription-id: ${{ secrets.AZURE_SUBSCRIPTIONID }} 
+        
+      - run: |
+          az account show
+          
+      - name: 'Az CLI login without subscription OIDC'
+        uses: azure/login@v1
+        with:
+          client-id: ${{ secrets.AZURE_CLIENTID }}
+          tenant-id: ${{ secrets.AZURE_TENANTID }}
+          allow-no-subscriptions: true
+          
+      - run: |
+          az account show
+          
+   
+          
+  slack-post-result:
+        runs-on: ubuntu-latest
+#         continue-on-error: true
+        if: ${{ always() }}
+        needs: [az-login-test]
+        steps:
+          - name: Create slack post
+            id: slack_report
+            run: |
+              TITLE="Login action canary tests update - "
+              DATEVAR=`date "+%d/%m/%YT%H:%M:%S"`
+              TITLE="${TITLE}${DATEVAR}"
+              REPORT="${TITLE}\r\nLink to run - https://github.com/$GITHUB_REPOSITORY/actions/runs/$GITHUB_RUN_ID\r\n" 
+              RUN_URL="https://github.com/$GITHUB_REPOSITORY/actions/runs/$GITHUB_RUN_ID"
+              REPORT="${REPORT}\r\n"
+              if [ ${{needs.az-login-test.result}} == 'success' ]; then REPORT="${REPORT}\r\n|✅|<${RUN_URL}|az-login-test>"; else REPORT="${REPORT}\r\n|❌|<${RUN_URL}|az-login-test>"; fi
+              echo "::set-output name=report::$REPORT"
+          - name: Post to slack
+            shell: bash
+            run: curl -X POST -H 'Content-type:application/json' --data '{"blocks":[{"type":"section","text":{"type":"mrkdwn","text":"${{steps.slack_report.outputs.report}}"}}]}' https://hooks.slack.com/services/${{SECRETS.SLACK_CHANNEL_SECRET}}
+

.github/workflows/azure-login-integration-tests.yml

@@ -0,0 +1,129 @@
+name: Run Azure Login Integration Tests
+on: 
+  workflow_dispatch:
+  schedule:
+    - cron:  '0 */3 * * *'
+permissions:
+      id-token: write
+      contents: write
+
+jobs: 
+
+  az-login-test-non-oidc:
+    runs-on: ubuntu-latest
+#     continue-on-error: true
+    steps:
+      - name: 'Az CLI login with subscription'
+        uses: azure/login@v1
+        with:
+          creds: ${{ secrets.AZURE_CREDENTIALS }}
+          
+      - run: |
+          az account show
+#          az webapp list
+          
+      - name: 'Az CLI login without subscription'
+        uses: azure/login@v1
+        with:
+          creds: ${{ secrets.AZURE_CREDENTIALS }}
+          allow-no-subscriptions: true
+          
+      - run: |
+          az account show
+          
+      - name: 'Azure PowerShell login with subscription'
+        uses: azure/login@v1
+        with:
+          creds: ${{ secrets.AZURE_CREDENTIALS }}
+          enable-AzPSSession: true
+          
+      - uses: azure/powershell@v1
+        with:
+          inlineScript: "Get-AzContext"
+          azPSVersion: "latest"
+          
+      - name: 'Azure PowerShell login without subscription'
+        uses: azure/login@v1
+        with:
+          creds: ${{secrets.AZURE_CREDENTIALS}}
+          enable-AzPSSession: true
+          allow-no-subscriptions: true
+        
+      - uses: azure/powershell@v1
+        with:
+          inlineScript: "Get-AzContext"
+          azPSVersion: "latest"
+
+  az-login-test-oidc:
+    runs-on: ubuntu-latest
+#     continue-on-error: true
+    steps:
+      - name: 'Az CLI login with subscription'
+        uses: azure/login@v1
+        with:
+          client-id: ${{ secrets.AZURE_CLIENTID }}
+          tenant-id: ${{ secrets.AZURE_TENANTID }}
+          subscription-id: ${{ secrets.AZURE_SUBSCRIPTIONID }} 
+        
+      - run: |
+          az account show
+#          az webapp list
+          
+      - name: 'Az CLI login without subscription'
+        uses: azure/login@v1
+        with:
+          client-id: ${{ secrets.AZURE_CLIENTID }}
+          tenant-id: ${{ secrets.AZURE_TENANTID }}
+          allow-no-subscriptions: true
+          
+      - run: |
+          az account show
+          
+      - name: 'Azure PowerShell login with subscription'
+        uses: azure/login@v1
+        with:
+          client-id: ${{ secrets.AZURE_CLIENTID }}
+          tenant-id: ${{ secrets.AZURE_TENANTID }}
+          subscription-id: ${{ secrets.AZURE_SUBSCRIPTIONID }} 
+          enable-AzPSSession: true
+          
+      - uses: azure/powershell@v1
+        with:
+          inlineScript: "Get-AzContext"
+          azPSVersion: "latest"
+          
+      - name: 'Azure PowerShell login without subscription'
+        uses: azure/login@v1
+        with:
+          client-id: ${{ secrets.AZURE_CLIENTID }}
+          tenant-id: ${{ secrets.AZURE_TENANTID }}
+          enable-AzPSSession: true
+          allow-no-subscriptions: true
+        
+      - uses: azure/powershell@v1
+        with:
+          inlineScript: "Get-AzContext"
+          azPSVersion: "latest"
+          
+  slack-post-result:
+        runs-on: ubuntu-latest
+#         continue-on-error: true
+        if: ${{ always() }}
+        needs: [az-login-test-non-oidc, az-login-test-oidc]
+        steps:
+          - name: Create slack post
+            id: slack_report
+            run: |
+              TITLE="Login action OIDC flow tests update - "
+              DATEVAR=`date "+%d/%m/%YT%H:%M:%S"`
+              TITLE="${TITLE}${DATEVAR}"
+              REPORT="${TITLE}\r\nLink to run - https://github.com/$GITHUB_REPOSITORY/actions/runs/$GITHUB_RUN_ID\r\n" 
+              RUN_URL="https://github.com/$GITHUB_REPOSITORY/actions/runs/$GITHUB_RUN_ID"
+              REPORT="${REPORT}\r\n"
+              if [ ${{needs.az-login-test-non-oidc.result}} == 'success' ]; then REPORT="${REPORT}\r\n|✅|<${RUN_URL}|az-login-test-non-oidc>"; else REPORT="${REPORT}\r\n|❌|<${RUN_URL}|az-login-test-non-oidc>"; fi
+              if [ ${{needs.az-login-test-oidc.result}} == 'success' ]; then REPORT="${REPORT}\r\n|✅|<${RUN_URL}|az-login-test-oidc>"; else REPORT="${REPORT}\r\n|❌|<${RUN_URL}|az-login-test-oidc>"; fi
+              echo "::set-output name=report::$REPORT"
+
+          - name: Post to slack
+            shell: bash
+            run: curl -X POST -H 'Content-type:application/json' --data '{"blocks":[{"type":"section","text":{"type":"mrkdwn","text":"${{steps.slack_report.outputs.report}}"}}]}' https://hooks.slack.com/services/${{SECRETS.SLACK_CHANNEL_SECRET}}

.github/workflows/azure-login-pr-check.yml

@@ -0,0 +1,72 @@
+name: pr-check
+
+on:
+  pull_request_target:
+    branches:
+      - master
+      - 'releases/*'
+jobs:
+   az-login-test:
+     environment: Automation test
+     runs-on: windows-latest
+     steps:
+       - name: Checkout from PR branch  
+         uses: actions/checkout@v2
+         with: 
+          repository: ${{ github.event.pull_request.head.repo.full_name }}
+          ref: ${{ github.event.pull_request.head.ref }}
+
+         # Using 12.x version as an example
+       - name: Set Node.js 12.x for GitHub Action
+         uses: actions/setup-node@v1
+         with:
+           node-version: 12.x
+
+       - name: installing node_modules
+         run: npm install 
+
+       - name: Build GitHub Action
+         run: npm run build
+         
+       - name: 'Az CLI login with subscription'
+         uses: ./
+         with:
+            creds: ${{ secrets.AZURE_CREDENTIALS }}
+          
+       - run: |
+             az account show
+  #          az webapp list
+
+       - name: 'Az CLI login without subscription'
+         uses: ./
+         with:
+           creds: ${{ secrets.AZURE_CREDENTIALS_NO_SUB }}
+           allow-no-subscriptions: true
+
+       - run: |
+           az account show
+
+       - name: 'Azure PowerShell login with subscription'
+         uses: ./
+         with:
+           creds: ${{ secrets.AZURE_CREDENTIALS }}
+           enable-AzPSSession: true
+
+       - uses: azure/powershell@v1
+         with:
+           inlineScript: "Get-AzContext"
+           azPSVersion: "latest"
+
+       - name: 'Azure PowerShell login without subscription'
+         uses: ./
+         with:
+           creds: ${{secrets.AZURE_CREDENTIALS_NO_SUB}}
+           enable-AzPSSession: true
+           allow-no-subscriptions: true
+
+       - uses: azure/powershell@v1
+         with:
+           inlineScript: "Get-AzContext"
+           azPSVersion: "latest"
+          
+      

.github/workflows/ci.yml

@@ -12,7 +12,7 @@ jobs:
     runs-on: ${{ matrix.os }}
     strategy:
         matrix:
-          os: [windows-latest, ubuntu-latest, macos-latest]
+          os: [windows-latest, ubuntu-latest]
     steps:
 
     - name: 'Checking out repo code'
@@ -25,4 +25,4 @@ jobs:
         
     - name: 'Run L0 tests'
       run: |
-        npm run test
+        npm run test

.github/workflows/codeql.yml

@@ -0,0 +1,52 @@
+name: "Code scanning - action"
+
+on:
+  push:
+  pull_request:
+  schedule:
+    - cron: '0 19 * * 0'
+
+jobs:
+  CodeQL-Build:
+
+    # CodeQL runs on ubuntu-latest and windows-latest
+    runs-on: ubuntu-latest
+
+    steps:
+    - name: Checkout repository
+      uses: actions/checkout@v2
+      with:
+        # We must fetch at least the immediate parents so that if this is
+        # a pull request then we can checkout the head.
+        fetch-depth: 2
+
+    # If this run was triggered by a pull request event, then checkout
+    # the head of the pull request instead of the merge commit.
+    - run: git checkout HEAD^2
+      if: ${{ github.event_name == 'pull_request' }}
+      
+    # Initializes the CodeQL tools for scanning.
+    - name: Initialize CodeQL
+      uses: github/codeql-action/init@v1
+      # Override language selection by uncommenting this and choosing your languages
+      # with:
+      #   languages: go, javascript, csharp, python, cpp, java
+
+    # Autobuild attempts to build any compiled languages  (C/C++, C#, or Java).
+    # If this step fails, then you should remove it and run the build manually (see below)
+    - name: Autobuild
+      uses: github/codeql-action/autobuild@v1
+
+    # ℹ️ Command-line programs to run using the OS shell.
+    # 📚 https://git.io/JvXDl
+
+    # ✏️ If the Autobuild fails above, remove it and uncomment the following three lines
+    #    and modify them (or add more) to build your code if your project
+    #    uses a compiled language
+
+    #- run: |
+    #   make bootstrap
+    #   make release
+
+    - name: Perform CodeQL Analysis
+      uses: github/codeql-action/analyze@v1

.github/workflows/defaultLabels.yml

@@ -0,0 +1,36 @@
+name: setting-default-labels
+
+# Controls when the action will run. 
+on:
+  schedule:
+  - cron: "0 0/3 * * *"
+
+# A workflow run is made up of one or more jobs that can run sequentially or in parallel
+jobs:
+  build:
+    # The type of runner that the job will run on
+    runs-on: ubuntu-latest
+
+    # Steps represent a sequence of tasks that will be executed as part of the job
+    steps:
+          
+      - uses: actions/stale@v3
+        name: Setting issue as idle
+        with:
+          repo-token: ${{ secrets.GITHUB_TOKEN }}
+          stale-issue-message: 'This issue is idle because it has been open for 14 days with no activity.'
+          stale-issue-label: 'idle'
+          days-before-stale: 14
+          days-before-close: -1
+          operations-per-run: 100
+          exempt-issue-labels: 'backlog'
+          
+      - uses: actions/stale@v3
+        name: Setting PR as idle
+        with:
+          repo-token: ${{ secrets.GITHUB_TOKEN }}
+          stale-pr-message: 'This PR is idle because it has been open for 14 days with no activity.'
+          stale-pr-label: 'idle'
+          days-before-stale: 14
+          days-before-close: -1
+          operations-per-run: 100

README.md

@@ -1,150 +1,325 @@
-# GitHub Actions for deploying to Azure
-
-## Automate your GitHub workflows using Azure Actions
-
-[GitHub Actions](https://help.github.com/en/articles/about-github-actions)  gives you the flexibility to build an automated software development lifecycle workflow. 
-
-With [GitHub Actions for Azure](https://github.com/Azure/actions/) you can create workflows that you can set up in your repository to build, test, package, release and **deploy** to Azure. 
-
-# GitHub Action for Azure Login
-With the Azure login Action, you can automate your workflow to do an Azure login using [Azure service principal](https://docs.microsoft.com/en-us/azure/active-directory/develop/app-objects-and-service-principals) and run Az CLI and Azure PowerShell scripts.
-
-By default, only az cli login will be done. In addition to az cli, you can login using Az module to run Azure PowerShell scripts by setting enable-AzPSSession to true.
-
-Get started today with a [free Azure account](https://azure.com/free/open-source)!
-
-This repository contains GitHub Action for [Azure Login](https://github.com/Azure/login/blob/master/action.yml).
-
-## Sample workflow that uses Azure login action to run az cli
-
-```yaml
-
-# File: .github/workflows/workflow.yml
-
-on: [push]
-
-name: AzureLoginSample
-
-jobs:
-
-  build-and-deploy:
-    runs-on: ubuntu-latest
-    steps:
-    
-    - uses: azure/login@v1.1
-      with:
-        creds: ${{ secrets.AZURE_CREDENTIALS }}
-    
-    - run: |
-        az webapp list --query "[?state=='Running']"
-
-```
-
-## Sample workflow that uses Azure login action to run Azure PowerShell
-
-```yaml
-
-# File: .github/workflows/workflow.yml
-
-on: [push]
-
-name: AzurePowerShellSample
-
-jobs:
-
-  build-and-deploy:
-    runs-on: ubuntu-latest
-    steps:
-    
-    - name: Login via Az module
-      uses: azure/login@v1.1
-      with:
-        creds: ${{secrets.AZURE_CREDENTIALS}}
-        enable-AzPSSession: true 
-    
-    - name: Run Az CLI script
-      run: |
-        az webapp list --query "[?state=='Running']"
-   
-    - name: Run Azure PowerShell script
-      uses: azure/powershell@v1
-      with:
-        azPSVersion: '3.1.0'
-        inlineScript: |
-          Get-AzVM -ResourceGroupName "ActionsDemo"
-        
-     
-        
-```
-
-Refer [Azure PowerShell](https://github.com/azure/powershell) Github action to run your Azure PowerShell scripts.
-
-## Configure deployment credentials:
-
-For any credentials like Azure Service Principal, Publish Profile etc add them as [secrets](https://help.github.com/en/articles/virtual-environments-for-github-actions#creating-and-using-secrets-encrypted-variables) in the GitHub repository and then use them in the workflow.
-
-The above example uses user-level credentials i.e., Azure Service Principal for deployment. 
-
-Follow the steps to configure the secret:
-  * Define a new secret under your repository settings, Add secret menu
-  * Store the output of the below [az cli](https://docs.microsoft.com/en-us/cli/azure/?view=azure-cli-latest) command as the value of secret variable, for example 'AZURE_CREDENTIALS'
-```bash  
-
-   az ad sp create-for-rbac --name "myApp" --role contributor \
-                            --scopes /subscriptions/{subscription-id}/resourceGroups/{resource-group} \
-                            --sdk-auth
-                            
-  # Replace {subscription-id}, {resource-group} with the subscription, resource group details
-
-  # The command should output a JSON object similar to this:
-
-  {
-    "clientId": "<GUID>",
-    "clientSecret": "<GUID>",
-    "subscriptionId": "<GUID>",
-    "tenantId": "<GUID>",
-    (...)
-  }
-  
-```
-  * Now in the workflow file in your branch: `.github/workflows/workflow.yml` replace the secret in Azure login action with your secret (Refer to the example above)
-
-
-# Azure Login metadata file
-
-```yaml
-
-# action.yml
-
-# Login to Azure subscription
-name: 'Azure Login'
-description: 'Authenticate to Azure and run your Az CLI or Az PowerShell based Actions or scripts. github.com/Azure/Actions'
-inputs: 
-  creds:
-    description: 'Paste output of `az ad sp create-for-rbac` as value of secret variable: AZURE_CREDENTIALS'
-    required: true
-  enable-AzPSSession: 
-    description: 'Set this value to true to enable Azure PowerShell Login in addition to Az CLI login'
-    required: false
-    default: false
-branding:
-  icon: 'login.svg'
-  color: 'blue'
-runs:
-  using: 'node12'
-  main: 'lib/main.js'
-```
-
-# Contributing
-
-This project welcomes contributions and suggestions.  Most contributions require you to agree to a
-Contributor License Agreement (CLA) declaring that you have the right to, and actually do, grant us
-the rights to use your contribution. For details, visit https://cla.opensource.microsoft.com.
-
-When you submit a pull request, a CLA bot will automatically determine whether you need to provide
-a CLA and decorate the PR appropriately (e.g., status check, comment). Simply follow the instructions
-provided by the bot. You will only need to do this once across all repos using our CLA.
-
-This project has adopted the [Microsoft Open Source Code of Conduct](https://opensource.microsoft.com/codeofconduct/).
-For more information see the [Code of Conduct FAQ](https://opensource.microsoft.com/codeofconduct/faq/) or
-contact [opencode@microsoft.com](mailto:opencode@microsoft.com) with any additional questions or comments.
+# GitHub Actions for deploying to Azure
+
+## Automate your GitHub workflows using Azure Actions
+
+[GitHub Actions](https://help.github.com/en/articles/about-github-actions)  gives you the flexibility to build an automated software development lifecycle workflow. 
+
+With [GitHub Actions for Azure](https://github.com/Azure/actions/) you can create workflows that you can set up in your repository to build, test, package, release and **deploy** to Azure. 
+
+# GitHub Action for Azure Login
+
+With the [Azure Login](https://github.com/Azure/login/blob/master/action.yml) Action, you can automate your workflow to do an Azure login using [Azure service principal](https://docs.microsoft.com/en-us/azure/active-directory/develop/app-objects-and-service-principals) and run Az CLI and Azure PowerShell scripts.
+
+- By default, the action only logs in with the Azure CLI (using the `az login` command). To log in with the Az PowerShell module, set `enable-AzPSSession` to true. To login to Azure tenants without any subscriptions, set the optional parameter `allow-no-subscriptions` to true. 
+
+- To login into one of the Azure Government clouds or Azure Stack, set the optional parameter `environment` with one of the supported values `AzureUSGovernment` or `AzureChinaCloud` or `AzureStack`. If this parameter is not specified, it takes the default value `AzureCloud` and connects to the Azure Public Cloud. Additionally the parameter `creds` takes the Azure service principal created in the particular cloud to connect (Refer to [this](#configure-a-service-principal-with-a-secret)  section below for details).
+
+- The Action supports two different ways of authentication with Azure. One using the Azure Service Principal with secrets. The other is OpenID connect (OIDC) method of authentication using Azure Service Principal with a Federated Identity Credential. 
+- To login using Azure Service Principal with a secret, follow [this](#configure-a-service-principal-with-a-secret) guidance.
+- To login using **OpenID Connect (OIDC) based Federated Identity Credentials**, 
+   1. Follow [this](#configure-a-service-principal-with-a-federated-credential-to-use-oidc-based-authentication) guidance to create a Federated Credential associated with your AD App (Service Principal). This is needed to establish OIDC trust between GitHub deployment workflows and the specific Azure resources scoped by the service principal.
+   2. In your GitHub workflow, Set `permissions:` with `id-token: write` at workflow level or job level based on whether the OIDC token needs to be auto-generated for all Jobs or a specific Job. 
+   3. Within the Job deploying to Azure, add Azure/login action and pass the `client-id`, `tenant-id` and `subscription-id` of the Azure service principal associated with an OIDC Federated Identity Credential credeted in step (i)
+
+Note: 
+   - Ensure the CLI version is 2.30 or above to use OIDC support.
+   - OIDC support in Azure is supported only for public clouds. Support for other clouds like Government clouds, Azure Stacks would be added soon. 
+   - By default, Azure access tokens issued during OIDC based login could have limited validity. This expiration time is configurable in Azure.
+
+## Sample workflow that uses Azure login action to run az cli
+
+```yaml
+
+# File: .github/workflows/workflow.yml
+
+on: [push]
+
+name: AzureLoginSample
+
+jobs:
+
+  build-and-deploy:
+    runs-on: ubuntu-latest
+    steps:
+    
+    - uses: azure/login@v1
+      with:
+        creds: ${{ secrets.AZURE_CREDENTIALS }}
+    
+    - run: |
+        az webapp list --query "[?state=='Running']"
+
+```
+
+## Sample workflow that uses Azure login action to run Azure PowerShell
+
+```yaml
+
+# File: .github/workflows/workflow.yml
+
+on: [push]
+
+name: AzurePowerShellLoginSample
+
+jobs:
+
+  build:
+    runs-on: ubuntu-latest
+    steps:
+    
+    - name: Login via Az module
+      uses: azure/login@v1
+      with:
+        creds: ${{secrets.AZURE_CREDENTIALS}}
+        enable-AzPSSession: true 
+     
+     - run: |
+        Get-AzVM -ResourceGroupName "ResourceGroup11"
+        
+```
+## Sample workflow that uses Azure login action using OIDC to run az cli (Linux)
+
+```yaml
+# File: .github/workflows/OIDC_workflow.yml
+
+name: Run Azure Login with OIDC
+on: [push]
+
+permissions:
+      id-token: write
+      contents: read
+jobs: 
+  build-and-deploy:
+    runs-on: ubuntu-latest
+    steps:
+      - name: 'Az CLI login'
+        uses: azure/login@v1
+        with:
+          client-id: ${{ secrets.AZURE_CLIENT_ID }}
+          tenant-id: ${{ secrets.AZURE_TENANT_ID }}
+          subscription-id: ${{ secrets.AZURE_SUBSCRIPTION_ID }}
+  
+      - name: 'Run az commands'
+        run: |
+          az account show
+          az group list
+          pwd 
+```
+Users can also specify `audience` field for access-token in the input parameters of the action. If not specified, it is defaulted to `api://AzureADTokenExchange`. This action supports login az powershell as well for both windows and linux runners by setting an input parameter `enable-AzPSSession: true`. Below is the sample workflow for the same using the windows runner. Please note that powershell login is not supported in Macos runners.
+
+## Sample workflow that uses Azure login action using OIDC to run az PowerShell (Windows)
+
+```yaml
+# File: .github/workflows/OIDC_workflow.yml
+
+name: Run Azure Login with OIDC
+on: [push]
+
+permissions:
+      id-token: write
+      contents: read
+      
+jobs: 
+  Windows-latest:
+      runs-on: windows-latest
+      steps:
+        - name: OIDC Login to Azure Public Cloud with AzPowershell (enableAzPSSession true)
+          uses: azure/login@v1
+          with:
+            client-id: ${{ secrets.AZURE_CLIENT_ID }}
+            tenant-id: ${{ secrets.AZURE_TENANT_ID }}
+            subscription-id: ${{ secrets.AZURE_SUBSCRIPTION_ID }} 
+            enable-AzPSSession: true
+
+        - name: 'Get RG with powershell action'
+          uses: azure/powershell@v1
+          with:
+             inlineScript: |
+               Get-AzResourceGroup
+             azPSVersion: "latest"
+
+```
+
+Refer [Azure PowerShell](https://github.com/azure/powershell) Github action to run your Azure PowerShell scripts.
+
+## Sample to connect to Azure US Government cloud
+
+```yaml
+    - name: Login to Azure US Gov Cloud with CLI
+      uses: azure/login@v1
+      with:
+        creds: ${{ secrets.AZURE_US_GOV_CREDENTIALS }}
+        environment: 'AzureUSGovernment'
+        enable-AzPSSession: false
+    - name: Login to Azure US Gov Cloud with Az Powershell
+      uses: azure/login@v1
+      with:
+        creds: ${{ secrets.AZURE_US_GOV_CREDENTIALS }}
+        environment: 'AzureUSGovernment'
+        enable-AzPSSession: true
+```
+
+Refer to the [Azure PowerShell](https://github.com/azure/powershell) Github action to run your Azure PowerShell scripts.
+
+## Sample Azure Login workflow that to run az cli on Azure Stack Hub
+
+```yaml
+
+# File: .github/workflows/workflow.yml
+
+on: [push]
+
+name: AzureLoginSample
+
+jobs:
+
+  build-and-deploy:
+    runs-on: ubuntu-latest
+    steps:
+    - uses: azure/login@v1
+      with:
+        creds: ${{ secrets.AZURE_CREDENTIALS }}
+        environment: 'AzureStack'
+
+    - run: |
+        az webapp list --query "[?state=='Running']"
+
+```
+Refer to the [Azure Stack Hub Login Action Tutorial](https://docs.microsoft.com/en-us/azure-stack/user/ci-cd-github-action-login-cli?view=azs-2008) for more detailed instructions.
+
+## Configure deployment credentials:
+  
+### Configure a service principal with a secret:
+
+For using any credentials like Azure Service Principal, Publish Profile etc add them as [secrets](https://help.github.com/en/articles/virtual-environments-for-github-actions#creating-and-using-secrets-encrypted-variables) in the GitHub repository and then use them in the workflow.
+
+
+Follow the steps to configure Azure Service Principal with a secret:
+  * Define a new secret under your repository settings, Add secret menu
+  * Store the output of the below [az cli](https://docs.microsoft.com/en-us/cli/azure/?view=azure-cli-latest) command as the value of secret variable, for example 'AZURE_CREDENTIALS'
+```bash  
+
+   az ad sp create-for-rbac --name "myApp" --role contributor \
+                            --scopes /subscriptions/{subscription-id}/resourceGroups/{resource-group} \
+                            --sdk-auth
+                            
+  # Replace {subscription-id}, {resource-group} with the subscription, resource group details
+
+  # The command should output a JSON object similar to this:
+
+ 
+  {
+    "clientId": "<GUID>",
+    "clientSecret": "<STRING>",
+    "subscriptionId": "<GUID>",
+    "tenantId": "<GUID>",
+    "resourceManagerEndpointUrl": "<URL>"
+    (...)
+  }
+  
+```
+  * Now in the workflow file in your branch: `.github/workflows/workflow.yml` replace the secret in Azure login action with your secret (Refer to the example above)
+  * Note: The above `az ad sp create-for-rbac` command will give you the `--sdk-auth` deprecation warning. As we are working with CLI for this deprecation process, we strongly recommend users to use this `--sdk-auth` flag as the result dictionary output changes and not accepted by login action if `--sdk-auth` is not used.
+  * If you want to pass Subscription ID, Tenant ID, Client ID, and Client Secret as individual parameters instead of bundling them in a single JSON object (creds) to address the [security concerns](https://docs.github.com/en/actions/security-guides/encrypted-secrets) for Non-OIDC login, below snippet can help with the same. 
+```yaml
+  - uses: Azure/login@v1
+    with:
+      creds: '{"clientId":"${{ secrets.CLIENT_ID }}","clientSecret":"${{ secrets.CLIENT_SECRET }}","subscriptionId":"${{ secrets.SUBSCRIPTION_ID }}","tenantId":"${{ secrets.TENANT_ID }}"}'
+```
+In a similar way, any additional parameter can be added to creds such as resourceManagerEndpointUrl for Azure Stack, for example.
+
+### Manually creating the Credentials object
+
+If you already created and assigned a Service Principal in Azure you can manually create the .json object above by finding the `clientId` and `clientSecret` on the Service Principal, and your `subscriptionId` and `tenantId` of the subscription and tenant respectively. The `resourceManagerEndpointUrl` will be `https://management.azure.com/` if you are using the public Azure cloud.
+
+### Configure a service principal with a Federated Credential to use OIDC based authentication:
+
+
+You can add federated credentials in the Azure portal or with the Microsoft Graph REST API.
+
+#### Azure portal
+1. [Register an application](https://docs.microsoft.com/en-us/azure/active-directory/develop/quickstart-register-app) in Azure Portal
+2. Within the registered application, Go to **Certificates & secrets**.  
+3. In the **Federated credentials** tab, select **Add credential**.  
+4. The **Add a credential** blade opens.
+5. In the **Federated credential scenario** box select **GitHub actions deploying Azure resources**.
+6. Specify the **Organization** and **Repository** for your GitHub Actions workflow which needs to access the Azure resources scoped by this App (Service Principal) 
+7. For **Entity type**, select **Environment**, **Branch**, **Pull request**, or **Tag** and specify the value, based on how you have configured the trigger for your GitHub workflow. For a more detailed overview, see [GitHub OIDC guidance]( https://docs.github.com/en/actions/deployment/security-hardening-your-deployments/about-security-hardening-with-openid-connect#defining-[…]dc-claims). 
+8. Add a **Name** for the federated credential.
+9. Click **Add** to configure the federated credential.
+10. Make sure the above created application has the `contributor` access to the provided subscription. Visit [role-based-access-control](https://docs.microsoft.com/en-us/azure/role-based-access-control/role-assignments-portal?tabs=current#prerequisites) for more details.
+
+For a more detailed overview, see more guidance around [Azure Federated Credentials](https://docs.microsoft.com/en-us/azure/active-directory/develop/workload-identity-federation-create-trust-github). 
+
+#### Microsoft Graph
+
+1. Launch [Azure Cloud Shell](https://portal.azure.com/#cloudshell/) and sign in to your tenant.
+1. Create a federated identity credential
+
+    Run the following command to [create a new federated identity credential](https://docs.microsoft.com/en-us/graph/api/application-post-federatedidentitycredentials?view=graph-rest-beta&preserve-view=true) on your app (specified by the object ID of the app). Substitute the values `APPLICATION-OBJECT-ID`, `CREDENTIAL-NAME`, `SUBJECT`. The options for subject refer to your request filter. These are the conditions that OpenID Connect uses to determine when to issue an authentication token.  
+    * specific environment
+        ```azurecli
+        az rest --method POST --uri 'https://graph.microsoft.com/beta/applications/<APPLICATION-OBJECT-ID>/federatedIdentityCredentials' --body '{"name":"<CREDENTIAL-NAME>","issuer":"https://token.actions.githubusercontent.com","subject":"repo:octo-org/octo-repo:environment:Production","description":"Testing","audiences":["api://AzureADTokenExchange"]}' 
+        ```
+    * pull_request events
+       ```azurecli
+        az rest --method POST --uri 'https://graph.microsoft.com/beta/applications/<APPLICATION-OBJECT-ID>/federatedIdentityCredentials' --body '{"name":"<CREDENTIAL-NAME>","issuer":"https://token.actions.githubusercontent.com","subject":"repo:octo-org/octo-repo:pull_request","description":"Testing","audiences":["api://AzureADTokenExchange"]}' 
+        ```
+    * specific branch
+       ```azurecli
+        az rest --method POST --uri 'https://graph.microsoft.com/beta/applications/<APPLICATION-OBJECT-ID>/federatedIdentityCredentials' --body '{"name":"<CREDENTIAL-NAME>","issuer":"https://token.actions.githubusercontent.com","subject":"repo:octo-org/octo-repo:ref:refs/heads/{Branch}","description":"Testing","audiences":["api://AzureADTokenExchange"]}' 
+        ```
+    * specific tag
+       ```azurecli
+        az rest --method POST --uri 'https://graph.microsoft.com/beta/applications/<APPLICATION-OBJECT-ID>/federatedIdentityCredentials' --body '{"name":"<CREDENTIAL-NAME>","issuer":"https://token.actions.githubusercontent.com","subject":"repo:octo-org/octo-repo:ref:refs/heads/{Tag}","description":"Testing","audiences":["api://AzureADTokenExchange"]}' 
+        ```
+
+## Support for using `allow-no-subscriptions` flag with az login
+
+Capability has been added to support access to tenants without subscriptions for both OIDC and non-OIDC. This can be useful to run tenant level commands, such as `az ad`. The action accepts an optional parameter `allow-no-subscriptions` which is `false` by default.
+
+```yaml
+# File: .github/workflows/workflow.yml
+
+on: [push]
+
+name: AzureLoginWithNoSubscriptions
+
+jobs:
+
+  build-and-deploy:
+    runs-on: ubuntu-latest
+    steps:
+
+    - uses: azure/login@v1
+      with:
+        creds: ${{ secrets.AZURE_CREDENTIALS }}
+        allow-no-subscriptions: true
+```
+## Az logout and security hardening
+
+This action doesn't implement ```az logout``` by default at the end of execution. However there is no way of tampering the credentials or account information because the github hosted runner is on a VM that will get reimaged for every customer run which gets everything deleted. But if the runner is self-hosted which is not github provided it is recommended to manually logout at the end of the workflow as shown below. More details on security of the runners can be found [here](https://docs.github.com/en/actions/learn-github-actions/security-hardening-for-github-actions#hardening-for-self-hosted-runners).
+```
+- name: Azure CLI script
+  uses: azure/CLI@v1
+  with:
+    inlineScript: |
+      az logout
+      az cache purge
+      az account clear
+```
+## Az CLI dependency
+Internally in this action, we use azure CLI and execute `az login` with the credentials provided through secrets. In order to validate the new az CLI releases for this action, [canary test workflow](.github/workflows/azure-login-canary.yml) is written which will execute the action on [az CLI's edge build](https://github.com/Azure/azure-cli#edge-builds) which will fail incase of any breaking change is being introduced in the new upcoming release. The test results can be posted on a slack or teams channel using the corresponding integrations. Incase of a failure, the concern will be raised to [azure-cli](https://github.com/Azure/azure-cli) for taking a necessary action and also the latest CLI installation will be postponed in [Runner VMs](https://github.com/actions/virtual-environments) as well for hosted runner to prevent the workflows failing due to the new CLI changes.
+# Contributing
+
+This project welcomes contributions and suggestions.  Most contributions require you to agree to a
+Contributor License Agreement (CLA) declaring that you have the right to, and actually do, grant us
+the rights to use your contribution. For details, visit https://cla.opensource.microsoft.com.
+
+When you submit a pull request, a CLA bot will automatically determine whether you need to provide
+a CLA and decorate the PR appropriately (e.g., status check, comment). Simply follow the instructions
+provided by the bot. You will only need to do this once across all repos using our CLA.
+
+This project has adopted the [Microsoft Open Source Code of Conduct](https://opensource.microsoft.com/codeofconduct/).
+For more information see the [Code of Conduct FAQ](https://opensource.microsoft.com/codeofconduct/faq/) or
+contact [opencode@microsoft.com](mailto:opencode@microsoft.com) with any additional questions or comments.

__tests__/PowerShell/ServicePrinicipalLogin.test.ts

@@ -5,7 +5,7 @@ jest.mock('../../src/PowerShell/Utilities/PowerShellToolRunner');
 let spnlogin: ServicePrincipalLogin;
 
 beforeAll(() => {
-    spnlogin = new ServicePrincipalLogin("servicePrincipalID", "servicePrinicipalkey", "tenantId", "subscriptionId");
+    spnlogin = new ServicePrincipalLogin("servicePrincipalID", "servicePrinicipalkey", null, "tenantId", "subscriptionId", false, null, null);
 });
 
 afterEach(() => {

__tests__/PowerShell/Utilities/ScriptBuilder.test.ts

@@ -0,0 +1,25 @@
+import ScriptBuilder from "../../../src/PowerShell/Utilities/ScriptBuilder";
+import Constants from "../../../src/PowerShell/Constants";
+
+describe("Getting AzLogin PS script" , () => {
+    const scheme = Constants.ServicePrincipal;
+    let args: any = {
+        servicePrincipalId: "service-principal-id",
+        servicePrincipalKey: "service-principal-key",
+        environment: "environment",
+        scopeLevel: Constants.Subscription,
+        subscriptionId: "subId",
+        allowNoSubscriptionsLogin: true
+    }
+
+    test("PS script should not set context while passing allowNoSubscriptionsLogin as true", () => {
+        const loginScript = new ScriptBuilder().getAzPSLoginScript(scheme, "tenant-id", args);
+        expect(loginScript.includes("Set-AzContext -SubscriptionId")).toBeFalsy();
+    });
+
+    test("PS script should set context while passing allowNoSubscriptionsLogin as false", () => {
+        args["allowNoSubscriptionsLogin"] = false;
+        const loginScript = new ScriptBuilder().getAzPSLoginScript(scheme, "tenant-id", args);
+        expect(loginScript.includes("Set-AzContext -SubscriptionId")).toBeTruthy();
+    });
+});

action.yml

@@ -4,14 +4,35 @@ description: 'Authenticate to Azure and run your Az CLI or Az
 inputs: 
   creds:
     description: 'Paste output of `az ad sp create-for-rbac` as value of secret variable: AZURE_CREDENTIALS'
-    required: true
+    required: false
+  client-id:
+    description: 'ClientId of the Azure Service principal created.'
+    required: false
+  tenant-id:
+    description: 'TenantId of the Azure Service principal created.'
+    required: false
+  subscription-id:
+    description: 'Azure subscriptionId'
+    required: false
   enable-AzPSSession: 
     description: 'Set this value to true to enable Azure PowerShell Login in addition to Az CLI login'
     required: false
     default: false
+  environment:
+    description: 'Name of the environment. Supported values are azurecloud, azurestack, azureusgovernment, azurechinacloud, azuregermancloud. Default being azurecloud'
+    required: false
+    default: azurecloud
+  allow-no-subscriptions:
+    description: 'Set this value to true to enable support for accessing tenants without subscriptions'
+    required: false
+    default: false
+  audience:
+    description: 'Provide audience field for access-token. Default value is api://AzureADTokenExchange' 
+    required: false
+    default: 'api://AzureADTokenExchange'
 branding:
   icon: 'login.svg'
   color: 'blue'
 runs:
-  using: 'node12'
-  main: 'lib/main.js'
+  using: 'node16'
+  main: 'lib/main.js'

lib/PowerShell/Constants.js

@@ -5,7 +5,7 @@ class Constants {
 exports.default = Constants;
 Constants.prefix = "az_";
 Constants.moduleName = "Az.Accounts";
-Constants.versionPattern = /[0-9]\.[0-9]\.[0-9]/;
+Constants.versionPattern = /[0-9]+\.[0-9]+\.[0-9]+/;
 Constants.AzureCloud = "AzureCloud";
 Constants.Subscription = "Subscription";
 Constants.ServicePrincipal = "ServicePrincipal";

lib/PowerShell/ServicePrincipalLogin.js

@@ -1,4 +1,23 @@
 "use strict";
+var __createBinding = (this && this.__createBinding) || (Object.create ? (function(o, m, k, k2) {
+    if (k2 === undefined) k2 = k;
+    Object.defineProperty(o, k2, { enumerable: true, get: function() { return m[k]; } });
+}) : (function(o, m, k, k2) {
+    if (k2 === undefined) k2 = k;
+    o[k2] = m[k];
+}));
+var __setModuleDefault = (this && this.__setModuleDefault) || (Object.create ? (function(o, v) {
+    Object.defineProperty(o, "default", { enumerable: true, value: v });
+}) : function(o, v) {
+    o["default"] = v;
+});
+var __importStar = (this && this.__importStar) || function (mod) {
+    if (mod && mod.__esModule) return mod;
+    var result = {};
+    if (mod != null) for (var k in mod) if (k !== "default" && Object.prototype.hasOwnProperty.call(mod, k)) __createBinding(result, mod, k);
+    __setModuleDefault(result, mod);
+    return result;
+};
 var __awaiter = (this && this.__awaiter) || function (thisArg, _arguments, P, generator) {
     function adopt(value) { return value instanceof P ? value : new P(function (resolve) { resolve(value); }); }
     return new (P || (P = Promise))(function (resolve, reject) {
@@ -8,28 +27,26 @@ var __awaiter = (this && this.__awaiter) || function (thisArg, _arguments, P, ge
         step((generator = generator.apply(thisArg, _arguments || [])).next());
     });
 };
-var __importStar = (this && this.__importStar) || function (mod) {
-    if (mod && mod.__esModule) return mod;
-    var result = {};
-    if (mod != null) for (var k in mod) if (Object.hasOwnProperty.call(mod, k)) result[k] = mod[k];
-    result["default"] = mod;
-    return result;
-};
 var __importDefault = (this && this.__importDefault) || function (mod) {
     return (mod && mod.__esModule) ? mod : { "default": mod };
 };
 Object.defineProperty(exports, "__esModule", { value: true });
+exports.ServicePrincipalLogin = void 0;
 const core = __importStar(require("@actions/core"));
 const Utils_1 = __importDefault(require("./Utilities/Utils"));
 const PowerShellToolRunner_1 = __importDefault(require("./Utilities/PowerShellToolRunner"));
 const ScriptBuilder_1 = __importDefault(require("./Utilities/ScriptBuilder"));
 const Constants_1 = __importDefault(require("./Constants"));
 class ServicePrincipalLogin {
-    constructor(servicePrincipalId, servicePrincipalKey, tenantId, subscriptionId) {
+    constructor(servicePrincipalId, servicePrincipalKey, federatedToken, tenantId, subscriptionId, allowNoSubscriptionsLogin, environment, resourceManagerEndpointUrl) {
         this.servicePrincipalId = servicePrincipalId;
         this.servicePrincipalKey = servicePrincipalKey;
+        this.federatedToken = federatedToken;
         this.tenantId = tenantId;
         this.subscriptionId = subscriptionId;
+        this.environment = environment;
+        this.resourceManagerEndpointUrl = resourceManagerEndpointUrl;
+        this.allowNoSubscriptionsLogin = allowNoSubscriptionsLogin;
     }
     initialize() {
         return __awaiter(this, void 0, void 0, function* () {
@@ -42,19 +59,30 @@ class ServicePrincipalLogin {
     login() {
         return __awaiter(this, void 0, void 0, function* () {
             let output = "";
+            let commandStdErr = false;
             const options = {
                 listeners: {
                     stdout: (data) => {
                         output += data.toString();
+                    },
+                    stderr: (data) => {
+                        let error = data.toString();
+                        if (error && error.trim().length !== 0) {
+                            commandStdErr = true;
+                            core.error(error);
+                        }
                     }
                 }
             };
             const args = {
                 servicePrincipalId: this.servicePrincipalId,
                 servicePrincipalKey: this.servicePrincipalKey,
+                federatedToken: this.federatedToken,
                 subscriptionId: this.subscriptionId,
-                environment: ServicePrincipalLogin.environment,
-                scopeLevel: ServicePrincipalLogin.scopeLevel
+                environment: this.environment,
+                scopeLevel: ServicePrincipalLogin.scopeLevel,
+                allowNoSubscriptionsLogin: this.allowNoSubscriptionsLogin,
+                resourceManagerEndpointUrl: this.resourceManagerEndpointUrl
             };
             const script = new ScriptBuilder_1.default().getAzPSLoginScript(ServicePrincipalLogin.scheme, this.tenantId, args);
             yield PowerShellToolRunner_1.default.init();
@@ -68,6 +96,5 @@ class ServicePrincipalLogin {
     }
 }
 exports.ServicePrincipalLogin = ServicePrincipalLogin;
-ServicePrincipalLogin.environment = Constants_1.default.AzureCloud;
 ServicePrincipalLogin.scopeLevel = Constants_1.default.Subscription;
 ServicePrincipalLogin.scheme = Constants_1.default.ServicePrincipal;

lib/PowerShell/Utilities/PowerShellToolRunner.js

@@ -1,4 +1,23 @@
 "use strict";
+var __createBinding = (this && this.__createBinding) || (Object.create ? (function(o, m, k, k2) {
+    if (k2 === undefined) k2 = k;
+    Object.defineProperty(o, k2, { enumerable: true, get: function() { return m[k]; } });
+}) : (function(o, m, k, k2) {
+    if (k2 === undefined) k2 = k;
+    o[k2] = m[k];
+}));
+var __setModuleDefault = (this && this.__setModuleDefault) || (Object.create ? (function(o, v) {
+    Object.defineProperty(o, "default", { enumerable: true, value: v });
+}) : function(o, v) {
+    o["default"] = v;
+});
+var __importStar = (this && this.__importStar) || function (mod) {
+    if (mod && mod.__esModule) return mod;
+    var result = {};
+    if (mod != null) for (var k in mod) if (k !== "default" && Object.prototype.hasOwnProperty.call(mod, k)) __createBinding(result, mod, k);
+    __setModuleDefault(result, mod);
+    return result;
+};
 var __awaiter = (this && this.__awaiter) || function (thisArg, _arguments, P, generator) {
     function adopt(value) { return value instanceof P ? value : new P(function (resolve) { resolve(value); }); }
     return new (P || (P = Promise))(function (resolve, reject) {
@@ -8,13 +27,6 @@ var __awaiter = (this && this.__awaiter) || function (thisArg, _arguments, P, ge
         step((generator = generator.apply(thisArg, _arguments || [])).next());
     });
 };
-var __importStar = (this && this.__importStar) || function (mod) {
-    if (mod && mod.__esModule) return mod;
-    var result = {};
-    if (mod != null) for (var k in mod) if (Object.hasOwnProperty.call(mod, k)) result[k] = mod[k];
-    result["default"] = mod;
-    return result;
-};
 Object.defineProperty(exports, "__esModule", { value: true });
 const io = __importStar(require("@actions/io"));
 const exec = __importStar(require("@actions/exec"));
@@ -28,6 +40,7 @@ class PowerShellToolRunner {
     }
     static executePowerShellScriptBlock(scriptBlock, options = {}) {
         return __awaiter(this, void 0, void 0, function* () {
+            //Options for error handling
             yield exec.exec(`"${PowerShellToolRunner.psPath}" -Command`, [scriptBlock], options);
         });
     }

lib/PowerShell/Utilities/ScriptBuilder.js

@@ -1,9 +1,21 @@
 "use strict";
+var __createBinding = (this && this.__createBinding) || (Object.create ? (function(o, m, k, k2) {
+    if (k2 === undefined) k2 = k;
+    Object.defineProperty(o, k2, { enumerable: true, get: function() { return m[k]; } });
+}) : (function(o, m, k, k2) {
+    if (k2 === undefined) k2 = k;
+    o[k2] = m[k];
+}));
+var __setModuleDefault = (this && this.__setModuleDefault) || (Object.create ? (function(o, v) {
+    Object.defineProperty(o, "default", { enumerable: true, value: v });
+}) : function(o, v) {
+    o["default"] = v;
+});
 var __importStar = (this && this.__importStar) || function (mod) {
     if (mod && mod.__esModule) return mod;
     var result = {};
-    if (mod != null) for (var k in mod) if (Object.hasOwnProperty.call(mod, k)) result[k] = mod[k];
-    result["default"] = mod;
+    if (mod != null) for (var k in mod) if (k !== "default" && Object.prototype.hasOwnProperty.call(mod, k)) __createBinding(result, mod, k);
+    __setModuleDefault(result, mod);
     return result;
 };
 var __importDefault = (this && this.__importDefault) || function (mod) {
@@ -20,10 +32,21 @@ class ScriptBuilder {
         let command = `Clear-AzContext -Scope Process;
              Clear-AzContext -Scope CurrentUser -Force -ErrorAction SilentlyContinue;`;
         if (scheme === Constants_1.default.ServicePrincipal) {
-            command += `Connect-AzAccount -ServicePrincipal -Tenant '${tenantId}' -Credential \
-            (New-Object System.Management.Automation.PSCredential('${args.servicePrincipalId}',(ConvertTo-SecureString '${args.servicePrincipalKey}' -AsPlainText -Force))) \
-                -Environment '${args.environment}' | out-null;`;
-            if (args.scopeLevel === Constants_1.default.Subscription) {
+            if (args.environment.toLowerCase() == "azurestack") {
+                command += `Add-AzEnvironment -Name ${args.environment} -ARMEndpoint ${args.resourceManagerEndpointUrl} | out-null;`;
+            }
+            // Separate command script for OIDC and non-OIDC
+            if (!!args.federatedToken) {
+                command += `Connect-AzAccount -ServicePrincipal -ApplicationId '${args.servicePrincipalId}' -Tenant '${tenantId}' -FederatedToken '${args.federatedToken}'  \
+                    -Environment '${args.environment}' | out-null;`;
+            }
+            else {
+                command += `Connect-AzAccount -ServicePrincipal -Tenant '${tenantId}' -Credential \
+                (New-Object System.Management.Automation.PSCredential('${args.servicePrincipalId}',(ConvertTo-SecureString '${args.servicePrincipalKey.replace("'", "''")}' -AsPlainText -Force))) \
+                    -Environment '${args.environment}' | out-null;`;
+            }
+            // command to set the subscription
+            if (args.scopeLevel === Constants_1.default.Subscription && !args.allowNoSubscriptionsLogin) {
                 command += `Set-AzContext -SubscriptionId '${args.subscriptionId}' -TenantId '${tenantId}' | out-null;`;
             }
         }

lib/PowerShell/Utilities/Utils.js

@@ -1,4 +1,23 @@
 "use strict";
+var __createBinding = (this && this.__createBinding) || (Object.create ? (function(o, m, k, k2) {
+    if (k2 === undefined) k2 = k;
+    Object.defineProperty(o, k2, { enumerable: true, get: function() { return m[k]; } });
+}) : (function(o, m, k, k2) {
+    if (k2 === undefined) k2 = k;
+    o[k2] = m[k];
+}));
+var __setModuleDefault = (this && this.__setModuleDefault) || (Object.create ? (function(o, v) {
+    Object.defineProperty(o, "default", { enumerable: true, value: v });
+}) : function(o, v) {
+    o["default"] = v;
+});
+var __importStar = (this && this.__importStar) || function (mod) {
+    if (mod && mod.__esModule) return mod;
+    var result = {};
+    if (mod != null) for (var k in mod) if (k !== "default" && Object.prototype.hasOwnProperty.call(mod, k)) __createBinding(result, mod, k);
+    __setModuleDefault(result, mod);
+    return result;
+};
 var __awaiter = (this && this.__awaiter) || function (thisArg, _arguments, P, generator) {
     function adopt(value) { return value instanceof P ? value : new P(function (resolve) { resolve(value); }); }
     return new (P || (P = Promise))(function (resolve, reject) {
@@ -8,13 +27,6 @@ var __awaiter = (this && this.__awaiter) || function (thisArg, _arguments, P, ge
         step((generator = generator.apply(thisArg, _arguments || [])).next());
     });
 };
-var __importStar = (this && this.__importStar) || function (mod) {
-    if (mod && mod.__esModule) return mod;
-    var result = {};
-    if (mod != null) for (var k in mod) if (Object.hasOwnProperty.call(mod, k)) result[k] = mod[k];
-    result["default"] = mod;
-    return result;
-};
 var __importDefault = (this && this.__importDefault) || function (mod) {
     return (mod && mod.__esModule) ? mod : { "default": mod };
 };

lib/main.js

@@ -1,90 +1,244 @@
-"use strict";
-var __awaiter = (this && this.__awaiter) || function (thisArg, _arguments, P, generator) {
-    function adopt(value) { return value instanceof P ? value : new P(function (resolve) { resolve(value); }); }
-    return new (P || (P = Promise))(function (resolve, reject) {
-        function fulfilled(value) { try { step(generator.next(value)); } catch (e) { reject(e); } }
-        function rejected(value) { try { step(generator["throw"](value)); } catch (e) { reject(e); } }
-        function step(result) { result.done ? resolve(result.value) : adopt(result.value).then(fulfilled, rejected); }
-        step((generator = generator.apply(thisArg, _arguments || [])).next());
-    });
-};
-var __importStar = (this && this.__importStar) || function (mod) {
-    if (mod && mod.__esModule) return mod;
-    var result = {};
-    if (mod != null) for (var k in mod) if (Object.hasOwnProperty.call(mod, k)) result[k] = mod[k];
-    result["default"] = mod;
-    return result;
-};
-Object.defineProperty(exports, "__esModule", { value: true });
-const core = __importStar(require("@actions/core"));
-const crypto = __importStar(require("crypto"));
-const exec = __importStar(require("@actions/exec"));
-const io = __importStar(require("@actions/io"));
-const actions_secret_parser_1 = require("actions-secret-parser");
-const ServicePrincipalLogin_1 = require("./PowerShell/ServicePrincipalLogin");
-var azPath;
-var prefix = !!process.env.AZURE_HTTP_USER_AGENT ? `${process.env.AZURE_HTTP_USER_AGENT}` : "";
-var azPSHostEnv = !!process.env.AZUREPS_HOST_ENVIRONMENT ? `${process.env.AZUREPS_HOST_ENVIRONMENT}` : "";
-function main() {
-    return __awaiter(this, void 0, void 0, function* () {
-        try {
-            // Set user agent variable
-            var isAzCLISuccess = false;
-            let usrAgentRepo = crypto.createHash('sha256').update(`${process.env.GITHUB_REPOSITORY}`).digest('hex');
-            let actionName = 'AzureLogin';
-            let userAgentString = (!!prefix ? `${prefix}+` : '') + `GITHUBACTIONS/${actionName}@v1_${usrAgentRepo}`;
-            let azurePSHostEnv = (!!azPSHostEnv ? `${azPSHostEnv}+` : '') + `GITHUBACTIONS/${actionName}@v1_${usrAgentRepo}`;
-            core.exportVariable('AZURE_HTTP_USER_AGENT', userAgentString);
-            core.exportVariable('AZUREPS_HOST_ENVIRONMENT', azurePSHostEnv);
-            azPath = yield io.which("az", true);
-            yield executeAzCliCommand("--version");
-            let creds = core.getInput('creds', { required: true });
-            let secrets = new actions_secret_parser_1.SecretParser(creds, actions_secret_parser_1.FormatType.JSON);
-            let servicePrincipalId = secrets.getSecret("$.clientId", false);
-            let servicePrincipalKey = secrets.getSecret("$.clientSecret", true);
-            let tenantId = secrets.getSecret("$.tenantId", false);
-            let subscriptionId = secrets.getSecret("$.subscriptionId", false);
-            const enableAzPSSession = core.getInput('enable-AzPSSession').toLowerCase() === "true";
-            if (!servicePrincipalId || !servicePrincipalKey || !tenantId || !subscriptionId) {
-                throw new Error("Not all values are present in the creds object. Ensure clientId, clientSecret, tenantId and subscriptionId are supplied.");
-            }
-            // Attempting Az cli login
-            yield executeAzCliCommand(`login --service-principal -u "${servicePrincipalId}" -p "${servicePrincipalKey}" --tenant "${tenantId}"`, true);
-            yield executeAzCliCommand(`account set --subscription "${subscriptionId}"`, true);
-            isAzCLISuccess = true;
-            if (enableAzPSSession) {
-                // Attempting Az PS login
-                console.log(`Running Azure PS Login`);
-                const spnlogin = new ServicePrincipalLogin_1.ServicePrincipalLogin(servicePrincipalId, servicePrincipalKey, tenantId, subscriptionId);
-                yield spnlogin.initialize();
-                yield spnlogin.login();
-            }
-            console.log("Login successful.");
-        }
-        catch (error) {
-            if (!isAzCLISuccess) {
-                core.error("Az CLI Login failed. Please check the credentials. For more information refer https://aka.ms/create-secrets-for-GitHub-workflows");
-            }
-            else {
-                core.error(`Azure PowerShell Login failed. Please check the credentials. For more information refer https://aka.ms/create-secrets-for-GitHub-workflows"`);
-            }
-            core.setFailed(error);
-        }
-        finally {
-            // Reset AZURE_HTTP_USER_AGENT
-            core.exportVariable('AZURE_HTTP_USER_AGENT', prefix);
-            core.exportVariable('AZUREPS_HOST_ENVIRONMENT', azPSHostEnv);
-        }
-    });
-}
-function executeAzCliCommand(command, silent) {
-    return __awaiter(this, void 0, void 0, function* () {
-        try {
-            yield exec.exec(`"${azPath}" ${command}`, [], { silent: !!silent });
-        }
-        catch (error) {
-            throw new Error(error);
-        }
-    });
-}
-main();
+"use strict";
+var __createBinding = (this && this.__createBinding) || (Object.create ? (function(o, m, k, k2) {
+    if (k2 === undefined) k2 = k;
+    Object.defineProperty(o, k2, { enumerable: true, get: function() { return m[k]; } });
+}) : (function(o, m, k, k2) {
+    if (k2 === undefined) k2 = k;
+    o[k2] = m[k];
+}));
+var __setModuleDefault = (this && this.__setModuleDefault) || (Object.create ? (function(o, v) {
+    Object.defineProperty(o, "default", { enumerable: true, value: v });
+}) : function(o, v) {
+    o["default"] = v;
+});
+var __importStar = (this && this.__importStar) || function (mod) {
+    if (mod && mod.__esModule) return mod;
+    var result = {};
+    if (mod != null) for (var k in mod) if (k !== "default" && Object.prototype.hasOwnProperty.call(mod, k)) __createBinding(result, mod, k);
+    __setModuleDefault(result, mod);
+    return result;
+};
+var __awaiter = (this && this.__awaiter) || function (thisArg, _arguments, P, generator) {
+    function adopt(value) { return value instanceof P ? value : new P(function (resolve) { resolve(value); }); }
+    return new (P || (P = Promise))(function (resolve, reject) {
+        function fulfilled(value) { try { step(generator.next(value)); } catch (e) { reject(e); } }
+        function rejected(value) { try { step(generator["throw"](value)); } catch (e) { reject(e); } }
+        function step(result) { result.done ? resolve(result.value) : adopt(result.value).then(fulfilled, rejected); }
+        step((generator = generator.apply(thisArg, _arguments || [])).next());
+    });
+};
+Object.defineProperty(exports, "__esModule", { value: true });
+const core = __importStar(require("@actions/core"));
+const exec = __importStar(require("@actions/exec"));
+const io = __importStar(require("@actions/io"));
+const actions_secret_parser_1 = require("actions-secret-parser");
+const ServicePrincipalLogin_1 = require("./PowerShell/ServicePrincipalLogin");
+var azPath;
+var prefix = !!process.env.AZURE_HTTP_USER_AGENT ? `${process.env.AZURE_HTTP_USER_AGENT}` : "";
+var azPSHostEnv = !!process.env.AZUREPS_HOST_ENVIRONMENT ? `${process.env.AZUREPS_HOST_ENVIRONMENT}` : "";
+function main() {
+    return __awaiter(this, void 0, void 0, function* () {
+        try {
+            //Options for error handling
+            const loginOptions = {
+                silent: true,
+                listeners: {
+                    stderr: (data) => {
+                        let error = data.toString();
+                        let startsWithWarning = error.toLowerCase().startsWith('warning');
+                        let startsWithError = error.toLowerCase().startsWith('error');
+                        // printing ERROR
+                        if (error && error.trim().length !== 0 && !startsWithWarning) {
+                            if (startsWithError) {
+                                //removing the keyword 'ERROR' to avoid duplicates while throwing error
+                                error = error.slice(5);
+                            }
+                            core.setFailed(error);
+                        }
+                    }
+                }
+            };
+            // Set user agent variable
+            var isAzCLISuccess = false;
+            let usrAgentRepo = `${process.env.GITHUB_REPOSITORY}`;
+            let actionName = 'AzureLogin';
+            let userAgentString = (!!prefix ? `${prefix}+` : '') + `GITHUBACTIONS/${actionName}@v1_${usrAgentRepo}`;
+            let azurePSHostEnv = (!!azPSHostEnv ? `${azPSHostEnv}+` : '') + `GITHUBACTIONS/${actionName}@v1_${usrAgentRepo}`;
+            core.exportVariable('AZURE_HTTP_USER_AGENT', userAgentString);
+            core.exportVariable('AZUREPS_HOST_ENVIRONMENT', azurePSHostEnv);
+            azPath = yield io.which("az", true);
+            core.debug(`az cli version used: ${azPath}`);
+            let azureSupportedCloudName = new Set([
+                "azureusgovernment",
+                "azurechinacloud",
+                "azuregermancloud",
+                "azurecloud",
+                "azurestack"
+            ]);
+            let output = "";
+            const execOptions = {
+                listeners: {
+                    stdout: (data) => {
+                        output += data.toString();
+                    }
+                }
+            };
+            yield executeAzCliCommand("--version", true, execOptions);
+            core.debug(`az cli version used:\n${output}`);
+            let creds = core.getInput('creds', { required: false });
+            let secrets = creds ? new actions_secret_parser_1.SecretParser(creds, actions_secret_parser_1.FormatType.JSON) : null;
+            let environment = core.getInput("environment").toLowerCase();
+            const enableAzPSSession = core.getInput('enable-AzPSSession').toLowerCase() === "true";
+            const allowNoSubscriptionsLogin = core.getInput('allow-no-subscriptions').toLowerCase() === "true";
+            //Check for the credentials in individual parameters in the workflow.
+            var servicePrincipalId = core.getInput('client-id', { required: false });
+            var servicePrincipalKey = null;
+            var tenantId = core.getInput('tenant-id', { required: false });
+            var subscriptionId = core.getInput('subscription-id', { required: false });
+            var resourceManagerEndpointUrl = "https://management.azure.com/";
+            var enableOIDC = true;
+            var federatedToken = null;
+            // If any of the individual credentials (clent_id, tenat_id, subscription_id) is present.
+            if (servicePrincipalId || tenantId || subscriptionId) {
+                //If few of the individual credentials (clent_id, tenat_id, subscription_id) are missing in action inputs.
+                if (!(servicePrincipalId && tenantId && (subscriptionId || allowNoSubscriptionsLogin)))
+                    throw new Error("Few credentials are missing. ClientId, tenantId are mandatory. SubscriptionId is also mandatory if allow-no-subscriptions is not set.");
+            }
+            else {
+                if (creds) {
+                    core.debug('using creds JSON...');
+                    enableOIDC = false;
+                    servicePrincipalId = secrets.getSecret("$.clientId", true);
+                    servicePrincipalKey = secrets.getSecret("$.clientSecret", true);
+                    tenantId = secrets.getSecret("$.tenantId", true);
+                    subscriptionId = secrets.getSecret("$.subscriptionId", true);
+                    resourceManagerEndpointUrl = secrets.getSecret("$.resourceManagerEndpointUrl", false);
+                }
+                else {
+                    throw new Error("Credentials are not passed for Login action.");
+                }
+            }
+            //generic checks 
+            //servicePrincipalKey is only required in non-oidc scenario.
+            if (!servicePrincipalId || !tenantId || !(servicePrincipalKey || enableOIDC)) {
+                throw new Error("Not all values are present in the credentials. Ensure clientId, clientSecret and tenantId are supplied.");
+            }
+            if (!subscriptionId && !allowNoSubscriptionsLogin) {
+                throw new Error("Not all values are present in the credentials. Ensure subscriptionId is supplied.");
+            }
+            if (!azureSupportedCloudName.has(environment)) {
+                throw new Error("Unsupported value for environment is passed.The list of supported values for environment are ‘azureusgovernment', ‘azurechinacloud’, ‘azuregermancloud’, ‘azurecloud’ or ’azurestack’");
+            }
+            // OIDC specific checks
+            if (enableOIDC) {
+                console.log('Using OIDC authentication...');
+                try {
+                    //generating ID-token
+                    let audience = core.getInput('audience', { required: false });
+                    federatedToken = yield core.getIDToken(audience);
+                    if (!!federatedToken) {
+                        if (environment != "azurecloud")
+                            throw new Error(`Your current environment - "${environment}" is not supported for OIDC login.`);
+                        let [issuer, subjectClaim] = yield jwtParser(federatedToken);
+                        console.log("Federated token details: \n issuer - " + issuer + " \n subject claim - " + subjectClaim);
+                    }
+                }
+                catch (error) {
+                    core.error(`${error.message.split(':')[1]}. Please make sure to give write permissions to id-token in the workflow.`);
+                }
+            }
+            // Attempting Az cli login
+            if (environment == "azurestack") {
+                if (!resourceManagerEndpointUrl) {
+                    throw new Error("resourceManagerEndpointUrl is a required parameter when environment is defined.");
+                }
+                console.log(`Unregistering cloud: "${environment}" first if it exists`);
+                try {
+                    yield executeAzCliCommand(`cloud set -n AzureCloud`, true);
+                    yield executeAzCliCommand(`cloud unregister -n "${environment}"`, false);
+                }
+                catch (error) {
+                    console.log(`Ignore cloud not registered error: "${error}"`);
+                }
+                console.log(`Registering cloud: "${environment}" with ARM endpoint: "${resourceManagerEndpointUrl}"`);
+                try {
+                    let baseUri = resourceManagerEndpointUrl;
+                    if (baseUri.endsWith('/')) {
+                        baseUri = baseUri.substring(0, baseUri.length - 1); // need to remove trailing / from resourceManagerEndpointUrl to correctly derive suffixes below
+                    }
+                    let suffixKeyvault = ".vault" + baseUri.substring(baseUri.indexOf('.')); // keyvault suffix starts with .
+                    let suffixStorage = baseUri.substring(baseUri.indexOf('.') + 1); // storage suffix starts without .
+                    let profileVersion = "2019-03-01-hybrid";
+                    yield executeAzCliCommand(`cloud register -n "${environment}" --endpoint-resource-manager "${resourceManagerEndpointUrl}" --suffix-keyvault-dns "${suffixKeyvault}" --suffix-storage-endpoint "${suffixStorage}" --profile "${profileVersion}"`, false);
+                }
+                catch (error) {
+                    core.error(`Error while trying to register cloud "${environment}": "${error}"`);
+                }
+                console.log(`Done registering cloud: "${environment}"`);
+            }
+            yield executeAzCliCommand(`cloud set -n "${environment}"`, false);
+            console.log(`Done setting cloud: "${environment}"`);
+            // Attempting Az cli login
+            var commonArgs = ["--service-principal",
+                "-u", servicePrincipalId,
+                "--tenant", tenantId
+            ];
+            if (allowNoSubscriptionsLogin) {
+                commonArgs = commonArgs.concat("--allow-no-subscriptions");
+            }
+            if (enableOIDC) {
+                commonArgs = commonArgs.concat("--federated-token", federatedToken);
+            }
+            else {
+                console.log("Note: Azure/login action also supports OIDC login mechanism. Refer https://github.com/azure/login#configure-a-service-principal-with-a-federated-credential-to-use-oidc-based-authentication for more details.");
+                commonArgs = commonArgs.concat("-p", servicePrincipalKey);
+            }
+            yield executeAzCliCommand(`login`, true, loginOptions, commonArgs);
+            if (!allowNoSubscriptionsLogin) {
+                var args = [
+                    "--subscription",
+                    subscriptionId
+                ];
+                yield executeAzCliCommand(`account set`, true, loginOptions, args);
+            }
+            isAzCLISuccess = true;
+            if (enableAzPSSession) {
+                // Attempting Az PS login
+                console.log(`Running Azure PS Login`);
+                var spnlogin;
+                spnlogin = new ServicePrincipalLogin_1.ServicePrincipalLogin(servicePrincipalId, servicePrincipalKey, federatedToken, tenantId, subscriptionId, allowNoSubscriptionsLogin, environment, resourceManagerEndpointUrl);
+                yield spnlogin.initialize();
+                yield spnlogin.login();
+            }
+            console.log("Login successful.");
+        }
+        catch (error) {
+            if (!isAzCLISuccess) {
+                core.setFailed("Az CLI Login failed. Please check the credentials and make sure az is installed on the runner. For more information refer https://aka.ms/create-secrets-for-GitHub-workflows");
+            }
+            else {
+                core.setFailed(`Azure PowerShell Login failed. Please check the credentials and make sure az is installed on the runner. For more information refer https://aka.ms/create-secrets-for-GitHub-workflows"`);
+            }
+        }
+        finally {
+            // Reset AZURE_HTTP_USER_AGENT
+            core.exportVariable('AZURE_HTTP_USER_AGENT', prefix);
+            core.exportVariable('AZUREPS_HOST_ENVIRONMENT', azPSHostEnv);
+        }
+    });
+}
+function executeAzCliCommand(command, silent, execOptions = {}, args = []) {
+    return __awaiter(this, void 0, void 0, function* () {
+        execOptions.silent = !!silent;
+        yield exec.exec(`"${azPath}" ${command}`, args, execOptions);
+    });
+}
+function jwtParser(federatedToken) {
+    return __awaiter(this, void 0, void 0, function* () {
+        let tokenPayload = federatedToken.split('.')[1];
+        let bufferObj = Buffer.from(tokenPayload, "base64");
+        let decodedPayload = JSON.parse(bufferObj.toString("utf8"));
+        return [decodedPayload['iss'], decodedPayload['sub']];
+    });
+}
+main();

package.json

@@ -18,9 +18,10 @@
     "typescript": "^3.6.3"
   },
   "dependencies": {
-    "@actions/core": "^1.1.3",
+    "@actions/core": "1.6.0",
     "@actions/exec": "^1.0.1",
     "@actions/io": "^1.0.1",
-    "actions-secret-parser": "^1.0.2"
+    "actions-secret-parser": "^1.0.2",
+    "package-lock": "^1.0.3"
   }
 }

src/PowerShell/Constants.ts

@@ -1,7 +1,7 @@
 export default class Constants {
     static readonly prefix: string = "az_";
     static readonly moduleName: string = "Az.Accounts";
-    static readonly versionPattern = /[0-9]\.[0-9]\.[0-9]/;
+    static readonly versionPattern = /[0-9]+\.[0-9]+\.[0-9]+/;
 
     static readonly AzureCloud: string = "AzureCloud";
     static readonly Subscription: string = "Subscription";
@@ -10,4 +10,4 @@ export default class Constants {
     static readonly Success: string = "Success";
     static readonly Error: string = "Error";
     static readonly AzVersion: string = "AzVersion";
-}
+}

src/PowerShell/ServicePrincipalLogin.ts

@@ -6,19 +6,34 @@ import ScriptBuilder from './Utilities/ScriptBuilder';
 import Constants from './Constants';
 
 export class ServicePrincipalLogin implements IAzurePowerShellSession {
-    static readonly environment: string = Constants.AzureCloud;
     static readonly scopeLevel: string = Constants.Subscription;
     static readonly scheme: string = Constants.ServicePrincipal;
+    environment: string;
     servicePrincipalId: string;
     servicePrincipalKey: string;
     tenantId: string;
     subscriptionId: string;
+    resourceManagerEndpointUrl: string;
+    allowNoSubscriptionsLogin: boolean;
+    federatedToken: string;
+
+    constructor(servicePrincipalId: string,
+        servicePrincipalKey: string,
+        federatedToken: string,
+        tenantId: string,
+        subscriptionId: string,
+        allowNoSubscriptionsLogin: boolean,
+        environment: string,
+        resourceManagerEndpointUrl: string) {
 
-    constructor(servicePrincipalId: string, servicePrincipalKey: string, tenantId: string, subscriptionId: string) {
         this.servicePrincipalId = servicePrincipalId;
         this.servicePrincipalKey = servicePrincipalKey;
+        this.federatedToken = federatedToken;
         this.tenantId = tenantId;
         this.subscriptionId = subscriptionId;
+        this.environment = environment;
+        this.resourceManagerEndpointUrl = resourceManagerEndpointUrl;
+        this.allowNoSubscriptionsLogin = allowNoSubscriptionsLogin;
     }
 
     async initialize() {
@@ -30,19 +45,31 @@ export class ServicePrincipalLogin implements IAzurePowerShellSession {
 
     async login() {
         let output: string = "";
+        let commandStdErr = false;
         const options: any = {
             listeners: {
                 stdout: (data: Buffer) => {
                     output += data.toString();
+                },
+                stderr: (data: Buffer) => {
+                    let error = data.toString();
+                    if (error && error.trim().length !== 0)
+                    {
+                        commandStdErr = true;
+                        core.error(error);
+                    }
                 }
             }
         };
         const args: any = {
             servicePrincipalId: this.servicePrincipalId,
             servicePrincipalKey: this.servicePrincipalKey,
+            federatedToken: this.federatedToken,
             subscriptionId: this.subscriptionId,
-            environment: ServicePrincipalLogin.environment,
-            scopeLevel: ServicePrincipalLogin.scopeLevel
+            environment: this.environment,
+            scopeLevel: ServicePrincipalLogin.scopeLevel,
+            allowNoSubscriptionsLogin: this.allowNoSubscriptionsLogin,
+            resourceManagerEndpointUrl: this.resourceManagerEndpointUrl
         }
         const script: string = new ScriptBuilder().getAzPSLoginScript(ServicePrincipalLogin.scheme, this.tenantId, args);
         await PowerShellToolRunner.init();

src/PowerShell/Utilities/PowerShellToolRunner.ts

@@ -3,7 +3,6 @@ import * as exec from '@actions/exec';
 
 export default class PowerShellToolRunner {
     static psPath: string;
-
     static async init() {
         if(!PowerShellToolRunner.psPath) {
             PowerShellToolRunner.psPath = await io.which("pwsh", true);
@@ -11,6 +10,7 @@ export default class PowerShellToolRunner {
     }
 
     static async executePowerShellScriptBlock(scriptBlock: string, options: any = {}) {
+        //Options for error handling
         await exec.exec(`"${PowerShellToolRunner.psPath}" -Command`, [scriptBlock], options)
     }
 }

src/PowerShell/Utilities/ScriptBuilder.ts

@@ -8,14 +8,28 @@ export default class ScriptBuilder {
     getAzPSLoginScript(scheme: string, tenantId: string, args: any): string {
         let command = `Clear-AzContext -Scope Process;
              Clear-AzContext -Scope CurrentUser -Force -ErrorAction SilentlyContinue;`;
+
         if (scheme === Constants.ServicePrincipal) {
-            command += `Connect-AzAccount -ServicePrincipal -Tenant '${tenantId}' -Credential \
-            (New-Object System.Management.Automation.PSCredential('${args.servicePrincipalId}',(ConvertTo-SecureString '${args.servicePrincipalKey}' -AsPlainText -Force))) \
-                -Environment '${args.environment}' | out-null;`;
-            if (args.scopeLevel === Constants.Subscription) {
+
+            if (args.environment.toLowerCase() == "azurestack") {
+                command += `Add-AzEnvironment -Name ${args.environment} -ARMEndpoint ${args.resourceManagerEndpointUrl} | out-null;`;
+            }
+            // Separate command script for OIDC and non-OIDC
+            if (!!args.federatedToken) {
+                command += `Connect-AzAccount -ServicePrincipal -ApplicationId '${args.servicePrincipalId}' -Tenant '${tenantId}' -FederatedToken '${args.federatedToken}'  \
+                    -Environment '${args.environment}' | out-null;`;
+            }
+            else {
+                command += `Connect-AzAccount -ServicePrincipal -Tenant '${tenantId}' -Credential \
+                (New-Object System.Management.Automation.PSCredential('${args.servicePrincipalId}',(ConvertTo-SecureString '${args.servicePrincipalKey.replace("'", "''")}' -AsPlainText -Force))) \
+                    -Environment '${args.environment}' | out-null;`;
+            }
+            // command to set the subscription
+            if (args.scopeLevel === Constants.Subscription && !args.allowNoSubscriptionsLogin) {
                 command += `Set-AzContext -SubscriptionId '${args.subscriptionId}' -TenantId '${tenantId}' | out-null;`;
             }
         }
+
         this.script += `try {
             $ErrorActionPreference = "Stop"
             $WarningPreference = "SilentlyContinue"
@@ -27,6 +41,7 @@ export default class ScriptBuilder {
             $output['${Constants.Error}'] = $_.exception.Message
         }
         return ConvertTo-Json $output`;
+
         core.debug(`Azure PowerShell Login Script: ${this.script}`);
         return this.script;
     }
@@ -48,4 +63,5 @@ export default class ScriptBuilder {
         core.debug(`GetLatestModuleScript: ${this.script}`);
         return this.script;
     }
-}
+
+}

src/main.ts

@@ -1,72 +1,239 @@
-import * as core from '@actions/core';
-import * as crypto from "crypto";
-import * as exec from '@actions/exec';
-import * as io from '@actions/io';
-
-import { FormatType, SecretParser } from 'actions-secret-parser';
-import { ServicePrincipalLogin } from './PowerShell/ServicePrincipalLogin';
-
-var azPath: string;
-var prefix = !!process.env.AZURE_HTTP_USER_AGENT ? `${process.env.AZURE_HTTP_USER_AGENT}` : "";
-var azPSHostEnv = !!process.env.AZUREPS_HOST_ENVIRONMENT ? `${process.env.AZUREPS_HOST_ENVIRONMENT}` : "";
-
-async function main() {
-    try {
-        // Set user agent variable
-        var isAzCLISuccess = false;
-        let usrAgentRepo = crypto.createHash('sha256').update(`${process.env.GITHUB_REPOSITORY}`).digest('hex');
-        let actionName = 'AzureLogin';
-        let userAgentString = (!!prefix ? `${prefix}+` : '') + `GITHUBACTIONS/${actionName}@v1_${usrAgentRepo}`;
-        let azurePSHostEnv = (!!azPSHostEnv ? `${azPSHostEnv}+` : '') + `GITHUBACTIONS/${actionName}@v1_${usrAgentRepo}`;
-        core.exportVariable('AZURE_HTTP_USER_AGENT', userAgentString);
-        core.exportVariable('AZUREPS_HOST_ENVIRONMENT', azurePSHostEnv);
-
-        azPath = await io.which("az", true);
-        await executeAzCliCommand("--version");
-
-        let creds = core.getInput('creds', { required: true });
-        let secrets = new SecretParser(creds, FormatType.JSON);
-        let servicePrincipalId = secrets.getSecret("$.clientId", false);
-        let servicePrincipalKey = secrets.getSecret("$.clientSecret", true);
-        let tenantId = secrets.getSecret("$.tenantId", false);
-        let subscriptionId = secrets.getSecret("$.subscriptionId", false);
-        const enableAzPSSession = core.getInput('enable-AzPSSession').toLowerCase() === "true";
-        if (!servicePrincipalId || !servicePrincipalKey || !tenantId || !subscriptionId) {
-            throw new Error("Not all values are present in the creds object. Ensure clientId, clientSecret, tenantId and subscriptionId are supplied.");
-        }
-        // Attempting Az cli login
-        await executeAzCliCommand(`login --service-principal -u "${servicePrincipalId}" -p "${servicePrincipalKey}" --tenant "${tenantId}"`, true);
-        await executeAzCliCommand(`account set --subscription "${subscriptionId}"`, true);
-        isAzCLISuccess = true;
-        if (enableAzPSSession) {
-            // Attempting Az PS login
-            console.log(`Running Azure PS Login`);
-            const spnlogin: ServicePrincipalLogin = new ServicePrincipalLogin(servicePrincipalId, servicePrincipalKey, tenantId, subscriptionId);
-            await spnlogin.initialize();
-            await spnlogin.login();
-        }
-        console.log("Login successful.");    
-    } catch (error) {
-        if (!isAzCLISuccess) {
-            core.error("Az CLI Login failed. Please check the credentials. For more information refer https://aka.ms/create-secrets-for-GitHub-workflows");
-        } else {
-            core.error(`Azure PowerShell Login failed. Please check the credentials. For more information refer https://aka.ms/create-secrets-for-GitHub-workflows"`);
-        }
-        core.setFailed(error);
-    } finally {
-        // Reset AZURE_HTTP_USER_AGENT
-        core.exportVariable('AZURE_HTTP_USER_AGENT', prefix);
-        core.exportVariable('AZUREPS_HOST_ENVIRONMENT', azPSHostEnv);
-    }
-}
-
-async function executeAzCliCommand(command: string, silent?: boolean) {
-    try {
-        await exec.exec(`"${azPath}" ${command}`, [],  {silent: !!silent}); 
-    }
-    catch(error) {
-        throw new Error(error);
-    }
-}
-
+import * as core from '@actions/core';
+import * as exec from '@actions/exec';
+import { ExecOptions } from '@actions/exec/lib/interfaces';
+import * as io from '@actions/io';
+import { FormatType, SecretParser } from 'actions-secret-parser';
+import { ServicePrincipalLogin } from './PowerShell/ServicePrincipalLogin';
+
+var azPath: string;
+var prefix = !!process.env.AZURE_HTTP_USER_AGENT ? `${process.env.AZURE_HTTP_USER_AGENT}` : "";
+var azPSHostEnv = !!process.env.AZUREPS_HOST_ENVIRONMENT ? `${process.env.AZUREPS_HOST_ENVIRONMENT}` : "";
+
+async function main() {
+    try {
+        //Options for error handling
+        const loginOptions: ExecOptions = {
+            silent: true,
+            listeners: {
+                stderr: (data: Buffer) => {
+                    let error = data.toString();
+                    let startsWithWarning = error.toLowerCase().startsWith('warning');
+                    let startsWithError = error.toLowerCase().startsWith('error');
+                    // printing ERROR
+                    if (error && error.trim().length !== 0 && !startsWithWarning) {
+                        if(startsWithError) {
+                            //removing the keyword 'ERROR' to avoid duplicates while throwing error
+                            error = error.slice(5);
+                        }
+                        core.setFailed(error);
+                    }
+                }
+            }
+        }
+        // Set user agent variable
+        var isAzCLISuccess = false;
+        let usrAgentRepo = `${process.env.GITHUB_REPOSITORY}`;
+        let actionName = 'AzureLogin';
+        let userAgentString = (!!prefix ? `${prefix}+` : '') + `GITHUBACTIONS/${actionName}@v1_${usrAgentRepo}`;
+        let azurePSHostEnv = (!!azPSHostEnv ? `${azPSHostEnv}+` : '') + `GITHUBACTIONS/${actionName}@v1_${usrAgentRepo}`;
+        core.exportVariable('AZURE_HTTP_USER_AGENT', userAgentString);
+        core.exportVariable('AZUREPS_HOST_ENVIRONMENT', azurePSHostEnv);
+
+        azPath = await io.which("az", true);
+        core.debug(`az cli version used: ${azPath}`);
+        let azureSupportedCloudName = new Set([
+            "azureusgovernment",
+            "azurechinacloud",
+            "azuregermancloud",
+            "azurecloud",
+            "azurestack"]);
+
+        let output: string = "";
+        const execOptions: any = {
+            listeners: {
+                stdout: (data: Buffer) => {
+                    output += data.toString();
+                }
+            }
+        };
+        await executeAzCliCommand("--version", true, execOptions);
+        core.debug(`az cli version used:\n${output}`);
+
+        let creds = core.getInput('creds', { required: false });
+        let secrets = creds ? new SecretParser(creds, FormatType.JSON) : null;
+        let environment = core.getInput("environment").toLowerCase();
+        const enableAzPSSession = core.getInput('enable-AzPSSession').toLowerCase() === "true";
+        const allowNoSubscriptionsLogin = core.getInput('allow-no-subscriptions').toLowerCase() === "true";
+
+        //Check for the credentials in individual parameters in the workflow.
+        var servicePrincipalId = core.getInput('client-id', { required: false });
+        var servicePrincipalKey = null;
+        var tenantId = core.getInput('tenant-id', { required: false });
+        var subscriptionId = core.getInput('subscription-id', { required: false });
+        var resourceManagerEndpointUrl = "https://management.azure.com/";
+        var enableOIDC = true;
+        var federatedToken = null;
+
+        // If any of the individual credentials (clent_id, tenat_id, subscription_id) is present.
+        if (servicePrincipalId || tenantId || subscriptionId) {
+
+            //If few of the individual credentials (clent_id, tenat_id, subscription_id) are missing in action inputs.
+            if (!(servicePrincipalId && tenantId && (subscriptionId || allowNoSubscriptionsLogin)))
+                throw new Error("Few credentials are missing. ClientId, tenantId are mandatory. SubscriptionId is also mandatory if allow-no-subscriptions is not set.");
+        }
+        else {
+            if (creds) {
+                core.debug('using creds JSON...');
+                enableOIDC = false;
+                servicePrincipalId = secrets.getSecret("$.clientId", true);
+                servicePrincipalKey = secrets.getSecret("$.clientSecret", true);
+                tenantId = secrets.getSecret("$.tenantId", true);
+                subscriptionId = secrets.getSecret("$.subscriptionId", true);
+                resourceManagerEndpointUrl = secrets.getSecret("$.resourceManagerEndpointUrl", false);
+            }
+            else {
+                throw new Error("Credentials are not passed for Login action.");
+            }
+        }
+        //generic checks 
+        //servicePrincipalKey is only required in non-oidc scenario.
+        if (!servicePrincipalId || !tenantId || !(servicePrincipalKey || enableOIDC)) {
+            throw new Error("Not all values are present in the credentials. Ensure clientId, clientSecret and tenantId are supplied.");
+        }
+        if (!subscriptionId && !allowNoSubscriptionsLogin) {
+            throw new Error("Not all values are present in the credentials. Ensure subscriptionId is supplied.");
+        }
+        if (!azureSupportedCloudName.has(environment)) {
+            throw new Error("Unsupported value for environment is passed.The list of supported values for environment are ‘azureusgovernment', ‘azurechinacloud’, ‘azuregermancloud’, ‘azurecloud’ or ’azurestack’");
+        }
+
+        // OIDC specific checks
+        if (enableOIDC) {
+            console.log('Using OIDC authentication...')
+            try {
+                //generating ID-token
+                let audience = core.getInput('audience', { required: false });
+                federatedToken = await core.getIDToken(audience);
+                if (!!federatedToken) {
+                    if (environment != "azurecloud")
+                        throw new Error(`Your current environment - "${environment}" is not supported for OIDC login.`);
+                    let [issuer, subjectClaim] = await jwtParser(federatedToken);
+                    console.log("Federated token details: \n issuer - " + issuer + " \n subject claim - " + subjectClaim);
+                }
+            }
+            catch (error) {
+                core.error(`${error.message.split(':')[1]}. Please make sure to give write permissions to id-token in the workflow.`);
+            }
+        }
+
+        // Attempting Az cli login
+        if (environment == "azurestack") {
+            if (!resourceManagerEndpointUrl) {
+                throw new Error("resourceManagerEndpointUrl is a required parameter when environment is defined.");
+            }
+
+            console.log(`Unregistering cloud: "${environment}" first if it exists`);
+            try {
+                await executeAzCliCommand(`cloud set -n AzureCloud`, true);
+                await executeAzCliCommand(`cloud unregister -n "${environment}"`, false);
+            }
+            catch (error) {
+                console.log(`Ignore cloud not registered error: "${error}"`);
+            }
+
+            console.log(`Registering cloud: "${environment}" with ARM endpoint: "${resourceManagerEndpointUrl}"`);
+            try {
+                let baseUri = resourceManagerEndpointUrl;
+                if (baseUri.endsWith('/')) {
+                    baseUri = baseUri.substring(0, baseUri.length - 1); // need to remove trailing / from resourceManagerEndpointUrl to correctly derive suffixes below
+                }
+                let suffixKeyvault = ".vault" + baseUri.substring(baseUri.indexOf('.')); // keyvault suffix starts with .
+                let suffixStorage = baseUri.substring(baseUri.indexOf('.') + 1); // storage suffix starts without .
+                let profileVersion = "2019-03-01-hybrid";
+                await executeAzCliCommand(`cloud register -n "${environment}" --endpoint-resource-manager "${resourceManagerEndpointUrl}" --suffix-keyvault-dns "${suffixKeyvault}" --suffix-storage-endpoint "${suffixStorage}" --profile "${profileVersion}"`, false);
+            }
+            catch (error) {
+                core.error(`Error while trying to register cloud "${environment}": "${error}"`);
+            }
+
+            console.log(`Done registering cloud: "${environment}"`)
+        }
+
+        await executeAzCliCommand(`cloud set -n "${environment}"`, false);
+        console.log(`Done setting cloud: "${environment}"`);
+
+        // Attempting Az cli login
+        var commonArgs = ["--service-principal",
+            "-u", servicePrincipalId,
+            "--tenant", tenantId
+        ];
+        if (allowNoSubscriptionsLogin) {
+            commonArgs = commonArgs.concat("--allow-no-subscriptions");
+        }
+        if (enableOIDC) {
+            commonArgs = commonArgs.concat("--federated-token", federatedToken);
+        }
+        else {
+            console.log("Note: Azure/login action also supports OIDC login mechanism. Refer https://github.com/azure/login#configure-a-service-principal-with-a-federated-credential-to-use-oidc-based-authentication for more details.")
+            commonArgs = commonArgs.concat("-p", servicePrincipalKey);
+        }
+        await executeAzCliCommand(`login`, true, loginOptions, commonArgs);
+
+        if (!allowNoSubscriptionsLogin) {
+            var args = [
+                "--subscription",
+                subscriptionId
+            ];
+            await executeAzCliCommand(`account set`, true, loginOptions, args);
+        }
+        isAzCLISuccess = true;
+        if (enableAzPSSession) {
+            // Attempting Az PS login
+            console.log(`Running Azure PS Login`);
+            var spnlogin: ServicePrincipalLogin;
+
+            spnlogin = new ServicePrincipalLogin(
+                servicePrincipalId,
+                servicePrincipalKey,
+                federatedToken,
+                tenantId,
+                subscriptionId,
+                allowNoSubscriptionsLogin,
+                environment,
+                resourceManagerEndpointUrl);
+            await spnlogin.initialize();
+            await spnlogin.login();
+        }
+
+        console.log("Login successful.");
+    }
+    catch (error) {
+        if (!isAzCLISuccess) {
+            core.setFailed("Az CLI Login failed. Please check the credentials and make sure az is installed on the runner. For more information refer https://aka.ms/create-secrets-for-GitHub-workflows");
+        }
+        else {
+            core.setFailed(`Azure PowerShell Login failed. Please check the credentials and make sure az is installed on the runner. For more information refer https://aka.ms/create-secrets-for-GitHub-workflows"`);
+        }
+    }
+    finally {
+        // Reset AZURE_HTTP_USER_AGENT
+        core.exportVariable('AZURE_HTTP_USER_AGENT', prefix);
+        core.exportVariable('AZUREPS_HOST_ENVIRONMENT', azPSHostEnv);
+    }
+}
+
+async function executeAzCliCommand(
+    command: string,
+    silent?: boolean,
+    execOptions: any = {},
+    args: any = []) {
+    execOptions.silent = !!silent;
+    await exec.exec(`"${azPath}" ${command}`, args, execOptions);
+}
+async function jwtParser(federatedToken: string) {
+    let tokenPayload = federatedToken.split('.')[1];
+    let bufferObj = Buffer.from(tokenPayload, "base64");
+    let decodedPayload = JSON.parse(bufferObj.toString("utf8"));
+    return [decodedPayload['iss'], decodedPayload['sub']];
+}
 main();