Azure Government OIDC login default audience fails

[jcantosz]

I ran into an issue with the OIDC audience used when I used a different environment. I expected the default audience of the environment to be used but instead it was always api://AzureADTokenExchange

I would like the action to set the default audience based on the environment (with a user-specified still value overriding it). If that is not feasible or desirable, I would like the documentation to more explicitly document the need to change the audience when not using commercial cloud.

I would be happy to contribute either of these changes if they would be valuable. For the former, we would need a list of each environment's default audiences

---

When I was using this to log in to Azure Government with OIDC, I set the following:

      - name: Azure login
        uses: azure/login@v2
        with:
          client-id: ${{ secrets.AZURE_CLIENT_ID }}
          tenant-id: ${{ secrets.AZURE_TENANT_ID }}
          subscription-id: ${{ secrets.AZURE_SUBSCRIPTION_ID }}
          environment: 'AzureUSGovernment'

I expected this to work as is, with the environment setting up any defaults for Azure Government . The default audience when i created my federated id in Azure Government was something like: api://AzureADTokenExchangeUSGov, so I had to set that, like below:

      - name: Azure login
        uses: azure/login@v2
        with:
          client-id: ${{ secrets.AZURE_CLIENT_ID }}
          tenant-id: ${{ secrets.AZURE_TENANT_ID }}
          subscription-id: ${{ secrets.AZURE_SUBSCRIPTION_ID }}
          environment: 'AzureUSGovernment'
          audience: api://AzureADTokenExchangeUSGov

[MoChilia]

Hi @jcantosz, this feature request sounds reasonable, but I couldn't find an official document listing the default exchange token audiences for different clouds. Could you share it with me?

[jcantosz]

Thank @MoChilia! I would bet that those default audiences would align to the Azure environments like those listed here (from the SDK). I could guess what they are 😆 , but I'll see if I can grab more details of each of those environments and see if its listed out somewhere

[jcantosz]

Sadly, the only other mention I see is this issue: AzureAD/microsoft-identity-web#2749
Where the 2 listed are: api://AzureADTokenExchangeUSGov, api://AzureADTokenExchangeChina. Docs change looks like the better route

[MoChilia]

Add an official document here that details the various audiences for non-public clouds for your reference.
https://review.learn.microsoft.com/en-us/identity/microsoft-identity-platform/federated-identity-credentials?branch=main&tabs=dotnet#first-party-apps

The api://AzureADTokenExchange audience is only available for public clouds. If you're using non-public clouds, the following values can be relied on instead:

• Fairfax: api://AzureADTokenExchangeUSGov
• Mooncake: api://AzureADTokenExchangeChina
• USNat: api://AzureADTokenExchangeUSNat
• USSec: api://AzureADTokenExchangeUSSec

If you use a non-public cloud, you'll also need to ensure that you are configuring the correct audience in your FIC settings when assigning the Managed Identity to your application.