AzurePowerShell idtoken sample (#67)

Author: geekzter

scripts/azure-devops/create-oidctoken.yml

@@ -118,7 +118,7 @@ jobs:
     workingDirectory: $(Build.ArtifactStagingDirectory)
 
   - task: AzureCLI@2
-    displayName: 'Inline script'
+    displayName: 'AzureCLI script'
     inputs:
       azureSubscription: '$(azureConnectionWIF)'
       scriptType: pscore
@@ -149,9 +149,53 @@ jobs:
                           -Method Post | Set-Variable oidcTokenResponse
 
         $oidcToken = $oidcTokenResponse.oidcToken
-        if ($oidcToken) {
-          Write-Host "idToken (masked):"
-          $oidcToken -replace '.','*' 
+        if ($oidcToken -match "^ey") {
+          Write-Host "REST API returned a JWT token"
+        } elseif ($oidcToken) {
+          throw "OIDC token in unexpected format"
+        } else {
+          throw "Failed to request OIDC token"
+        }
+      failOnStandardError: true
+      workingDirectory: $(Build.ArtifactStagingDirectory)
+
+  - task: AzurePowerShell@5
+    displayName: 'AzurePowerShell script'
+    inputs:
+      azurePowerShellVersion: LatestVersion
+      azureSubscription: '$(azureConnectionWIF)'
+      pwsh: true
+      scriptType: InlineScript
+      inline: |
+        Write-Host "Service Connection ID: ${env:AZURESUBSCRIPTION_SERVICE_CONNECTION_ID}"
+        Write-Host "Service Connection endpoint data:"
+        Get-ChildItem -Path Env: -Recurse `
+                                -Include AZURESUBSCRIPTION_*, SYSTEM_OIDC* `
+                                | Sort-Object -Property Name `
+                                | ForEach-Object { 
+                                    if ($_.Name -match 'SECRET|TOKEN') {
+                                      $_.Value = '***'
+                                    } 
+                                    $_
+                                  } `
+                                | Format-Table -HideTableHeaders -Property @{Expression='Name';Width=75}, @{Expression='Value';Width=175} -Wrap `
+                                | Out-String -Width 256
+
+        $oidcTokenUrl = "${env:SYSTEM_OIDCREQUESTURI}?api-version=7.1&serviceConnectionId=${env:AZURESUBSCRIPTION_SERVICE_CONNECTION_ID}"
+        Write-Host "oidcTokenUrl: $oidcTokenUrl"
+        
+        Invoke-RestMethod -Headers @{
+                            Authorization  = "Bearer $(System.AccessToken)"
+                            'Content-Type' = 'application/json'
+                          } `
+                          -Uri $oidcTokenUrl `
+                          -Method Post | Set-Variable oidcTokenResponse
+
+        $oidcToken = $oidcTokenResponse.oidcToken
+        if ($oidcToken -match "^ey") {
+          Write-Host "REST API returned a JWT token"
+        } elseif ($oidcToken) {
+          throw "OIDC token in unexpected format"
         } else {
           throw "Failed to request OIDC token"
         }
@@ -160,4 +204,4 @@ jobs:
 
   - publish: $(Build.ArtifactStagingDirectory)
     displayName: 'Publish json files'
-    artifact: $(azureConnectionWIF)
+    artifact: $(azureConnectionWIF)