Description
azd pipeline config fails to build OIDC subjects when the GitHub repository (or org) OIDC customization template includes the context claim key.
This was introduced in #7705 which added support for custom OIDC subject claims. The BuildOIDCSubject() function handles repository_owner_id, repository_id, repository_owner, and repository — but not context, which is a valid GitHub OIDC claim key.
cc @pamelafox who reported this issue when running azd pipeline config against a repo in an org that uses context in its OIDC template.
What is the context claim key?
Per GitHub docs, context represents the dynamic trailing part of the subject — the portion that follows the repository identifier in the default sub format. Its value depends on what triggered the workflow:
| Trigger | context value |
|---|---|
| Branch push | ref:refs/heads/main |
| Pull request | pull_request |
| Environment job | environment:production |
For example, ["repo", "context"] in include_claim_keys is GitHub's way of representing the default subject format: repo:org/repo:ref:refs/heads/main.
Reproduction
Given a repo whose OIDC customization API returns:
```json
{
  "use_default": false,
  "include_claim_keys": ["repository_owner_id", "repository_id", "context"]
}
```
Running azd pipeline config produces:
```text
WARNING: Unable to build OIDC subjects from detected config: failed to build OIDC subject
for pull requests: unsupported OIDC claim key "context" in subject template for
<org>/<repo> — azd may need to be updated. Falling back to default format for manual entry.
```
In interactive mode, azd falls back to prompting with the default format subjects (e.g., repo:org/repo:ref:refs/heads/main), which are wrong for this org. The credential gets created with the wrong subject, and CI later fails with:
```text
AADSTS700213: No matching federated identity record found for presented assertion subject
repository_owner_id:12345:repository_id:67890:ref:refs/heads/main.
```
The actual token GitHub emits has subject repository_owner_id:12345:repository_id:67890:ref:refs/heads/main, but the credential was created with repo:org/repo:ref:refs/heads/main.
Root Cause
In cli/azd/pkg/tools/github/oidc.go, BuildOIDCSubject() has a switch over known claim keys. The context key is missing:
```go
for _, key := range oidcConfig.IncludeClaimKeys {
    switch key {
    case "repository_owner_id":
        // ...
    case "repository_id":
        // ...
    case "repository_owner":
        // ...
    case "repository":
        // ...
    default:
        return "", fmt.Errorf("unsupported OIDC claim key %q ...", key, repoSlug)
    }
}
parts = append(parts, suffix) // suffix is always appended at the end
```
Proposed Fix
Add a "context" case to the switch that appends the suffix parameter (which already contains the correct context value like ref:refs/heads/main or pull_request), and skip the unconditional suffix append at the end when context is present in the claim keys:
```go
case "context":
    parts = append(parts, suffix)
```
Then guard the final parts = append(parts, suffix) to only run when context was not in the claim keys (to avoid duplicating the suffix).
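The following is an added, self-contained illustration of the proposed fix; it is not azd's BuildOIDCSubject() and does not use azd's types. It assumes that every claim key other than context renders as `key:value` (matching the `repository_owner_id:12345:repository_id:67890` form in the error above), that the GitHub default key `repo` renders as `repo:org/repo`, and that the numeric IDs are constructed sample values. It builds the subject from a template, emits the suffix at the position of the context key, and only appends the suffix at the end when the template did not contain context, so the repro template yields the subject GitHub actually issues rather than the default-format one.

```go
package main

import (
	"fmt"
	"strings"
)

// OIDCConfig mirrors the shape of the GitHub OIDC customization API response
// (use_default / include_claim_keys). Constructed for this example.
type OIDCConfig struct {
	UseDefault       bool
	IncludeClaimKeys []string
}

// RepoInfo carries the values each claim key resolves to. The numeric IDs are
// constructed sample values, not real GitHub identifiers.
type RepoInfo struct {
	Owner   string
	Name    string
	OwnerID string
	RepoID  string
}

// BuildSubject assembles the expected OIDC "sub" claim from a claim-key
// template. suffix is the dynamic context value for the workflow trigger,
// e.g. "ref:refs/heads/main" or "pull_request". Illustrative only; the
// "key:value" rendering for each key is an assumption of this example.
func BuildSubject(cfg OIDCConfig, repo RepoInfo, suffix string) (string, error) {
	repoSlug := repo.Owner + "/" + repo.Name
	if cfg.UseDefault {
		// GitHub's default format is equivalent to ["repo", "context"].
		return "repo:" + repoSlug + ":" + suffix, nil
	}
	var parts []string
	contextSeen := false
	for _, key := range cfg.IncludeClaimKeys {
		switch key {
		case "repo":
			parts = append(parts, "repo:"+repoSlug)
		case "repository":
			parts = append(parts, "repository:"+repoSlug)
		case "repository_owner":
			parts = append(parts, "repository_owner:"+repo.Owner)
		case "repository_owner_id":
			parts = append(parts, "repository_owner_id:"+repo.OwnerID)
		case "repository_id":
			parts = append(parts, "repository_id:"+repo.RepoID)
		case "context":
			// context is the trailing dynamic part of the subject: emit the
			// suffix here instead of appending it unconditionally at the end.
			parts = append(parts, suffix)
			contextSeen = true
		default:
			return "", fmt.Errorf("unsupported OIDC claim key %q in subject template for %s", key, repoSlug)
		}
	}
	if !contextSeen {
		// Templates without an explicit context key still get the suffix,
		// but only once; guarding here avoids duplicating it.
		parts = append(parts, suffix)
	}
	return strings.Join(parts, ":"), nil
}

func main() {
	repo := RepoInfo{Owner: "org", Name: "repo", OwnerID: "12345", RepoID: "67890"}
	templates := []OIDCConfig{
		{IncludeClaimKeys: []string{"repository_owner_id", "repository_id", "context"}}, // the repro template
		{IncludeClaimKeys: []string{"repo", "context"}},                                 // GitHub's default, spelled out
		{IncludeClaimKeys: []string{"repository_owner_id", "repository_id"}},            // no context: suffix appended once
	}
	for _, cfg := range templates {
		for _, suffix := range []string{"ref:refs/heads/main", "pull_request"} {
			sub, err := BuildSubject(cfg, repo, suffix)
			if err != nil {
				fmt.Println("error:", err)
				continue
			}
			fmt.Printf("%v -> %s\n", cfg.IncludeClaimKeys, sub)
		}
	}
}
```

The federated credential must be created with exactly the string GitHub will place in the token's sub claim; a mismatch in either direction surfaces as the AADSTS700213 failure shown above, so a check like this belongs before the credential is written, not after CI fails.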
Affected Organizations
Any GitHub org that includes context in their OIDC include_claim_keys template. This is common because ["repo", "context"] is GitHub's canonical way to represent the default format, and orgs that add ID-based keys (like repository_owner_id, repository_id) alongside context will hit this bug.