Support Workload Identity Federation #2297
Open
mjcheetham wants to merge 2 commits into git-ecosystem:main from
Conversation
Pull request overview
Adds support for Azure Repos authentication via Workload Identity Federation (WIF), enabling federated token exchange for Azure DevOps access tokens across multiple workload scenarios.
Changes:
- Added WIF handling to the Azure Repos host provider (generic assertion, Entra ID Managed Identity, GitHub Actions OIDC).
- Implemented WIF token acquisition flow in MicrosoftAuthentication and introduced MicrosoftWorkloadFederationOptions.
- Documented new environment/config settings and added unit tests for the new scenarios.
Reviewed changes
Copilot reviewed 9 out of 9 changed files in this pull request and generated 5 comments.
| File | Description |
|---|---|
| src/shared/Microsoft.AzureRepos/AzureReposHostProvider.cs | Adds WIF detection/config parsing and uses MSAL to acquire Azure DevOps tokens via federated assertions. |
| src/shared/Microsoft.AzureRepos/AzureDevOpsConstants.cs | Introduces env var and git config keys for WIF settings. |
| src/shared/Microsoft.AzureRepos.Tests/AzureReposHostProviderTests.cs | Adds tests for WIF scenarios (generic, file assertion, managed identity, GitHub Actions). |
| src/shared/Core/Constants.cs | Adds default WIF audience constant and GitHub Actions OIDC env var names. |
| src/shared/Core/Authentication/MicrosoftWorkloadFederationOptions.cs | New options object + scenario enum for WIF flows. |
| src/shared/Core/Authentication/MicrosoftAuthentication.cs | Implements federated confidential client flow + GitHub Actions OIDC token retrieval. |
| docs/environment.md | Documents new WIF-related environment variables. |
| docs/configuration.md | Documents new WIF-related git configuration settings. |
| docs/azrepos-wif.md | New conceptual + usage documentation for Azure Repos WIF. |
HarryGwinnell approved these changes (Apr 8, 2026) and left a comment:
Looks good to me, just one super minor thing
2a97804 to 0ab36ac
Add support for Workload Identity Federation (WIF) for Azure Repos. This enables users to authenticate to Azure Repos using federated tokens from Managed Identities, GitHub Actions, or generic identity providers.

We support three scenarios:

1. Generic
   When you have a pre-obtained client assertion token from any external identity provider. You provide the assertion directly and GCM exchanges it for an access token.

2. Entra ID Managed Identities
   When your workload runs on an Azure resource that has a Managed Identity assigned. GCM will first request a token from the Managed Identity for the configured audience, then exchange that token for an Azure DevOps access token.

3. GitHub Actions
   When your workload runs in a GitHub Actions workflow. GCM will automatically obtain an OIDC token from the GitHub Actions runtime and exchange it for an Azure DevOps access token.

Signed-off-by: Matthew John Cheetham <mjcheetham@outlook.com>
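The three scenarios described in the PR, as an added example that is not part of the PR or of GCM's own code: a Python sketch of the federated exchange that all three scenarios converge on, with the two token sources the PR automates (GitHub Actions OIDC and Azure Managed Identity) in front of it. The endpoint shapes (the runner-injected ACTIONS_ID_TOKEN_REQUEST_URL and ACTIONS_ID_TOKEN_REQUEST_TOKEN variables, the Azure IMDS token endpoint, and the Entra ID v2 token endpoint taking a JWT-bearer client assertion) come from the public platform documentation, not from this PR. The Azure DevOps resource id, the audience, and the tenant and client ids are assumptions or placeholders, and the HTTP transport is injected with a constructed fake so the walk-through runs offline.

```python
import base64
import json
import time
from typing import Callable, Dict, Mapping, Optional, Tuple
from urllib.parse import parse_qs, urlencode

# Assumed constants (not taken from the PR): Azure DevOps resource id for the
# `.default` scope, the RFC 7523 assertion type, and the Azure IMDS token URL.
AZURE_DEVOPS_SCOPE = "499b84ac-1321-427f-aa17-267ca6975798/.default"
CLIENT_ASSERTION_TYPE = "urn:ietf:params:oauth:client-assertion-type:jwt-bearer"
IMDS_TOKEN_URL = "http://169.254.169.254/metadata/identity/oauth2/token"

# Injected transport so the flow runs offline: (method, url, headers, body) -> (status, body).
Http = Callable[[str, str, Dict[str, str], Optional[bytes]], Tuple[int, str]]


def decode_jwt_claims(token: str) -> dict:
    """Read a compact JWS payload without verifying it (the token endpoint verifies)."""
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("not a compact JWS")
    payload = parts[1] + "=" * (-len(parts[1]) % 4)
    return json.loads(base64.urlsafe_b64decode(payload))


def check_assertion(token: str, audience: str, now: Optional[float] = None) -> dict:
    """Fail locally, with a clear message, on a wrong-audience or expired assertion."""
    claims = decode_jwt_claims(token)
    aud = claims.get("aud")
    auds = aud if isinstance(aud, list) else [aud]
    if audience not in auds:
        raise ValueError(f"assertion audience {auds} does not include {audience!r}")
    if "exp" in claims and claims["exp"] <= (time.time() if now is None else now):
        raise ValueError("assertion has expired")
    return claims


def github_actions_oidc_token(http: Http, env: Mapping[str, str], audience: str) -> str:
    """Scenario 3: ask the Actions runtime for an OIDC token via the runner-injected variables."""
    url = env["ACTIONS_ID_TOKEN_REQUEST_URL"]
    url += ("&" if "?" in url else "?") + urlencode({"audience": audience})
    headers = {"Authorization": "bearer " + env["ACTIONS_ID_TOKEN_REQUEST_TOKEN"]}
    status, body = http("GET", url, headers, None)
    if status != 200:
        raise RuntimeError(f"GitHub OIDC token request failed with HTTP {status}")
    return json.loads(body)["value"]


def managed_identity_token(http: Http, audience: str) -> str:
    """Scenario 2: ask the Azure IMDS endpoint for a Managed Identity token for `audience`."""
    query = urlencode({"api-version": "2018-02-01", "resource": audience})
    status, body = http("GET", f"{IMDS_TOKEN_URL}?{query}", {"Metadata": "true"}, None)
    if status != 200:
        raise RuntimeError(f"IMDS token request failed with HTTP {status}")
    return json.loads(body)["access_token"]


def exchange_assertion(http: Http, tenant_id: str, client_id: str, assertion: str,
                       scope: str = AZURE_DEVOPS_SCOPE) -> str:
    """All three scenarios end here: a client-credentials grant in which the federated
    token is presented as the client assertion instead of a client secret."""
    form = {"client_id": client_id, "grant_type": "client_credentials", "scope": scope,
            "client_assertion_type": CLIENT_ASSERTION_TYPE, "client_assertion": assertion}
    status, body = http("POST", f"https://login.microsoftonline.com/{tenant_id}/oauth2/v2.0/token",
                        {"Content-Type": "application/x-www-form-urlencoded"},
                        urlencode(form).encode())
    data = json.loads(body)
    if status != 200 or "access_token" not in data:
        raise RuntimeError("token exchange failed: " + str(data.get("error_description", body)))
    return data["access_token"]


def make_unsigned_jwt(claims: dict) -> str:
    """Constructed test token: JWS layout with a dummy signature segment."""
    def seg(d):
        return base64.urlsafe_b64encode(json.dumps(d).encode()).rstrip(b"=").decode()
    return f"{seg({'alg': 'none', 'typ': 'JWT'})}.{seg(claims)}.sig"


# Constructed environment and fake endpoints standing in for the Actions runtime and Entra ID.
FAKE_ENV = {"ACTIONS_ID_TOKEN_REQUEST_URL": "https://runner.invalid/token?x=1",
            "ACTIONS_ID_TOKEN_REQUEST_TOKEN": "runner-bearer"}
FAKE_AUDIENCE = "api://AzureADTokenExchange"  # assumed federated-credential audience


def fake_http(method, url, headers, body):
    if url.startswith(FAKE_ENV["ACTIONS_ID_TOKEN_REQUEST_URL"]):
        if headers.get("Authorization") != "bearer runner-bearer":
            return 401, json.dumps({"message": "bad runner token"})
        jwt = make_unsigned_jwt({"aud": FAKE_AUDIENCE, "exp": 4102444800, "sub": "repo:org/repo"})
        return 200, json.dumps({"value": jwt})
    if method == "POST" and "/oauth2/v2.0/token" in url:
        form = parse_qs(body.decode())
        if form.get("client_assertion_type") != [CLIENT_ASSERTION_TYPE]:
            return 400, json.dumps({"error": "invalid_request"})
        return 200, json.dumps({"access_token": "ado-token-constructed", "expires_in": 3600})
    return 404, "{}"


def run_github_actions_scenario(http: Http = fake_http, env: Mapping[str, str] = FAKE_ENV) -> str:
    assertion = github_actions_oidc_token(http, env, FAKE_AUDIENCE)
    check_assertion(assertion, FAKE_AUDIENCE)
    return exchange_assertion(http, "tenant-id-placeholder", "client-id-placeholder", assertion)


if __name__ == "__main__":
    print("Azure DevOps access token:", run_github_actions_scenario())
```

The local `check_assertion` step is the practitioner's check worth keeping: a WIF setup that fails usually fails because the audience configured on the federated credential does not match the `aud` claim the identity provider put in the assertion, and checking that before the exchange turns an opaque rejection from the token endpoint into a precise local error. The generic scenario from the PR is just `exchange_assertion` called with an assertion obtained elsewhere; the access token it returns is what the credential helper hands to git as the password for the Azure Repos HTTPS remote.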