fix(github): use API-resolved org login for OIDC subject claims #135
Open
DanielBoring wants to merge 1 commit into Azure:main from
Use data.github_organization.alz.login instead of var.organization_name when constructing OIDC subject claims for federated credentials. This preserves exact org casing in the repo: segment to match GitHub token assertions and avoid AADSTS7002138 case-sensitive matching failures. Also lower-case the org in job_workflow_ref template composition to align with observed GitHub token behavior for reusable workflow refs.
TL;DR
Hi Team!! I found this issue while using Deploy-Accelerator and wanted to submit the fix I found. This PR fixes GitHub OIDC federated credential subject casing mismatches that can cause AADSTS7002138 after Entra case-sensitive matching enforcement.
The module previously built subject claims from raw user input (var.organization_name), which can differ from GitHub's canonical org login casing.
This change uses data.github_organization.alz.login for the repo: segment and uses lower(data.github_organization.alz.login) for the job_workflow_ref org segment.
Result: future bootstrap deployments generate subject claims that match runtime GitHub token assertions for the org casing scenario you hit.
Detailed Notes
Problem
Entra (Azure AD) now enforces case-sensitive matching on federated credential subjects.
The bootstrap GitHub module generated subject claims using user-entered org name casing, which can differ from GitHub’s canonical org login casing used in OIDC assertions.
Observed failure:
AADSTS7002138: No matching federated identity record found for presented assertion subject
Impact
If org casing in inputs differs from GitHub canonical login casing, GitHub Actions authentication to Azure can fail for plan/apply workflows that rely on workload identity federation.
Root Cause
Subject claims were composed from:
var.organization_name (raw user input)
instead of:
data.github_organization.alz.login (provider/API-resolved canonical org login)
What Changed
File changed:
Code updates:
template_claim_structure now uses: lower(data.github_organization.alz.login)
subject (repo: segment) now uses: data.github_organization.alz.login
Why This Fix
Validation Performed
Risk / Compatibility
Operational Note for Existing Deployments
This PR prevents future incorrect subject generation.
Already-deployed credentials with wrong subject values may still require delete + recreate to ensure Entra-side propagation, as documented in incident notes.
Reference
AADSTS7002138
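The casing mismatch described in this PR, as an added example that is not part of the PR or the module's code: it models the two subject values the module composes (the repo: segment, and the lower-cased org in the job_workflow_ref template) and compares them against a constructed token the way Entra's case-sensitive matching does. The org login "Contoso-ALZ", the user input "contoso-alz", the repo, branch and workflow path are all constructed sample values, not taken from the PR.

```python
# Constructed sample values (assumptions, not from the PR):
# RESOLVED_ORG_LOGIN stands in for what data.github_organization.alz.login resolves to,
# USER_INPUT_ORG for what a user typed into var.organization_name.
RESOLVED_ORG_LOGIN = "Contoso-ALZ"
USER_INPUT_ORG = "contoso-alz"
REPO = "alz-bootstrap"
BRANCH = "main"
WORKFLOW = ".github/workflows/ci.yaml"

# Constructed stand-in for the claims GitHub places in the Actions OIDC token:
# per the PR, the repo: segment carries the canonical org casing, while the
# job_workflow_ref org segment is observed lower-cased.
TOKEN_CLAIMS = {
    "sub": "repo:Contoso-ALZ/alz-bootstrap:ref:refs/heads/main",
    "job_workflow_ref": "contoso-alz/alz-bootstrap/.github/workflows/ci.yaml@refs/heads/main",
}


def repo_subject(org: str, repo: str, branch: str) -> str:
    """Branch-scoped 'sub' value a federated credential is configured with."""
    return f"repo:{org}/{repo}:ref:refs/heads/{branch}"


def workflow_ref_subject(org: str, repo: str, workflow: str, branch: str) -> str:
    """job_workflow_ref value; the PR lower-cases the org segment when composing it."""
    return f"{org.lower()}/{repo}/{workflow}@refs/heads/{branch}"


def entra_matches(configured: str, presented: str) -> bool:
    """Entra's enforced behaviour per the PR: exact, case-sensitive equality."""
    return configured == presented


def check_configured_subject(org_value: str) -> dict:
    """Report which configured subjects would match the token for a given org value."""
    return {
        "sub": entra_matches(repo_subject(org_value, REPO, BRANCH), TOKEN_CLAIMS["sub"]),
        "job_workflow_ref": entra_matches(
            workflow_ref_subject(org_value, REPO, WORKFLOW, BRANCH),
            TOKEN_CLAIMS["job_workflow_ref"],
        ),
    }


if __name__ == "__main__":
    # Before: raw input fails the repo: match; after: the resolved login matches both.
    print("var.organization_name:", check_configured_subject(USER_INPUT_ORG))
    print("data.github_organization.alz.login:", check_configured_subject(RESOLVED_ORG_LOGIN))
```

Run it to see that lower-casing makes the job_workflow_ref segment insensitive to input casing, while the repo: segment only matches when built from the API-resolved login.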