wif: Add initial implementation of Workload Identity Federation

Signed-off-by: Matthew John Cheetham <mjcheetham@outlook.com>

Author: mjcheetham

src/shared/Core/Authentication/MicrosoftAuthentication.cs

@@ -3,12 +3,14 @@
 using System.IO;
 using System.Linq;
 using System.Net.Http;
+using System.Net.Http.Json;
 using System.Security.Cryptography.X509Certificates;
 using System.Threading.Tasks;
 using GitCredentialManager.Interop.Windows.Native;
 using Microsoft.Identity.Client;
 using Microsoft.Identity.Client.Extensions.Msal;
 using System.Text;
+using System.Text.Json;
 using System.Threading;
 using GitCredentialManager.UI;
 using GitCredentialManager.UI.Controls;
@@ -63,6 +65,14 @@ Task<IMicrosoftAuthenticationResult> GetTokenForUserAsync(string authority, stri
         ///  - <c>"resource://{guid}"</c> - Use the user-assigned managed identity with resource ID <c>{guid}</c>.
         /// </remarks>
         Task<IMicrosoftAuthenticationResult> GetTokenForManagedIdentityAsync(string managedIdentity, string resource);
+
+        /// <summary>
+        /// Acquire a token using workload federation.
+        /// </summary>
+        /// <param name="fedOpts">An object containing configuration workload federation.</param>
+        /// <param name="scopes">Scopes to request.</param>
+        /// <returns>Authentication result including access token.</returns>
+        Task<IMicrosoftAuthenticationResult> GetTokenUsingWorkloadFederationAsync(MicrosoftWorkloadFederationOptions fedOpts, string[] scopes);
     }
 
     public class ServicePrincipalIdentity
@@ -287,7 +297,8 @@ public async Task<IMicrosoftAuthenticationResult> GetTokenForServicePrincipalAsy
             }
         }
 
-        public async Task<IMicrosoftAuthenticationResult> GetTokenForManagedIdentityAsync(string managedIdentity, string resource)
+        public async Task<IMicrosoftAuthenticationResult> GetTokenForManagedIdentityAsync(
+            string managedIdentity, string resource)
         {
             var httpFactoryAdaptor = new MsalHttpClientFactoryAdaptor(Context.HttpClientFactory);
 
@@ -306,8 +317,88 @@ public async Task<IMicrosoftAuthenticationResult> GetTokenForManagedIdentityAsyn
             {
                 Context.Trace.WriteLine(mid == ManagedIdentityId.SystemAssigned
                     ? "Failed to acquire token for system managed identity."
-                    : $"Failed to acquire token for user managed identity '{managedIdentity:D}'.");
+                    : $"Failed to acquire token for user managed identity '{managedIdentity}'.");
+                Context.Trace.WriteException(ex);
+                throw;
+            }
+        }
+
+        public async Task<IMicrosoftAuthenticationResult> GetTokenUsingWorkloadFederationAsync(MicrosoftWorkloadFederationOptions fedOpts, string[] scopes)
+        {
+            IConfidentialClientApplication app = await CreateConfidentialClientApplicationAsync(fedOpts);
+
+            AuthenticationResult result = await app.AcquireTokenForClient(scopes)
+              .ExecuteAsync()
+              .ConfigureAwait(false);
+
+            return new MsalResult(result);
+        }
+
+        private async Task<string> GetClientAssertion(MicrosoftWorkloadFederationOptions fedOpts, AssertionRequestOptions _)
+        {
+            switch (fedOpts.Scenario)
+            {
+                case MicrosoftWorkloadFederationScenario.Generic:
+                    Context.Trace.WriteLine("Getting client assertion for generic workload federation scenario...");
+                    if (string.IsNullOrWhiteSpace(fedOpts.GenericClientAssertion))
+                        throw new InvalidOperationException(
+                            "Client assertion must be provided for generic workload federation scenario.");
+                    return fedOpts.GenericClientAssertion;
+
+                case MicrosoftWorkloadFederationScenario.ManagedIdentity:
+                    Context.Trace.WriteLine("Getting client assertion for managed identity workload federation scenario...");
+                    var miResult = await GetTokenForManagedIdentityAsync(fedOpts.ManagedIdentityId, fedOpts.Audience);
+                    return miResult.AccessToken;
+
+                case MicrosoftWorkloadFederationScenario.GitHubActions:
+                    Context.Trace.WriteLine("Getting client assertion for GitHub Actions workload federation scenario...");
+                    return await GetGitHubOidcToken(fedOpts.GitHubTokenRequestUrl, fedOpts.Audience, fedOpts.GitHubTokenRequestToken);
+
+                default:
+                    throw new ArgumentOutOfRangeException(nameof(fedOpts.Scenario), fedOpts.Scenario, "Unsupported workload federation scenario.");
+            }
+        }
+
+        private async Task<string> GetGitHubOidcToken(Uri requestUri, string audience, string requestToken)
+        {
+            using HttpClient http = Context.HttpClientFactory.CreateClient();
+
+            UriBuilder ub = new UriBuilder(requestUri);
+            if (ub.Query.Length > 0) ub.Query += "&";
+            ub.Query += $"audience={Uri.EscapeDataString(audience)}";
+
+            using var request = new HttpRequestMessage(HttpMethod.Get, ub.Uri);
+            request.AddBearerAuthenticationHeader(requestToken);
+
+            Context.Trace.WriteLine($"Requesting GitHub OIDC token from '{request.RequestUri}'...");
+            Context.Trace.WriteLineSecrets("OIDC request token: {0}", new[] { requestToken });
+            using HttpResponseMessage response = await http.SendAsync(request);
+            if (!response.IsSuccessStatusCode)
+            {
+                string error = await response.Content.ReadAsStringAsync();
+                Context.Trace.WriteLine($"Failed to acquire GitHub OIDC token [{response.StatusCode:D} {response.StatusCode}]: {error}");
+                response.EnsureSuccessStatusCode();
+            }
+
+            string json = await response.Content.ReadAsStringAsync();
+
+            try
+            {
+                using JsonDocument jsonDoc = JsonDocument.Parse(json);
+                if (!jsonDoc.RootElement.TryGetProperty("value", out JsonElement tokenElement))
+                {
+                    throw new InvalidOperationException(
+                        "Invalid response from GitHub OIDC token endpoint: 'value' property not found.");
+                }
+
+                return tokenElement.GetString() ??
+                       throw new InvalidOperationException(
+                           "Invalid response from GitHub OIDC token endpoint: 'value' property is null.");
+            }
+            catch (Exception ex)
+            {
                 Context.Trace.WriteException(ex);
+                Context.Trace.WriteLine($"OIDC token response: {json}");
                 throw;
             }
         }
@@ -558,6 +649,24 @@ private async Task<IConfidentialClientApplication> CreateConfidentialClientAppli
             return app;
         }
 
+        private async Task<IConfidentialClientApplication> CreateConfidentialClientApplicationAsync(
+            MicrosoftWorkloadFederationOptions fedOpts)
+        {
+            var httpFactoryAdaptor = new MsalHttpClientFactoryAdaptor(Context.HttpClientFactory);
+
+            Context.Trace.WriteLine($"Creating federated confidential client application for {fedOpts.TenantId}/{fedOpts.ClientId}...");
+            var appBuilder = ConfidentialClientApplicationBuilder.Create(fedOpts.ClientId)
+                .WithTenantId(fedOpts.TenantId)
+                .WithHttpClientFactory(httpFactoryAdaptor)
+                .WithClientAssertion(reqOpts => GetClientAssertion(fedOpts, reqOpts));
+
+            IConfidentialClientApplication app = appBuilder.Build();
+
+            await RegisterTokenCacheAsync(app.AppTokenCache, CreateAppTokenCacheProps, Context.Trace2);
+
+            return app;
+        }
+
         #endregion
 
         #region Helpers

src/shared/Core/Authentication/MicrosoftWorkloadFederationOptions.cs

@@ -0,0 +1,75 @@
+using System;
+
+namespace GitCredentialManager.Authentication;
+
+public enum MicrosoftWorkloadFederationScenario
+{
+    /// <summary>
+    /// Federate via pre-computed client assertion.
+    /// </summary>
+    Generic,
+
+    /// <summary>
+    /// Federate via an access token for an Entra ID Managed Identity.
+    /// </summary>
+    ManagedIdentity,
+
+    /// <summary>
+    /// Federate via a GitHub Actions OIDC token.
+    /// </summary>
+    GitHubActions,
+}
+
+public class MicrosoftWorkloadFederationOptions
+{
+    public const string DefaultAudience = Constants.DefaultWorkloadFederationAudience;
+
+    /// <summary>
+    /// The workload federation scenario to use.
+    /// </summary>
+    public MicrosoftWorkloadFederationScenario Scenario { get; set; }
+
+    /// <summary>
+    /// Tenant ID of the identity to request an access token for.
+    /// </summary>
+    public string TenantId { get; set; }
+
+    /// <summary>
+    /// Client ID of the identity to request an access token for.
+    /// </summary>
+    public string ClientId { get; set; }
+
+    /// <summary>
+    /// The audience to use when requesting a token.
+    /// </summary>
+    /// <remarks>If this is null, the default audience <see cref="DefaultAudience"/> will be used.</remarks>
+    public string Audience
+    {
+        get;
+        set => field = value ?? DefaultAudience;
+    } = DefaultAudience;
+
+    /// <summary>
+    /// Generic assertion.
+    /// </summary>
+    /// <remarks>Used with the <see cref="MicrosoftWorkloadFederationScenario.Generic"/> federation scenario.</remarks>
+    public string GenericClientAssertion { get; set; }
+
+    /// <summary>
+    /// The managed identity to request a federated token for, to exchange for an access token.
+    /// </summary>
+    /// <remarks>Used with the <see cref="MicrosoftWorkloadFederationScenario.ManagedIdentity"/> federation scenario.</remarks>
+    public string ManagedIdentityId { get; set; }
+
+    /// <summary>
+    /// GitHub Actions OIDC token request URI.
+    /// </summary>
+    /// <remarks>Used with the <see cref="MicrosoftWorkloadFederationScenario.GitHubActions"/> federation scenario.</remarks>
+    public Uri GitHubTokenRequestUrl { get; set; }
+
+    /// <summary>
+    /// GitHub Actions OIDC token request token.
+    /// </summary>
+    /// <remarks>Used with the <see cref="MicrosoftWorkloadFederationScenario.GitHubActions"/> federation scenario.</remarks>
+    public string GitHubTokenRequestToken { get; set; }
+}

src/shared/Core/Constants.cs

@@ -31,6 +31,8 @@ public static class Constants
         /// </summary>
         public static readonly Guid MsaTransferTenantId = new("f8cdef31-a31e-4b4a-93e4-5f571e91255a");
 
+        public const string DefaultWorkloadFederationAudience = "api://AzureADTokenExchange";
+
         public static class CredentialProtocol
         {
             public const string NtlmKey = "ntlm";
@@ -130,6 +132,9 @@ public static class EnvironmentVariables
             public const string GcmDevUseLegacyUiHelpers = "GCM_DEV_USELEGACYUIHELPERS";
             public const string GcmGuiSoftwareRendering  = "GCM_GUI_SOFTWARE_RENDERING";
             public const string GcmAllowUnsafeRemotes    = "GCM_ALLOW_UNSAFE_REMOTES";
+
+            public const string GitHubActionsTokenRequestUrl = "ACTIONS_ID_TOKEN_REQUEST_URL";
+            public const string GitHubActionsTokenRequestToken = "ACTIONS_ID_TOKEN_REQUEST_TOKEN";
         }
 
         public static class Http