wif: Add implementation of Workload Identity Federation for AzRepos

Add support for Workload Identity Federation (WIF) for Azure Repos.
This enables users to authenticate to Azure Repos using federated
tokens from Managed Identities, GitHub Actions, or generic identity
providers.

We support three scenarios:

1. Generic
   When you have a pre-obtained client assertion token from any
   external identity provider. You provide the assertion directly and
   GCM exchanges it for an access token.

2. Entra ID Managed Identities
   When your workload runs on an Azure resource that has a Managed
   Identity assigned. GCM will first request a token from the Managed
   Identity for the configured audience, then exchange that token for
   an Azure DevOps access token.

3. GitHub Actions
   When your workload runs in a GitHub Actions workflow. GCM will
   automatically obtain an OIDC token from the GitHub Actions runtime
   and exchange it for an Azure DevOps access token.

Signed-off-by: Matthew John Cheetham <mjcheetham@outlook.com>

Author: mjcheetham

src/shared/Core/Authentication/MicrosoftAuthentication.cs

@@ -9,6 +9,7 @@
 using Microsoft.Identity.Client;
 using Microsoft.Identity.Client.Extensions.Msal;
 using System.Text;
+using System.Text.Json;
 using System.Threading;
 using GitCredentialManager.UI;
 using GitCredentialManager.UI.Controls;
@@ -63,6 +64,14 @@ Task<IMicrosoftAuthenticationResult> GetTokenForUserAsync(string authority, stri
         ///  - <c>"resource://{guid}"</c> - Use the user-assigned managed identity with resource ID <c>{guid}</c>.
         /// </remarks>
         Task<IMicrosoftAuthenticationResult> GetTokenForManagedIdentityAsync(string managedIdentity, string resource);
+
+        /// <summary>
+        /// Acquire a token using workload federation.
+        /// </summary>
+        /// <param name="fedOpts">An object containing configuration workload federation.</param>
+        /// <param name="scopes">Scopes to request.</param>
+        /// <returns>Authentication result including access token.</returns>
+        Task<IMicrosoftAuthenticationResult> GetTokenUsingWorkloadFederationAsync(MicrosoftWorkloadFederationOptions fedOpts, string[] scopes);
     }
 
     public class ServicePrincipalIdentity
@@ -287,7 +296,8 @@ public async Task<IMicrosoftAuthenticationResult> GetTokenForServicePrincipalAsy
             }
         }
 
-        public async Task<IMicrosoftAuthenticationResult> GetTokenForManagedIdentityAsync(string managedIdentity, string resource)
+        public async Task<IMicrosoftAuthenticationResult> GetTokenForManagedIdentityAsync(
+            string managedIdentity, string resource)
         {
             var httpFactoryAdaptor = new MsalHttpClientFactoryAdaptor(Context.HttpClientFactory);
 
@@ -306,8 +316,88 @@ public async Task<IMicrosoftAuthenticationResult> GetTokenForManagedIdentityAsyn
             {
                 Context.Trace.WriteLine(mid == ManagedIdentityId.SystemAssigned
                     ? "Failed to acquire token for system managed identity."
-                    : $"Failed to acquire token for user managed identity '{managedIdentity:D}'.");
+                    : $"Failed to acquire token for user managed identity '{managedIdentity}'.");
+                Context.Trace.WriteException(ex);
+                throw;
+            }
+        }
+
+        public async Task<IMicrosoftAuthenticationResult> GetTokenUsingWorkloadFederationAsync(MicrosoftWorkloadFederationOptions fedOpts, string[] scopes)
+        {
+            IConfidentialClientApplication app = await CreateConfidentialClientApplicationAsync(fedOpts);
+
+            AuthenticationResult result = await app.AcquireTokenForClient(scopes)
+              .ExecuteAsync()
+              .ConfigureAwait(false);
+
+            return new MsalResult(result);
+        }
+
+        private async Task<string> GetClientAssertion(MicrosoftWorkloadFederationOptions fedOpts, AssertionRequestOptions _)
+        {
+            switch (fedOpts.Scenario)
+            {
+                case MicrosoftWorkloadFederationScenario.Generic:
+                    Context.Trace.WriteLine("Getting client assertion for generic workload federation scenario...");
+                    if (string.IsNullOrWhiteSpace(fedOpts.GenericClientAssertion))
+                        throw new InvalidOperationException(
+                            "Client assertion must be provided for generic workload federation scenario.");
+                    return fedOpts.GenericClientAssertion;
+
+                case MicrosoftWorkloadFederationScenario.ManagedIdentity:
+                    Context.Trace.WriteLine("Getting client assertion for managed identity workload federation scenario...");
+                    var miResult = await GetTokenForManagedIdentityAsync(fedOpts.ManagedIdentityId, fedOpts.Audience);
+                    return miResult.AccessToken;
+
+                case MicrosoftWorkloadFederationScenario.GitHubActions:
+                    Context.Trace.WriteLine("Getting client assertion for GitHub Actions workload federation scenario...");
+                    return await GetGitHubOidcToken(fedOpts.GitHubTokenRequestUrl, fedOpts.Audience, fedOpts.GitHubTokenRequestToken);
+
+                default:
+                    throw new ArgumentOutOfRangeException(nameof(fedOpts.Scenario), fedOpts.Scenario, "Unsupported workload federation scenario.");
+            }
+        }
+
+        private async Task<string> GetGitHubOidcToken(Uri requestUri, string audience, string requestToken)
+        {
+            using HttpClient http = Context.HttpClientFactory.CreateClient();
+
+            UriBuilder ub = new UriBuilder(requestUri);
+            if (ub.Query.Length > 0) ub.Query += "&";
+            ub.Query += $"audience={Uri.EscapeDataString(audience)}";
+
+            using var request = new HttpRequestMessage(HttpMethod.Get, ub.Uri);
+            request.AddBearerAuthenticationHeader(requestToken);
+
+            Context.Trace.WriteLine($"Requesting GitHub OIDC token from '{request.RequestUri}'...");
+            Context.Trace.WriteLineSecrets("OIDC request token: {0}", new[] { requestToken });
+            using HttpResponseMessage response = await http.SendAsync(request);
+            if (!response.IsSuccessStatusCode)
+            {
+                string error = await response.Content.ReadAsStringAsync();
+                Context.Trace.WriteLine($"Failed to acquire GitHub OIDC token [{response.StatusCode:D} {response.StatusCode}]: {error}");
+                response.EnsureSuccessStatusCode();
+            }
+
+            string json = await response.Content.ReadAsStringAsync();
+
+            try
+            {
+                using JsonDocument jsonDoc = JsonDocument.Parse(json);
+                if (!jsonDoc.RootElement.TryGetProperty("value", out JsonElement tokenElement))
+                {
+                    throw new InvalidOperationException(
+                        "Invalid response from GitHub OIDC token endpoint: 'value' property not found.");
+                }
+
+                return tokenElement.GetString() ??
+                       throw new InvalidOperationException(
+                           "Invalid response from GitHub OIDC token endpoint: 'value' property is null.");
+            }
+            catch (Exception ex)
+            {
                 Context.Trace.WriteException(ex);
+                Context.Trace.WriteLine($"OIDC token response: {json}");
                 throw;
             }
         }
@@ -558,6 +648,24 @@ private async Task<IConfidentialClientApplication> CreateConfidentialClientAppli
             return app;
         }
 
+        private async Task<IConfidentialClientApplication> CreateConfidentialClientApplicationAsync(
+            MicrosoftWorkloadFederationOptions fedOpts)
+        {
+            var httpFactoryAdaptor = new MsalHttpClientFactoryAdaptor(Context.HttpClientFactory);
+
+            Context.Trace.WriteLine($"Creating federated confidential client application for {fedOpts.TenantId}/{fedOpts.ClientId}...");
+            var appBuilder = ConfidentialClientApplicationBuilder.Create(fedOpts.ClientId)
+                .WithTenantId(fedOpts.TenantId)
+                .WithHttpClientFactory(httpFactoryAdaptor)
+                .WithClientAssertion(reqOpts => GetClientAssertion(fedOpts, reqOpts));
+
+            IConfidentialClientApplication app = appBuilder.Build();
+
+            await RegisterTokenCacheAsync(app.AppTokenCache, CreateAppTokenCacheProps, Context.Trace2);
+
+            return app;
+        }
+
         #endregion
 
         #region Helpers

src/shared/Core/Authentication/MicrosoftWorkloadFederationOptions.cs

@@ -0,0 +1,77 @@
+using System;
+
+namespace GitCredentialManager.Authentication;
+
+public enum MicrosoftWorkloadFederationScenario
+{
+    /// <summary>
+    /// Federate via pre-computed client assertion.
+    /// </summary>
+    Generic,
+
+    /// <summary>
+    /// Federate via an access token for an Entra ID Managed Identity.
+    /// </summary>
+    ManagedIdentity,
+
+    /// <summary>
+    /// Federate via a GitHub Actions OIDC token.
+    /// </summary>
+    GitHubActions,
+}
+
+public class MicrosoftWorkloadFederationOptions
+{
+    public const string DefaultAudience = Constants.DefaultWorkloadFederationAudience;
+
+    private string _audience = DefaultAudience;
+
+    /// <summary>
+    /// The workload federation scenario to use.
+    /// </summary>
+    public MicrosoftWorkloadFederationScenario Scenario { get; set; }
+
+    /// <summary>
+    /// Tenant ID of the identity to request an access token for.
+    /// </summary>
+    public string TenantId { get; set; }
+
+    /// <summary>
+    /// Client ID of the identity to request an access token for.
+    /// </summary>
+    public string ClientId { get; set; }
+
+    /// <summary>
+    /// The audience to use when requesting a token.
+    /// </summary>
+    /// <remarks>If this is null, the default audience <see cref="DefaultAudience"/> will be used.</remarks>
+    public string Audience
+    {
+        get => _audience;
+        set => _audience = value ?? DefaultAudience;
+    }
+
+    /// <summary>
+    /// Generic assertion.
+    /// </summary>
+    /// <remarks>Used with the <see cref="MicrosoftWorkloadFederationScenario.Generic"/> federation scenario.</remarks>
+    public string GenericClientAssertion { get; set; }
+
+    /// <summary>
+    /// The managed identity to request a federated token for, to exchange for an access token.
+    /// </summary>
+    /// <remarks>Used with the <see cref="MicrosoftWorkloadFederationScenario.ManagedIdentity"/> federation scenario.</remarks>
+    public string ManagedIdentityId { get; set; }
+
+    /// <summary>
+    /// GitHub Actions OIDC token request URI.
+    /// </summary>
+    /// <remarks>Used with the <see cref="MicrosoftWorkloadFederationScenario.GitHubActions"/> federation scenario.</remarks>
+    public Uri GitHubTokenRequestUrl { get; set; }
+
+    /// <summary>
+    /// GitHub Actions OIDC token request token.
+    /// </summary>
+    /// <remarks>Used with the <see cref="MicrosoftWorkloadFederationScenario.GitHubActions"/> federation scenario.</remarks>
+    public string GitHubTokenRequestToken { get; set; }
+}

src/shared/Core/Constants.cs

@@ -31,6 +31,8 @@ public static class Constants
         /// </summary>
         public static readonly Guid MsaTransferTenantId = new("f8cdef31-a31e-4b4a-93e4-5f571e91255a");
 
+        public const string DefaultWorkloadFederationAudience = "api://AzureADTokenExchange";
+
         public static class CredentialProtocol
         {
             public const string NtlmKey = "ntlm";
@@ -130,6 +132,9 @@ public static class EnvironmentVariables
             public const string GcmDevUseLegacyUiHelpers = "GCM_DEV_USELEGACYUIHELPERS";
             public const string GcmGuiSoftwareRendering  = "GCM_GUI_SOFTWARE_RENDERING";
             public const string GcmAllowUnsafeRemotes    = "GCM_ALLOW_UNSAFE_REMOTES";
+
+            public const string GitHubActionsTokenRequestUrl = "ACTIONS_ID_TOKEN_REQUEST_URL";
+            public const string GitHubActionsTokenRequestToken = "ACTIONS_ID_TOKEN_REQUEST_TOKEN";
         }
 
         public static class Http