Community Note
Please vote on this issue by adding a 👍 reaction to the original issue to help the community and maintainers prioritize this request.
Please do not leave "+1" or "me too" comments; they generate extra noise for issue followers and do not help prioritize the request.
If you are interested in working on this issue or have submitted a pull request, please leave a comment.
Description
When using client_jwt authentication in Azure DevOps, Packer builds start, but runs that take longer than one hour fail with the following error in the pipeline logs:
authorizing request: clientCredentialsToken: received HTTP status 401 with response: {"error":"invalid_client","error_description":"AADSTS700024: Client assertion is not within its valid time range."}
Attempting to use OIDC-based authentication with oidc_request_url and oidc_request_token results in the following error immediately on execution of the packer command.
Build 'azure-arm.autogenerated_1' errored after 96 milliseconds 404 microseconds: githubAssertion: received HTTP status 405 with response: {"count":1,"value":{"Message":"The requested resource does not support http method 'GET'."}}
The following examples show how the environment was configured in Azure DevOps pipelines to generate these logs:
client_jwt example:

```yaml
- task: AzureCLI@2
  inputs:
    addSpnToEnvironment: true
    azureSubscription: azserviceconnection
    scriptType: 'bash'
    scriptLocation: 'inlineScript'
    inlineScript: |
      export ARM_CLIENT_ID=$servicePrincipalId
      export ARM_OIDC_TOKEN=$idToken
      export ARM_SUBSCRIPTION_ID=$(az account show --query id -o tsv)
      export ARM_USE_OIDC=true
      packer init template.pkr.hcl
      packer build template.pkr.hcl
```
oidc_request_url and oidc_request_token example:

```yaml
- task: AzureCLI@2
  inputs:
    addSpnToEnvironment: true
    azureSubscription: azserviceconnection
    scriptType: bash
    scriptLocation: inlineScript
    inlineScript: |
      export ARM_CLIENT_ID=$servicePrincipalId
      export ARM_SUBSCRIPTION_ID=$(az account show --query id -o tsv)
      export ARM_OIDC_REQUEST_URL=$(System.OidcRequestUri)
      export ARM_OIDC_REQUEST_TOKEN=$(System.AccessToken)
      export ARM_USE_OIDC=true
      packer init template.pkr.hcl
      packer build template.pkr.hcl
```
Use Case
Enable support for long-running Packer builds in Azure DevOps without needing to rely on short-lived client assertions or manually refreshing credentials.
This is especially critical for image build processes that take more than one hour, which currently fail due to token expiration issues.
Potential configuration
Extend the plugin’s support for OIDC by:
- Enabling compatibility with Azure DevOps–issued oidc_request_url and oidc_request_token values (similar to the existing GitHub Actions support).
- Supporting automatic token refresh or seamless re-authentication during long-running builds.
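As an added illustration of the two pieces such support needs (this is not code from packer-plugin-azure): requesting a fresh assertion from the Azure DevOps oidctoken endpoint with a POST carrying System.AccessToken (the endpoint answers HTTP 405 to a GET, which is the second error quoted above), and inspecting the assertion's exp claim so a new one is fetched before Entra ID rejects it with AADSTS700024. Assumptions: the endpoint returns JSON with an oidcToken field, and the function names FetchOIDCToken and AssertionNeedsRefresh are mine.

```go
package main

import (
	"encoding/base64"
	"encoding/json"
	"fmt"
	"net/http"
	"strings"
	"time"
)

// FetchOIDCToken POSTs to the Azure DevOps oidctoken endpoint (the URL in $(System.OidcRequestUri))
// with $(System.AccessToken) as bearer and returns the fresh assertion from the JSON "oidcToken"
// field (assumed response shape). The endpoint rejects GET with HTTP 405, the second error above.
func FetchOIDCToken(client *http.Client, requestURL, accessToken string) (string, error) {
	req, err := http.NewRequest(http.MethodPost, requestURL, nil)
	if err != nil {
		return "", err
	}
	req.Header.Set("Authorization", "Bearer "+accessToken)
	resp, err := client.Do(req)
	if err != nil {
		return "", err
	}
	defer resp.Body.Close()
	var out struct{ OIDCToken string `json:"oidcToken"` }
	if resp.StatusCode != http.StatusOK || json.NewDecoder(resp.Body).Decode(&out) != nil || out.OIDCToken == "" {
		return "", fmt.Errorf("oidc request: HTTP %d without a usable oidcToken", resp.StatusCode)
	}
	return out.OIDCToken, nil
}

// AssertionNeedsRefresh reads the exp claim of a JWT assertion (payload only; no signature check,
// the token is only inspected locally) and reports whether it expires within skew of now, the
// condition under which Entra ID answers AADSTS700024 and a new assertion must be fetched.
func AssertionNeedsRefresh(jwt string, now time.Time, skew time.Duration) (bool, error) {
	parts := strings.Split(jwt, ".")
	if len(parts) != 3 {
		return false, fmt.Errorf("malformed JWT: expected 3 segments, got %d", len(parts))
	}
	payload, err := base64.RawURLEncoding.DecodeString(parts[1])
	if err != nil {
		return false, err
	}
	var claims struct{ Exp int64 `json:"exp"` }
	if err := json.Unmarshal(payload, &claims); err != nil {
		return false, err
	}
	return !now.Add(skew).Before(time.Unix(claims.Exp, 0)), nil
}
```

A long-running build would call AssertionNeedsRefresh before each token acquisition and, when it reports true, call FetchOIDCToken again instead of reusing the assertion captured at pipeline start.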
Potential References
https://github.com/hashicorp/packer-plugin-azure/tree/main/.web-docs/components/builder/arm
https://learn.microsoft.com/en-us/rest/api/azure/devops/distributedtask/oidctoken/create?view=azure-devops-rest-7.1
https://www.hashicorp.com/en/blog/version-2-packer-azure-plugin-now-available