Apply Microsoft Azure OIDC Authentication flow#968

Open: vinokurig wants to merge 2 commits into main from che-23505

@vinokurig (Contributor) commented Mar 10, 2026

What does this PR do?

Apply Microsoft Azure OIDC Authentication flow

DO NOT MERGE until eclipse-che/che-operator#2097 is merged

Screenshot/screencast of this PR

What issues does this PR fix or reference?

fixes eclipse-che/che#23505

How to test this PR?

  1. Apply the che-server pull request image: quay.io/eclipse/che-server:pr-968
  2. Configure a Microsoft Entra ID Application
  3. Apply the Azure DevOps oauth secret:
kind: Secret
apiVersion: v1
metadata:
  name: azure-devops-oauth-config
  namespace: eclipse-che
  labels:
    app.kubernetes.io/component: oauth-scm-configuration
    app.kubernetes.io/part-of: che.eclipse.org
  annotations:
    che.eclipse.org/oauth-scm-server: azure-devops
stringData:
  id: <Application (client) ID>
  secret: <client secret>
  tenant-id: <tenant id>
type: Opaque
  4. Start a workspace from the Azure DevOps repository HTTPS URL, consent to the OAuth request.

See: workspace starts, project is cloned. Token is added to the user namespace.

PR Checklist

As the author of this Pull Request I made sure that:

Release Notes

Reviewers

Reviewers, please comment how you tested the PR when approving it.

@vinokurig vinokurig force-pushed the che-23505 branch 2 times, most recently from be47782 to 918b646 Compare March 10, 2026 14:35
@github-actions

Docker image build succeeded: quay.io/eclipse/che-server:pr-968

kubectl patch command
kubectl patch -n eclipse-che "checluster/eclipse-che" --type=json -p='[{"op": "replace", "path": "/spec/components/cheServer/deployment", "value": {"containers": [{"image": "quay.io/eclipse/che-server:pr-968", "name": "che"}]}}]'

@vinokurig (Contributor Author)

/retest

# Separate multiple values with comma, for example: scope,scope,scope
# The full list of scopes: https://learn.microsoft.com/en-us/azure/devops/integrate/get-started/authentication/oauth?view=azure-devops#scopes
che.integration.azure.devops.application_scopes=vso.code_write
che.integration.azure.devops.application_scopes=499b84ac-1321-427f-aa17-267ca6975798/vso.code_write
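
Review bot: the new value on the last line prefixes the scope with the GUID 499b84ac-1321-427f-aa17-267ca6975798, but neither comment line above it says what that GUID identifies or where it comes from, and the linked page is introduced only as "the full list of scopes". Add a comment line naming the prefix and its source, and update the `scope,scope,scope` example to show whether each comma-separated scope needs the same prefix, so that an operator adding a second scope does not fall back to a bare name like the old `vso.code_write`.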

Contributor

Magic number, do we have the source of them?

Contributor Author

Entra ID v2.0 requires Azure DevOps App ID URI in the scope, which is 499b84ac-1321-427f-aa17-267ca6975798, see https://learn.microsoft.com/en-us/answers/questions/5807316/invalid-scope-error-on-oidc-token-request

Contributor

Could you pls add that link to che.properties?

Contributor Author

done
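
A pre-flight check for the configuration discussed in this thread, as an added example (not code from this PR or from che-server): it validates the Secret's `stringData`, converts a comma-separated `application_scopes` value into the resource-prefixed form described above, and builds the resulting authorization request. The function names are hypothetical; the example assumes `id` and `tenant-id` are GUIDs, that bare scope names need the Azure DevOps prefix, and that the request goes to the Microsoft identity platform v2.0 authorize endpoint.

```python
import re
from urllib.parse import urlencode

# Azure DevOps resource ID quoted in the review thread above.
AZURE_DEVOPS_RESOURCE = "499b84ac-1321-427f-aa17-267ca6975798"
# OIDC scopes that are sent without a resource prefix.
OIDC_SCOPES = {"openid", "profile", "email", "offline_access"}
GUID = re.compile(r"[0-9a-f]{8}(-[0-9a-f]{4}){3}-[0-9a-f]{12}", re.I)


def qualify_scopes(prop_value, resource=AZURE_DEVOPS_RESOURCE):
    """Turn a comma-separated application_scopes value into a v2.0 scope string."""
    scopes = []
    for scope in filter(None, (s.strip() for s in prop_value.split(","))):
        prefix, sep, name = scope.rpartition("/")
        if scope in OIDC_SCOPES or (sep and name and prefix.lower() == resource.lower()):
            scopes.append(scope)  # already in the form the endpoint expects
        elif not sep:
            scopes.append(f"{resource}/{scope}")  # bare name such as vso.code_write
        else:
            # A mistyped or foreign prefix is rejected here, before any request is sent.
            raise ValueError(f"scope {scope!r} is not a valid {resource}/<name> scope")
    if not scopes:
        raise ValueError("no scopes configured")
    return " ".join(dict.fromkeys(scopes))  # drop duplicates, keep order


def check_secret(string_data):
    """Return a list of problems in the Secret's stringData (empty list means OK)."""
    problems = []
    for key in ("id", "secret", "tenant-id"):
        value = string_data.get(key, "")
        if not value or value.startswith("<"):
            problems.append(f"{key}: missing or still a placeholder")
        elif key != "secret" and not GUID.fullmatch(value):
            problems.append(f"{key}: expected a GUID")
    return problems


def authorize_url(string_data, prop_value, redirect_uri, state):
    """Build the authorization-code request; state must be unpredictable per request."""
    problems = check_secret(string_data)
    if problems:
        raise ValueError("; ".join(problems))
    query = urlencode({"client_id": string_data["id"], "response_type": "code",
                       "redirect_uri": redirect_uri, "state": state,
                       "scope": qualify_scopes(prop_value)})
    tenant = string_data["tenant-id"]
    return f"https://login.microsoftonline.com/{tenant}/oauth2/v2.0/authorize?{query}"
```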

@github-actions

Docker image build succeeded: quay.io/eclipse/che-server:pr-968

kubectl patch command
kubectl patch -n eclipse-che "checluster/eclipse-che" --type=json -p='[{"op": "replace", "path": "/spec/components/cheServer/deployment", "value": {"containers": [{"image": "quay.io/eclipse/che-server:pr-968", "name": "che"}]}}]'

@tolusha (Contributor) left a comment

Tested

openshift-ci bot commented Mar 13, 2026

[APPROVALNOTIFIER] This PR is NOT APPROVED

This pull-request has been approved by: tolusha, vinokurig

The full list of commands accepted by this bot can be found here.

Needs approval from an approver in each of these files:

Approvers can indicate their approval by writing /approve in a comment
Approvers can cancel approval by writing /approve cancel in a comment

Successfully merging this pull request may close these issues.

Implement Microsoft Azure OIDC Authentication flow