Currently Azure OIDC only allows `tenant-id` and `client-id` values but from talking with internal users there are other values that might be interesting as well. Note that whatever changes occur here will also require 2 internal changes: (1) update the `dependabot.yml` schema to allow for the new fields, and (2) update the public documentation.

- `audience`: Azure OIDC currently hard codes the audience to `api://AzureADTokenExchange` but the GitHub documentation for OIDC indicates that other values can be used. Keeping the same default but allowing an explicit override could help here.
  - This documentation states that the `audience` value must be `api://AzureADTokenExchange` so this will likely remain unchanged.
- `scope`: Azure OIDC currently hard codes the scope to `499b84ac-1321-427f-aa17-267ca6975798/.default` which corresponds to the Azure DevOps REST API. As with `audience`, maintaining the default but allowing an override could be useful.
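To make the two values concrete, here is an added example (not code from the issue or from Dependabot) showing where `audience` and `scope` enter the GitHub-to-Entra ID token exchange: `audience` is requested when the workflow mints its GitHub OIDC token and must match the `aud` claim Entra ID expects, while `scope` goes into the client-credentials request. The function names, the placeholder tenant/client ids and the unsigned sample JWT are assumptions constructed for offline use.

```python
import base64
import json
from urllib.parse import urlencode

# Defaults as described in the issue; the override parameters are the proposal under discussion.
DEFAULT_AUDIENCE = "api://AzureADTokenExchange"
DEFAULT_SCOPE = "499b84ac-1321-427f-aa17-267ca6975798/.default"  # Azure DevOps REST API
CLIENT_ASSERTION_TYPE = "urn:ietf:params:oauth:client-assertion-type:jwt-bearer"


def github_id_token_request(request_url: str, audience: str = DEFAULT_AUDIENCE) -> str:
    """URL a workflow calls (with ACTIONS_ID_TOKEN_REQUEST_TOKEN as bearer) to mint a
    GitHub OIDC token whose `aud` claim equals `audience`."""
    sep = "&" if "?" in request_url else "?"
    return f"{request_url}{sep}{urlencode({'audience': audience})}"


def jwt_claims(token: str) -> dict:
    """Decode the JWT payload without verifying the signature (Entra ID verifies it)."""
    payload = token.split(".")[1]
    payload += "=" * (-len(payload) % 4)
    return json.loads(base64.urlsafe_b64decode(payload))


def azure_token_request(tenant_id, client_id, github_jwt,
                        audience=DEFAULT_AUDIENCE, scope=DEFAULT_SCOPE):
    """Build the client-credentials request that trades the GitHub token for an Entra
    access token, rejecting the two misconfigurations an override makes possible."""
    if not scope.endswith("/.default"):
        raise ValueError("client credentials flow requires a '<resource>/.default' scope")
    aud = jwt_claims(github_jwt).get("aud")
    if aud != audience:
        raise ValueError(f"GitHub token aud={aud!r} does not match audience {audience!r}")
    url = f"https://login.microsoftonline.com/{tenant_id}/oauth2/v2.0/token"
    body = {
        "client_id": client_id,
        "grant_type": "client_credentials",
        "client_assertion_type": CLIENT_ASSERTION_TYPE,
        "client_assertion": github_jwt,
        "scope": scope,
    }
    return url, body


def fake_github_jwt(audience: str) -> str:
    """Constructed, unsigned sample token for offline demonstration only."""
    enc = lambda d: base64.urlsafe_b64encode(json.dumps(d).encode()).decode().rstrip("=")
    claims = {"aud": audience, "iss": "https://token.actions.githubusercontent.com"}
    return f"{enc({'alg': 'none'})}.{enc(claims)}."
```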