Azure · BALAGA-GAYATRI · Nov 15, 2021 · Oct 25, 2021 · Oct 25, 2021 · Nov 1, 2021
diff --git a/README.md b/README.md
@@ -121,7 +121,7 @@ jobs:
           az group list
           pwd 
 ```
-This action supports login az powershell as well for both windows and linux runners by setting an input parameter `enable-AzPSSession: true`. Below is the sample workflow for the same using the windows runner. Please note that powershell login is not supported in Macos runners.
+Users can also specify `audience` field for access-token in the input parameters of the action. If not specified, it is defaulted to `api://AzureADTokenExchange`. This action supports login az powershell as well for both windows and linux runners by setting an input parameter `enable-AzPSSession: true`. Below is the sample workflow for the same using the windows runner. Please note that powershell login is not supported in Macos runners.
 
 ## Sample workflow that uses Azure login action using OIDC to run az PowerShell (Windows)
 

diff --git a/action.yml b/action.yml
@@ -26,6 +26,10 @@ inputs:
     description: 'Set this value to true to enable support for accessing tenants without subscriptions'
     required: false
     default: false
+  audience:
+    description: 'Provide audience field for access-token. Default value is api://AzureADTokenExchange' 
+    required: false
+    default: 'api://AzureADTokenExchange'
 branding:
   icon: 'login.svg'
   color: 'blue'

diff --git a/lib/main.js b/lib/main.js
@@ -61,7 +61,6 @@ function main() {
             const allowNoSubscriptionsLogin = core.getInput('allow-no-subscriptions').toLowerCase() === "true";
             //Check for the credentials in individual parameters in the workflow.
             var servicePrincipalId = core.getInput('client-id', { required: false });
-            ;
             var servicePrincipalKey = null;
             var tenantId = core.getInput('tenant-id', { required: false });
             var subscriptionId = core.getInput('subscription-id', { required: false });
@@ -103,14 +102,17 @@ function main() {
             if (enableOIDC) {
                 console.log('Using OIDC authentication...');
                 //generating ID-token
-                federatedToken = yield core.getIDToken('api://AzureADTokenExchange');
+                let audience = core.getInput('audience', { required: false });
+                federatedToken = yield core.getIDToken(audience);
                 if (!!federatedToken) {
                     if (environment != "azurecloud")
                         throw new Error(`Your current environment - "${environment}" is not supported for OIDC login.`);
                 }
                 else {
                     throw new Error("Could not get ID token for authentication.");
                 }
+                let [issuer, subjectClaim] = yield jwtParser(federatedToken);
+                console.log("Federated token details: \n issuer- " + issuer + " \n subject claim - " + subjectClaim);
             }
             // Attempting Az cli login
             if (environment == "azurestack") {
@@ -199,8 +201,16 @@ function executeAzCliCommand(command, silent, execOptions = {}, args = []) {
             yield exec.exec(`"${azPath}" ${command}`, args, execOptions);
         }
         catch (error) {
-            throw new Error(error);
+            core.error("Az-CLI" + error);
         }
     });
 }
+function jwtParser(federatedToken) {
+    return __awaiter(this, void 0, void 0, function* () {
+        let tokenPayload = federatedToken.split('.')[1];
+        let bufferObj = Buffer.from(tokenPayload, "base64");
+        let decodedPayload = JSON.parse(bufferObj.toString("utf8"));
+        return [decodedPayload['iss'], decodedPayload['sub']];
+    });
+}
 main();