AADSTS90061: Request to External OIDC endpoint failed.

This error comes up often, and if you search for it you will land on this page:

https://azure.github.io/azure-workload-identity/docs/troubleshooting.html#aadsts90061-request-to-external-oidc-endpoint-failed

The troubleshooting page says the cause is that "the OIDC issuer endpoint is not exposed to the internet or is inaccessible". What that means in practice is that Azure AD actively contacts the URL you put in the issuer field of the federated credential. The issuer is not just a static string that has to match the iss claim in your JWT; Azure AD resolves it.

Azure AD fetches the OIDC discovery document at that issuer, follows its jwks_uri to the JSON Web Key Set, and checks the token's signature against the key whose kid matches the token header. If either fetch fails, you get AADSTS90061 regardless of whether the token itself is well formed.

SERVICE_ACCOUNT_ISSUER is the issuer URL you configured in the federated credential; it must also be the value of the iss claim in the JWT your workload presents.

It must be publicly reachable over HTTPS, along with the following two endpoints (the discovery document and the JWKS it points to). Both curl commands should return JSON, and the "issuer" value in the discovery document must match SERVICE_ACCOUNT_ISSUER exactly, including any trailing slash:

curl ${SERVICE_ACCOUNT_ISSUER}/.well-known/openid-configuration

curl ${SERVICE_ACCOUNT_ISSUER}/openid/v1/jwks
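To see why the two curl commands matter, here is an added Python example (not code from the original post or from the azure-workload-identity project) that reproduces the static checks Azure AD has to pass: the token's iss claim equals the federated credential issuer, the discovery document's "issuer" equals it too, jwks_uri is an https URL, and the token header's kid exists in the JWKS. The issuer URL, the discovery document, the JWKS and the tokens are all constructed inline so the check runs offline; fetch_issuer_docs is the live equivalent of the curl commands and is the only part that touches the network.

```python
import base64
import json
import urllib.request

# Constructed sample data (hypothetical issuer, not a real cluster): a discovery
# document and JWKS of the shape a Kubernetes cluster publishes for projected
# service-account tokens.
ISSUER = "https://oidc.example.invalid"

DISCOVERY_DOC = {
    "issuer": ISSUER,
    "jwks_uri": ISSUER + "/openid/v1/jwks",
    "response_types_supported": ["id_token"],
    "subject_types_supported": ["public"],
    "id_token_signing_alg_values_supported": ["RS256"],
}

# Key material is a placeholder; only the kid matters for this check.
JWKS = {"keys": [{"kty": "RSA", "kid": "kid-2024-a", "use": "sig",
                  "alg": "RS256", "n": "AQAB", "e": "AQAB"}]}


def b64url_decode(part: str) -> bytes:
    """Decode a base64url segment, restoring the padding JWTs strip."""
    part += "=" * (-len(part) % 4)
    return base64.urlsafe_b64decode(part)


def b64url_encode(raw: bytes) -> str:
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode()


def decode_jwt_unverified(token: str):
    """Return (header, claims) WITHOUT verifying the signature.
    Diagnostics only: nothing here proves the token is genuine."""
    header_b64, claims_b64, _sig_b64 = token.split(".")
    return json.loads(b64url_decode(header_b64)), json.loads(b64url_decode(claims_b64))


def make_unsigned_token(header: dict, claims: dict) -> str:
    """Build a token with a dummy signature; used only to construct test input."""
    parts = [b64url_encode(json.dumps(x, separators=(",", ":")).encode())
             for x in (header, claims)]
    return ".".join(parts + ["c2lnbmF0dXJl"])  # base64url("signature"), a placeholder


def check_token_against_issuer(token: str, expected_issuer: str,
                               discovery: dict, jwks: dict) -> list:
    """Static checks that must line up before Azure AD can validate the token.
    Returns a list of human-readable problems; an empty list means they agree."""
    problems = []
    header, claims = decode_jwt_unverified(token)

    if claims.get("iss") != expected_issuer:
        problems.append(f"iss claim {claims.get('iss')!r} != federated credential "
                        f"issuer {expected_issuer!r}")
    if discovery.get("issuer") != expected_issuer:
        problems.append(f"discovery 'issuer' {discovery.get('issuer')!r} != "
                        f"expected issuer {expected_issuer!r}")
    if not str(discovery.get("jwks_uri", "")).startswith("https://"):
        problems.append("jwks_uri missing or not https; Azure AD fetches it over the internet")
    kids = {k.get("kid") for k in jwks.get("keys", []) if k.get("kid")}
    if header.get("kid") not in kids:
        problems.append(f"token kid {header.get('kid')!r} not found in JWKS "
                        f"(available: {sorted(kids)})")
    return problems


def fetch_issuer_docs(issuer: str, timeout: int = 10):
    """Live equivalent of the two curl commands: fetch the discovery document,
    then the JWKS at the jwks_uri it advertises. Needs network access."""
    url = issuer.rstrip("/") + "/.well-known/openid-configuration"
    with urllib.request.urlopen(url, timeout=timeout) as resp:
        discovery = json.load(resp)
    with urllib.request.urlopen(discovery["jwks_uri"], timeout=timeout) as resp:
        jwks = json.load(resp)
    return discovery, jwks


if __name__ == "__main__":
    token = make_unsigned_token(
        {"alg": "RS256", "kid": "kid-2024-a"},
        {"iss": ISSUER, "sub": "system:serviceaccount:default:workload-sa",
         "aud": "api://AzureADTokenExchange"})
    for issue in check_token_against_issuer(token, ISSUER, DISCOVERY_DOC, JWKS) or ["OK"]:
        print(issue)
```

A trailing slash is the usual way the "exact match" rule bites: passing ISSUER + "/" as the federated credential issuer makes both the iss claim check and the discovery "issuer" check fail even though the cluster is reachable. Swap DISCOVERY_DOC and JWKS for the result of fetch_issuer_docs(SERVICE_ACCOUNT_ISSUER) to run the same checks against a live issuer; if that call itself fails from a machine outside your network, that is the AADSTS90061 cause.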

