OIDC Authentication Failure: Received Forbidden Response from JWT API

[13013SwagR]

Description:

I've been using the actions-oidc-debugger successfully in the past, but recently, without any changes to my configuration, it has stopped working and now returns a Forbidden error when attempting to authenticate using OIDC.

Error Message:

received non-200 from jwt api: Forbidden

Configuration:

Here's the relevant part of the GitHub Actions workflow configuration, which is closely based on the official documentation:

jobs:
  debug-oidc:
    permissions:
      contents: read
      id-token: write
    runs-on: [self-hosted, micro]
    steps:
      - name: Checkout actions-oidc-debugger
        uses: actions/checkout@v3
        with:
          repository: github/actions-oidc-debugger
          ref: main
          path: ./.github/actions/actions-oidc-debugger
      - name: Debug OIDC Claims
        uses: ./.github/actions/actions-oidc-debugger
        with:
          audience: 'https://github.com/github'

Expected Behavior:

The OIDC authentication should complete successfully as it had in the past, allowing the workflow to proceed without authentication errors.

Actual Behavior:

The workflow fails during the OIDC authentication step with a Forbidden error, indicating a lack of permission or other authorization issues.

Additional Context:

No changes were made to the GitHub Actions permissions or runner configuration prior to the onset of this issue.
This issue started occurring recently, suggesting a possible external change in the handling of OIDC requests or a change in API behavior.

Can you validate it still works the same on your side ?

[joaopenteado]

I'm experiencing the exact same problem right now.

[joshjohanning]

@13013SwagR @joaopenteado The documentation doesn't really call this out, but you have to update the audience parameter from https://github.com/github to your organization name. Example using variables:

  print-oidc-token:
    runs-on: ubuntu-latest
    permissions:
      id-token: write
      contents: read
    steps:
    - name: Checkout actions-oidc-debugger
      uses: actions/checkout@v4
      with:
        repository: github/actions-oidc-debugger
        ref: main
        path: ./.github/actions/actions-oidc-debugger
    - name: Debug OIDC Claims
      uses: ./.github/actions/actions-oidc-debugger
      with:
        audience: '${{ github.server_url }}/${{ github.repository_owner }}'

This prints:

{
  "actor": "joshjohanning",
  "actor_id": "19912012",
  "aud": "https://github.com/joshjohanning-org",
  "base_ref": "",
  "enterprise": "avocado-corp",
  "enterprise_id": "2",
  "event_name": "push",
  "exp": 1715869341,
  "head_ref": "",
  "iat": 1715869041,
  "iss": "https://token.actions.githubusercontent.com",
  "job_workflow_ref": "joshjohanning-org/oidc-claims-demo/.github/workflows/azure-oidc-demo.yml@refs/heads/main",
  "job_workflow_sha": "e9c9f65767da34304ad442cc27627bba942f21c4",
  "jti": "ccd75be3-81a1-42aa-8293-ab65aab83e3a",
  "nbf": 1715868441,
  "ref": "refs/heads/main",
  "ref_protected": "false",
  "ref_type": "branch",
  "repository": "joshjohanning-org/oidc-claims-demo",
  "repository_id": "702465634",
  "repository_owner": "joshjohanning-org",
  "repository_owner_id": "95450610",
  "repository_visibility": "public",
  "run_attempt": "1",
  "run_id": "9113947298",
  "run_number": "30",
  "runner_environment": "github-hosted",
  "sha": "e9c9f65767da34304ad442cc27627bba942f21c4",
  "sub": "job_workflow_ref:joshjohanning-org/oidc-claims-demo/.github/workflows/azure-oidc-demo.yml@refs/heads/main",
  "workflow": "Azure OIDC Demo",
  "workflow_ref": "joshjohanning-org/oidc-claims-demo/.github/workflows/azure-oidc-demo.yml@refs/heads/main",
  "workflow_sha": "e9c9f65767da34304ad442cc27627bba942f21c4"
}

[13013SwagR]

Thanks @joshjohanning it worked!
I will submit a documentation improvement.

[joaopenteado]

@joshjohanning Thanks it worked!