Showing content from https://docs.github.com/en/copilot/concepts/extensions/openid-connect below:

OpenID Connect (OIDC) for GitHub Copilot Extensions

Learn how OpenID Connect (OIDC) enables Copilot Extensions to securely authenticate users and access cloud resources without storing long-lived credentials.

About OpenID Connect (OIDC) for Copilot Extensions

OpenID Connect (OIDC) allows Copilot Extensions to exchange short-lived tokens directly from their cloud provider instead of storing long-lived GitHub credentials. This feature enables both Copilot agents and skillsets to more securely authenticate users and access cloud resources.

Overview of OIDC

Copilot Extensions often need to access third-party resources or APIs on behalf of users. Traditionally, this required storing GitHub tokens as secrets and making additional API calls to map these tokens to user identities in your system. With OIDC, your extension can request short-lived access tokens directly from your authentication service by exchanging GitHub identity information.

When enabled, GitHub's OIDC provider automatically generates a token containing claims about the user and the request context. Your authentication service can validate these claims and exchange them for an access token scoped specifically for your service.

Using OIDC is especially valuable for Copilot skillsets development because it allows you to leverage your existing API endpoints without maintaining separate GitHub-specific endpoints. Instead of duplicating endpoints to accept GitHub tokens, you can use OIDC to translate GitHub identities into your service’s native authentication tokens.

Benefits of using OIDC

By implementing OIDC token exchange in your Copilot Extension, you can:

About token exchange flow

The following outlines how the Copilot Extensibility Platform exchanges an OIDC token for an access token to authenticate requests to your extension.

Initial request

  1. The user sends a message to your Copilot Extension.
  2. GitHub generates an OIDC token containing user identity information.
  3. GitHub calls your token exchange endpoint with the OIDC token.
  4. Your service validates the token and returns an access token.
  5. GitHub includes your access token in the request to your extension.

# HTTP header
Authorization: Bearer <your-service-token>
X-GitHub-Token: <github-token>

Subsequent requests

  1. GitHub caches your access token for up to 10 minutes.
  2. The cached token is reused for subsequent requests.
  3. If the token expires or becomes invalid, GitHub requests a new one.

Understanding OIDC tokens

The OIDC token from GitHub is a JWT containing claims about the user and request context:

{
  "jti": "<unique-token-id>",
  "sub": "<github-user-id>",
  "aud": "<your-client-id>",
  "iss": "https://github.com/login/oauth",
  "nbf": 1632492967,
  "exp": 1632493867,
  "iat": 1632493567,
  "act": {
    "sub": "api.copilotchat.com"
  }
}
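
The claim checks a token exchange endpoint would run in step 4 of the flow above, as an added example that is not code from GitHub's documentation. It assumes the JWT signature has already been verified against the issuer's published keys; the function name, the 30-second leeway, the in-memory `jti` replay cache (which presumes each exchange call carries a fresh token) and the sample claim values are assumptions made for this example.

```python
import time

GITHUB_ISSUER = "https://github.com/login/oauth"  # "iss" value shown in the sample token
COPILOT_ACTOR = "api.copilotchat.com"             # "act.sub" value shown in the sample token
LEEWAY = 30  # assumed tolerance for clock skew, in seconds

# Constructed sample: timestamps come from the page, the other values are made up.
SAMPLE_CLIENT_ID = "constructed-client-id"
SAMPLE_CLAIMS = {
    "jti": "constructed-token-id-1", "sub": "1234567", "aud": SAMPLE_CLIENT_ID,
    "iss": GITHUB_ISSUER, "nbf": 1632492967, "exp": 1632493867, "iat": 1632493567,
    "act": {"sub": COPILOT_ACTOR},
}

class ClaimError(Exception):
    """The token's claims do not match what this service expects."""

_seen_jti = {}  # jti -> exp; in-memory replay cache (a shared store is needed across workers)

def validate_claims(claims, client_id, now=None):
    """Check the payload of an already signature-verified token; return the GitHub user id."""
    now = int(time.time()) if now is None else now
    if claims.get("iss") != GITHUB_ISSUER:
        raise ClaimError("unexpected issuer")
    aud = claims.get("aud")
    if not client_id or client_id not in (aud if isinstance(aud, list) else [aud]):
        raise ClaimError("token issued for a different audience")
    exp, nbf = claims.get("exp"), claims.get("nbf")
    if not isinstance(exp, int) or now > exp + LEEWAY:
        raise ClaimError("token expired or exp missing")
    if isinstance(nbf, int) and now < nbf - LEEWAY:
        raise ClaimError("token not yet valid")
    act = claims.get("act")
    if not isinstance(act, dict) or act.get("sub") != COPILOT_ACTOR:
        raise ClaimError("unexpected actor")
    sub, jti = claims.get("sub"), claims.get("jti")
    if not sub or not jti:
        raise ClaimError("sub or jti missing")
    # Drop cache entries that can no longer pass the exp check, then reject reuse.
    for old in [j for j, e in _seen_jti.items() if e + LEEWAY < now]:
        del _seen_jti[old]
    if jti in _seen_jti:
        raise ClaimError("token replayed")
    _seen_jti[jti] = exp
    return str(sub)
```

The returned `sub` is the GitHub user id to map to an account in your own system before issuing your service's access token.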
