microsoft
diff --git a/‎Tasks/NotationV0/Strings/resources.resjson/en-US/resources.resjson
+3-2 b/‎Tasks/NotationV0/Strings/resources.resjson/en-US/resources.resjson
+3-2
diff --git a/‎Tasks/NotationV0/package-lock.json
+94-10 b/‎Tasks/NotationV0/package-lock.json
+94-10
diff --git a/‎Tasks/NotationV0/package.json
+3-1 b/‎Tasks/NotationV0/package.json
+3-1
diff --git a/‎Tasks/NotationV0/src/lib/credentials.ts
+79-6 b/‎Tasks/NotationV0/src/lib/credentials.ts
+79-6
@@ -39,12 +39,13 @@
   "loc.messages.ArtifactRefs": "Artifact references: %s.",
   "loc.messages.ArtifactRefsNotSpecified": "Artifact references are not specified.",
   "loc.messages.APPDATANotSet": "APPDATA is not set.",
-  "loc.messages.AzureKVPluginAlreadyInstalled": "Azure Key Vault plugin is already installed.",
+  "loc.messages.AzureKVPluginAlreadyInstalled": "Azure Key Vault plugin v%s is already installed.",
   "loc.messages.CannotFindTrustStore": "Cannot find trust store directory: %s.",
   "loc.messages.ChecksumValidated": "Checksum validated: %s.",
   "loc.messages.ChecksumValidationFailed": "Checksum validation failed. Expected: %s, Actual: %s.",
   "loc.messages.FailedArtifacts": "Failed artifacts: %s.",
   "loc.messages.FailedToAddCertToTrustStore": "Failed to add a certificate to trust store: %s.",
+  "loc.messages.FailedToGetWorkloadIdToken": "Failed to get workload identity token: %s.",
   "loc.messages.FailedToImportTrustPolicy": "Failed to import trust policy: %s.",
   "loc.messages.FailedToListTrustStore": "Failed to list the trust store.",
   "loc.messages.FailedToShowTrustPolicy": "Failed to show trust policy.",
@@ -65,7 +66,7 @@
   "loc.messages.UnsupportedFileExtension": "Unsupported file extension: %s.",
   "loc.messages.UnsupportedPlatform": "Unsupported platform: %s.",
   "loc.messages.UnsupportedVersion": "Unsupported version: %s.",
-  "loc.messages.UseManagedIdentity": "Use managed identity to access Azure Key Vault.",
+  "loc.messages.UseAuthenticationMethod": "Use %s to access Azure Key Vault.",
   "loc.messages.UnknownCommand": "Unknown command: %s.",
   "loc.messages.UnknownError": "An unknown error occurred.",
   "loc.messages.UnknownPlugin": "Unknown plugin: %s.",
 
@@ -10,9 +10,11 @@
   "author": "",
   "license": "MIT",
   "dependencies": {
-    "@types/node": "^16.11.39",
     "@types/mocha": "^5.2.7",
+    "@types/node": "^16.11.39",
+    "azure-devops-node-api": "^13.0.0",
     "azure-pipelines-task-lib": "4.6.1",
+    "azure-pipelines-tasks-artifacts-common": "^2.230.0",
     "azure-pipelines-tool-lib": "2.0.7"
   },
   "devDependencies": {
 
@@ -1,31 +1,37 @@
 import * as taskLib from 'azure-pipelines-task-lib/task';
 import * as fs from 'fs';
 import * as path from 'path';
+import { getSystemAccessToken } from 'azure-pipelines-tasks-artifacts-common/webapi';
+import { getHandlerFromToken, WebApi } from "azure-devops-node-api";
+import { ITaskApi } from "azure-devops-node-api/TaskApi";
 
-export async function getVaultCredentials(): Promise<{ [key: string]: string }> {
+export async function getVaultCredentials(): Promise<[{ [key: string]: string }, String]> {
     let connectedService = taskLib.getInput("azurekvServiceConection", true);
     if (!connectedService) {
         console.log(taskLib.loc('NoServiceConnection'));
-        return {};
+        return [{}, ""];
     }
+
     var authScheme = taskLib.getEndpointAuthorizationScheme(connectedService, true);
     if (!authScheme) {
         console.log(taskLib.loc('NoAuthScheme'));
-        return {};
+        return [{}, ""];
     }
 
     let envVariables = {};
+    let credentialType = "";
     switch (authScheme.toLocaleLowerCase()) {
         case "managedserviceidentity":
             // azure key vault plugin will automatially try managed idenitty
-            console.log(taskLib.loc('UseManagedIdentity'));
+            console.log(taskLib.loc('UseAuthenticationMethod', 'Managed Identity'));
+            credentialType = "managedid";
             break;
         case "serviceprincipal":
+            console.log(taskLib.loc('UseAuthenticationMethod', 'Service Principal'));
             let authType = taskLib.getEndpointAuthorizationParameter(connectedService, 'authenticationType', true);
             let cliPassword: string | undefined = "";
             var servicePrincipalId = taskLib.getEndpointAuthorizationParameter(connectedService, "serviceprincipalid", false);
             var tenantId = taskLib.getEndpointAuthorizationParameter(connectedService, "tenantid", false);
-
             if (authType == "spnCertificate") {
                 taskLib.debug('certificate based endpoint');
                 let certificateContent = taskLib.getEndpointAuthorizationParameter(connectedService, "servicePrincipalCertificate", false) ?? '';
@@ -50,9 +56,76 @@ export async function getVaultCredentials(): Promise<{ [key: string]: string }>
                     "AZURE_CLIENT_SECRET": cliPassword,
                 }
             }
+            credentialType = "environment"
+            break;
+        case "workloadidentityfederation":
+            console.log(taskLib.loc('UseAuthenticationMethod', 'Workload Identity Federation'));
+            var servicePrincipalId = taskLib.getEndpointAuthorizationParameter(connectedService, "serviceprincipalid", false);
+            var tenantId = taskLib.getEndpointAuthorizationParameter(connectedService, "tenantid", false);
+            const federatedToken = await getWorkloadIdToken(connectedService);
+            const extractPath = taskLib.getVariable('Agent.TempDirectory');
+            if (!extractPath) {
+                throw new Error(taskLib.loc('TempDirectoryNotSet'));
+            }
+
+            const tokenFile = path.join(extractPath, 'oidcToken');
+            fs.writeFileSync(tokenFile, federatedToken);
+            envVariables = {
+                "AZURE_TENANT_ID": tenantId,
+                "AZURE_CLIENT_ID": servicePrincipalId,
+                "AZURE_FEDERATED_TOKEN_FILE": tokenFile,
+            }
+            credentialType = "workloadid"
             break;
         default:
             throw new Error(taskLib.loc('UnsupportedAuthScheme', authScheme));
     }
-    return envVariables;
+
+    return [envVariables, credentialType];
 }
+
+async function getWorkloadIdToken(connectedService: string): Promise<string> {
+    const jobId = taskLib.getVariable("System.JobId");
+    if (!jobId) {
+        throw new Error(taskLib.loc('FailedToGetWorkloadIdToken', 'JobId not set'));
+    }
+
+    const planId = taskLib.getVariable("System.PlanId");
+    if (!planId) {
+        throw new Error(taskLib.loc('FailedToGetWorkloadIdToken', 'PlanId not set'));
+    }
+
+    const projectId = taskLib.getVariable("System.TeamProjectId");
+    if (!projectId) {
+        throw new Error(taskLib.loc('FailedToGetWorkloadIdToken', 'ProjectId not set'));
+    }
+
+    const hub = taskLib.getVariable("System.HostType");
+    if (!hub) {
+        throw new Error(taskLib.loc('FailedToGetWorkloadIdToken', 'Hub not set'));
+    }
+
+    const uri = taskLib.getVariable("System.CollectionUri");
+    if (!uri) {
+        throw new Error(taskLib.loc('FailedToGetWorkloadIdToken', 'CollectionUri not set'));
+    }
+
+    const token = getSystemAccessToken();
+    if (!token) {
+        throw new Error(taskLib.loc('FailedToGetWorkloadIdToken', 'Token not set'));
+    }
+
+    const authHandler = getHandlerFromToken(token);
+    const connection = new WebApi(uri, authHandler);
+    const api: ITaskApi = await connection.getTaskApi();
+    const response = await api.createOidcToken({}, projectId, hub, planId, jobId, connectedService);
+    if (response == null) {
+        throw new Error(taskLib.loc('FailedToGetWorkloadIdToken', 'Response is null'));
+    }
+
+    if (!response.oidcToken) {
+        throw new Error(taskLib.loc('FailedToGetWorkloadIdToken', 'Token not set'));
+    }
+
+    return response.oidcToken;
+}