Ah, I have a sneaking suspicion on where wires are getting a bit crossed.
I think I’ve made an (incorrect!) assumption here that when you’re referring to CI, you’re implicitly using Horde as the CI mechanism. I suspect I’m incorrect in this - and as a result, you’re not using the HordeAgent (and subsequently, you’re not getting the whole JobTaskSource minting of JIT token, which is then injected through the entire call hierarchy I listed above).
So regarding:
- > Isn’t that on the agent side though? Is that a different way to do this? We are directly running UBT on the build server (in service process) which would be a client, not an agent, right?
Yes this is through the Horde Agent side - and the Horde Build plugin context. Carl has outlined very much the local user context, that is, outside of the HordeAgent (and JobDriver) wrapper, and how that auth path progresses (and where interactive is seeming an “OK” option).
If all tracks up to this point, then I have a more concrete user story that I think I can work with [mention removed] on to see if we can find a path forward for you (some of the referenced EPS thread has attributes that have since been obsoleted - OIDCProvider being one of them).
Let me know if we are aligned.