Using an access token for the Azure DevOps REST API.

Question

I'm trying to use the devops Rest API to work with pipelines.

I'm requesting an access token, then using it to make the devops post request.

    using System.Net.Http;
    using System.Net.Http.Headers;
    using Microsoft.Identity.Client; // MSAL.NET

    string orgName = "MyOrg";
    string project = "MyProject";
    string tenantId = "0eb...";
    string authority = $"https://login.microsoftonline.com/{tenantId}";
    string clientId = "656...";
    string clientSecret = "n.C...";
    string scope = "499b84ac-1321-427f-aa17-267ca6975798/.default"; // Azure DevOps access scope

    // Confidential client using the client credentials flow (client ID + secret)
    var app = ConfidentialClientApplicationBuilder
        .Create(clientId)
        .WithClientSecret(clientSecret)
        .WithAuthority(new Uri(authority))
        .Build();

    var result = await app.AcquireTokenForClient(new[] { scope }).ExecuteAsync();
    string accessToken = result.AccessToken;

    // Send the token as a Bearer credential to the pipelines endpoint
    using var client = new HttpClient();
    client.DefaultRequestHeaders.Authorization = new AuthenticationHeaderValue("Bearer", accessToken);

    HttpResponseMessage response2 = await client.GetAsync($"https://dev.azure.com/{orgName}/{project}/_apis/pipelines?api-version=7.0");
    string responseBody = await response2.Content.ReadAsStringAsync();

In the Azure portal Active Directory blade, I have registered an app, and am using the Directory (tenant) ID listed in the overview page as the tenantId. In the Certificates & secrets submenu, I have created a client secret, and am using the Value as the clientId and the Secret ID as the clientSecret. My understanding is that the scope 499b84ac-1321-427f-aa17-267ca6975798/.default is a hardcoded guid that resolves to all devops permissions.

I am getting this for a response:

TF401444: Please sign-in at least once as {tenantId}\{tenantId}\{guid I don't recognize} in a web browser to enable access to the service.","typeName":"Microsoft.TeamFoundation.Framework.Server.UnauthorizedRequestException, Microsoft.TeamFoundation.Framework.Server","typeKey":"UnauthorizedRequestException","errorCode":0,"eventId":3000}

I don't understand what I am missing here. Why am I being asked to log in? Shouldn't the token be enough to authorize my API request? My goal here is for an API service to be able to work with pipelines. Any help would be much appreciated.

Answer 1

Score: 1

Your app registration needs to have permission to access the Devops REST API. This is configured in the API Permissions section of the App Registration. It also looks like you're trying to use a Client Credential Flow (client ID and Secret).

Looking at the portal, it doesn't appear that Application permissions - which you need with Client Credential flow - are available for Azure Devops, so this approach is not going to work.

You have two options:

  1. In a web app, use delegated permissions and the logged-in user's security context.

  2. Use a PAT (personal access token) and a Basic Auth header in your REST call.
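
Option 2 above, shown as an added example that is not part of the original answer: the PAT is sent as the password half of a Basic credential with an empty user name, and any response that is not 200 with a JSON body is treated as an authentication or permission failure instead of being parsed. The environment variable name `AZDO_PAT` and the class name are assumptions; `MyOrg` and `MyProject` are the placeholders from the question.

```csharp
using System;
using System.Net;
using System.Net.Http;
using System.Net.Http.Headers;
using System.Text;
using System.Text.Json;
using System.Threading.Tasks;

public static class DevOpsPatExample // hypothetical class name
{
    // Basic auth for a PAT: "user:password" with the user name left empty.
    public static AuthenticationHeaderValue BuildPatHeader(string pat)
    {
        if (string.IsNullOrWhiteSpace(pat))
            throw new ArgumentException("PAT is empty", nameof(pat));
        string encoded = Convert.ToBase64String(Encoding.ASCII.GetBytes(":" + pat));
        return new AuthenticationHeaderValue("Basic", encoded);
    }

    public static async Task Main()
    {
        string orgName = "MyOrg";      // placeholder from the question
        string project = "MyProject";  // placeholder from the question
        // AZDO_PAT is an assumed variable name; the PAT stays out of source code.
        // Create the PAT with the narrowest scope the service needs.
        string pat = Environment.GetEnvironmentVariable("AZDO_PAT")
            ?? throw new InvalidOperationException("Set AZDO_PAT first");

        using var client = new HttpClient();
        client.DefaultRequestHeaders.Authorization = BuildPatHeader(pat);
        client.DefaultRequestHeaders.Accept.Add(new MediaTypeWithQualityHeaderValue("application/json"));

        string url = $"https://dev.azure.com/{orgName}/{project}/_apis/pipelines?api-version=7.0";
        using HttpResponseMessage response = await client.GetAsync(url);
        string body = await response.Content.ReadAsStringAsync();

        // Do not parse sign-in pages or error payloads as pipeline data.
        string mediaType = response.Content.Headers.ContentType?.MediaType ?? "";
        if (response.StatusCode != HttpStatusCode.OK || mediaType != "application/json")
        {
            Console.Error.WriteLine($"Request failed: {(int)response.StatusCode} ({mediaType})");
            return;
        }

        // The list response wraps the pipelines in a "value" array.
        using JsonDocument doc = JsonDocument.Parse(body);
        foreach (JsonElement p in doc.RootElement.GetProperty("value").EnumerateArray())
            Console.WriteLine($"{p.GetProperty("id").GetInt32()}  {p.GetProperty("name").GetString()}");
    }
}
```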

Published on April 4, 2023, 04:26:15