英文:
How to access azure devops apis via an azure app?
问题
以下是您提供的内容的中文翻译:
我正在尝试获取JWT访问令牌以调用一些Azure DevOps API端点。
CLIENT_ID/.default ==
user_impersonation 和
User.Read
这将返回给我一个code。
然后,我使用这个代码来发起POST请求:
> https://login.microsoftonline.com/organizations/oauth2/v2.0/token
使用以下参数:
client_id:CLIENT_ID
client_secret:SECRET
scope:CLIENT_ID/.default
redirect_uri:https://foo.bar.com/auth
code:CODE
这将返回给我一个access_token。但是这个访问令牌似乎不能做太多事情。
我已经尝试过将其用于https://graph.microsoft.com/v2.0/me/(它总是返回“访问令牌验证失败。无效的受众。”)和https://dev.azure.com/paradime-io/_apis/git/repositories?api-version=2.0(只是一个让我登录的HTML) - 都使用Authorization: Bearer {access_token}头部,但它们不起作用。
我还尝试过将其用于git clone...的用户名和密码,但也不起作用。
我还尝试过使用on_behalf_of和/token端点:
client_id:CLIENT_ID
client_secret:SECRET
scope:CLIENT_ID/.default
//client_assertion_type:urn:ietf:params:oauth:client-assertion-type:jwt-beare
requested_token_use:on_behalf_of
assertion:CODE
但返回的access_token在其他API端点上也无法使用。
英文:
I am trying to get the jwt access token to call some azure devops API endpoints.
I first Get the code via oauth endpoint:
> https://login.microsoftonline.com/organizations/oauth2/v2.0/authorize?client_id=CLIENT_ID&response_type=code&prompt=select_account&scope=CLIENT_ID/.default&redirect_uri=https://foo.bar.com/auth
CLIENT_ID/.default ==
user_impersonation and
User.Read
this returns me a code
I then use this code to make a post request to:
> https://login.microsoftonline.com/organizations/oauth2/v2.0/token
with
grant_type:authorization_code
client_id:CLIENT_ID
client_secret:SECRET
scope:CLIENT_ID/.default
redirect_uri:https://foo.bar.com/auth
code:CODE
this returns me an access_token. However this access token doesn't seem to be able to do much.
I have tried it with https://graph.microsoft.com/v2.0/me/ (It always returns Access token validation failure. Invalid audience.) and https://dev.azure.com/paradime-io/_apis/git/repositories?api-version=2.0 (just html for me to login) - both using Authorization: Bearer {access_token} header but they do not work.
I have also tried to use it with git clone... username & password but that is also not working.
I have also tried to use on_behalf_of and the /token endpoint:
grant_type:urn:ietf:params:oauth:grant-type:jwt-bearer
client_id:CLIENT_ID
client_secret:SECRET
scope:CLIENT_ID/.default
//client_assertion_type:urn:ietf:params:oauth:client-assertion-type:jwt-beare
requested_token_use:on_behalf_of
assertion:CODE
but the returned access_token is also not useable on the other API endpoints.
答案1
得分: 1
要通过Azure AD应用程序访问Azure DevOps APIs,您需要生成具有499b84ac-1321-427f-aa17-267ca6975798/.default范围的JWT访问令牌。
我注册了一个Azure AD应用程序,并添加了以下API权限:
为了获取授权码,我在获取令牌之前在浏览器中运行了以下授权请求:
https://login.microsoftonline.com/<tenantID>/oauth2/v2.0/authorize
?client_id=<appID>
&response_type=code
&redirect_uri=https://jwt.ms
&response_mode=query
&scope=499b84ac-1321-427f-aa17-267ca6975798/.default
&state=12345
当我在浏览器中运行上述请求时,我成功地在地址栏中获取了code值,如下所示:
我使用授权码流成功地生成了访问令牌,通过在以下请求中包含上述代码来使用Postman:
POST https://login.microsoftonline.com/<tenantID>/oauth2/v2.0/token
grant_type:authorization_code
client_id: <appID>
client_secret: <secret>
scope: 499b84ac-1321-427f-aa17-267ca6975798/.default
code: <paste_code_from_above_request>
redirect_uri: https://jwt.ms
响应:
当我使用上述访问令牌调用以下DevOps API时,我成功地获得了以下响应:
GET https://dev.azure.com/<orgname>/_apis/git/repositories?api-version=2.0
响应:
要调用Microsoft Graph,您需要将scope值更改为**https://graph.microsoft.com/.default**以获取访问令牌。
英文:
To access Azure DevOps APIs via Azure AD application, you need to generate jwt access token with 499b84ac-1321-427f-aa17-267ca6975798/.default scope.
I registered one Azure AD application and added API permissions like below:
To get authorization code, I ran below authorization request in browser before acquiring token:
https://login.microsoftonline.com/<tenantID>/oauth2/v2.0/authorize
?client_id=<appID>
&response_type=code
&redirect_uri=https://jwt.ms
&response_mode=query
&scope=499b84ac-1321-427f-aa17-267ca6975798/.default
&state=12345
When I ran above request in browser, I got code value successfully in address bar like this:
I generated access token using authorization code flow successfully via Postman by including above code in below request:
POST https://login.microsoftonline.com/<tenantID>/oauth2/v2.0/token
grant_type:authorization_code
client_id: <appID>
client_secret: <secret>
scope: 499b84ac-1321-427f-aa17-267ca6975798/.default
code: <paste_code_from_above_request>
redirect_uri: https://jwt.ms
Response:
When I used above access token to call following DevOps API, I got response successfully like below:
GET https://dev.azure.com/<orgname>/_apis/git/repositories?api-version=2.0
Response:
To call Microsoft Graph, you need to change the scope value to https://graph.microsoft.com/.default while acquiring access token.
通过集体智慧和协作来改善编程学习和解决问题的方式。致力于成为全球开发者共同参与的知识库,让每个人都能够通过互相帮助和分享经验来进步。
评论