如何通过 Azure 应用程序访问 Azure DevOps API?

huangapple
go评论76阅读模式
英文:

How to access azure devops apis via an azure app?

问题

以下是您提供的内容的中文翻译:

我正在尝试获取JWT访问令牌以调用一些Azure DevOps API端点。

首先,通过OAuth端点获取代码:
> https://login.microsoftonline.com/organizations/oauth2/v2.0/authorize?client_id=CLIENT_ID&response_type=code&prompt=select_account&scope=CLIENT_ID/.default&redirect_uri=https://foo.bar.com/auth

CLIENT_ID/.default ==
user_impersonation 和
User.Read

这将返回给我一个code

然后,我使用这个代码来发起POST请求:
> https://login.microsoftonline.com/organizations/oauth2/v2.0/token

使用以下参数:

client_id:CLIENT_ID
client_secret:SECRET
scope:CLIENT_ID/.default
redirect_uri:https://foo.bar.com/auth
code:CODE

这将返回给我一个access_token。但是这个访问令牌似乎不能做太多事情。

我已经尝试过将其用于https://graph.microsoft.com/v2.0/me/(它总是返回“访问令牌验证失败。无效的受众。”)和https://dev.azure.com/paradime-io/_apis/git/repositories?api-version=2.0(只是一个让我登录的HTML) - 都使用Authorization: Bearer {access_token}头部,但它们不起作用。

我还尝试过将其用于git clone...的用户名和密码,但也不起作用。

我还尝试过使用on_behalf_of/token端点:

client_id:CLIENT_ID
client_secret:SECRET
scope:CLIENT_ID/.default
//client_assertion_type:urn:ietf:params:oauth:client-assertion-type:jwt-beare
requested_token_use:on_behalf_of
assertion:CODE

但返回的access_token在其他API端点上也无法使用。

英文:

I am trying to get the jwt access token to call some azure devops API endpoints.

I first Get the code via oauth endpoint:
> https://login.microsoftonline.com/organizations/oauth2/v2.0/authorize?client_id=CLIENT_ID&response_type=code&prompt=select_account&scope=CLIENT_ID/.default&redirect_uri=https://foo.bar.com/auth

CLIENT_ID/.default ==
user_impersonation and
User.Read

this returns me a code

I then use this code to make a post request to:

> https://login.microsoftonline.com/organizations/oauth2/v2.0/token

with

grant_type:authorization_code
client_id:CLIENT_ID
client_secret:SECRET
scope:CLIENT_ID/.default
redirect_uri:https://foo.bar.com/auth
code:CODE

this returns me an access_token. However this access token doesn't seem to be able to do much.

I have tried it with https://graph.microsoft.com/v2.0/me/ (It always returns Access token validation failure. Invalid audience.) and https://dev.azure.com/paradime-io/_apis/git/repositories?api-version=2.0 (just html for me to login) - both using Authorization: Bearer {access_token} header but they do not work.

I have also tried to use it with git clone... username & password but that is also not working.

I have also tried to use on_behalf_of and the /token endpoint:

grant_type:urn:ietf:params:oauth:grant-type:jwt-bearer
client_id:CLIENT_ID
client_secret:SECRET
scope:CLIENT_ID/.default
//client_assertion_type:urn:ietf:params:oauth:client-assertion-type:jwt-beare
requested_token_use:on_behalf_of
assertion:CODE

but the returned access_token is also not useable on the other API endpoints.

答案1

得分: 1

要通过Azure AD应用程序访问Azure DevOps APIs,您需要生成具有499b84ac-1321-427f-aa17-267ca6975798/.default范围的JWT访问令牌。

我注册了一个Azure AD应用程序,并添加了以下API权限:

如何通过 Azure 应用程序访问 Azure DevOps API?

为了获取授权码,我在获取令牌之前在浏览器中运行了以下授权请求:

https://login.microsoftonline.com/<tenantID>/oauth2/v2.0/authorize
?client_id=<appID>
&response_type=code
&redirect_uri=https://jwt.ms
&response_mode=query
&scope=499b84ac-1321-427f-aa17-267ca6975798/.default
&state=12345

当我在浏览器中运行上述请求时,我成功地在地址栏中获取了code值,如下所示:

如何通过 Azure 应用程序访问 Azure DevOps API?

我使用授权码流成功地生成了访问令牌,通过在以下请求中包含上述代码来使用Postman:

POST https://login.microsoftonline.com/<tenantID>/oauth2/v2.0/token
grant_type:authorization_code
client_id: <appID>
client_secret: <secret>
scope: 499b84ac-1321-427f-aa17-267ca6975798/.default
code: <paste_code_from_above_request>
redirect_uri: https://jwt.ms

响应:
如何通过 Azure 应用程序访问 Azure DevOps API?

当我使用上述访问令牌调用以下DevOps API时,我成功地获得了以下响应:

GET https://dev.azure.com/<orgname>/_apis/git/repositories?api-version=2.0

响应:
如何通过 Azure 应用程序访问 Azure DevOps API?

要调用Microsoft Graph,您需要将scope值更改为**https://graph.microsoft.com/.default**以获取访问令牌。

英文:

To access Azure DevOps APIs via Azure AD application, you need to generate jwt access token with 499b84ac-1321-427f-aa17-267ca6975798/.default scope.

I registered one Azure AD application and added API permissions like below:

如何通过 Azure 应用程序访问 Azure DevOps API?

To get authorization code, I ran below authorization request in browser before acquiring token:

https://login.microsoftonline.com/&lt;tenantID&gt;/oauth2/v2.0/authorize
?client_id=&lt;appID&gt;
&amp;response_type=code
&amp;redirect_uri=https://jwt.ms
&amp;response_mode=query
&amp;scope=499b84ac-1321-427f-aa17-267ca6975798/.default
&amp;state=12345

When I ran above request in browser, I got code value successfully in address bar like this:

如何通过 Azure 应用程序访问 Azure DevOps API?

I generated access token using authorization code flow successfully via Postman by including above code in below request:

POST https://login.microsoftonline.com/&lt;tenantID&gt;/oauth2/v2.0/token
grant_type:authorization_code
client_id: &lt;appID&gt;
client_secret: &lt;secret&gt;
scope: 499b84ac-1321-427f-aa17-267ca6975798/.default
code: &lt;paste_code_from_above_request&gt;
redirect_uri: https://jwt.ms

Response:
如何通过 Azure 应用程序访问 Azure DevOps API?

When I used above access token to call following DevOps API, I got response successfully like below:

GET https://dev.azure.com/&lt;orgname&gt;/_apis/git/repositories?api-version=2.0

Response:

如何通过 Azure 应用程序访问 Azure DevOps API?

To call Microsoft Graph, you need to change the scope value to https://graph.microsoft.com/.default while acquiring access token.

huangapple
  • 本文由 发表于 2023年6月1日 07:16:07
  • 转载请务必保留本文链接:https://go.coder-hub.com/76377820.html
  • azure
  • azure-devops
  • oauth-2.0
匿名

发表评论

匿名网友

:?: :razz: :sad: :evil: :!: :smile: :oops: :grin: :eek: :shock: :???: :cool: :lol: :mad: :twisted: :roll: :wink: :idea: :arrow: :neutral: :cry: :mrgreen:

确定