2
votes

I have successfully authenticated with Azure AD and received an access token, and I have given the Azure AD app API permissions to access Azure DevOps.

I am using the RestSharp HTTP client to authenticate:

    var client = new RestClient("https://login.microsoftonline.com/{tenant}/oauth2/token");
    var request = new RestRequest("", Method.POST);
    request.AddParameter("grant_type", "client_credentials");
    request.AddParameter("client_id", "00000f-0000-00-00-000000");
    request.AddParameter("client_secret", "][M.&*******?*_5z)y${*[)");
    request.AddParameter("resource", "https://tenant.onmicrosoft.com/4815c06b-7e28-4f88-9dc8-8fe3354d5909");
    IRestResponse response = client.Execute(request);
    var content = response.Content; // raw con

I am happy up to this point. What I can't figure out is how to use the access token to access Azure DevOps. What I have tried thus far:

    var client = new RestClient("https://app.vssps.visualstudio.com/oauth2/token");
    var request = new RestRequest("", Method.POST);
    request.AddParameter("client_id", "My APP code here");
    request.AddParameter("client_secret", "My ap secret here");
    request.AddParameter("client_assertion_type", "urn:ietf:params:oauth:client-assertion-type:jwt-bearer");
    request.AddParameter("client_assertion", "access token here");
    request.AddParameter("grant_type", "authorization_code");

The error I am receiving is "{\"Error\":\"unsupported_grant_type\",\"ErrorDescription\":\"grant_type must be the ietf jwt-bearer type or refresh_token\"}"

What am I missing?

2 Answers

1
votes

Based on my knowledge, client credentials are not supported. If we want to access the Azure DevOps API with Azure AD credentials, we need to create an Azure AD native application and assign permission to the Azure AD application.

After that, we also need to connect the Azure DevOps account to Azure AD.

Enter the address in the browser, then enter the username and password, and you can get the authorization_code.

Get authorization_code

https://login.microsoftonline.com/{tenantId}/oauth2/authorize?resource=499b84ac-1321-427f-aa17-267ca6975798&client_id={applicationId}&response_type=code&redirect_uri={redirecturl}

Get access token

POST login.microsoftonline.com/e4c9ab4e-bd27-40d5-8459-230ba2a757fb/oauth2/token HTTP/1.1
Content-Type: application/x-www-form-urlencoded
Body
resource=499b84ac-1321-427f-aa17-267ca6975798&client_id={clientid}&grant_type=authorization_code&code=AQABAAIAAA..&redirect_uri={redirectUrl}

Then we can use the access token to access the Azure DevOps API.

We can get more detailed steps and C# demo code from this link.

-1
votes

If you have got the access_token, then you can use the access_token to access the web API resources. There is a sample for reference.

    GET /data HTTP/1.1
    Host: service.contoso.com
    Authorization: Bearer "your concrete access_token"

You can click this link to see it in detail. I hope it helps.
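
The three steps from the first answer (authorize URL, code redemption, API call) together with the Bearer header from the second answer, as an added example that is not part of either original answer. It assumes .NET 6 or later; the class and method names are hypothetical, and the `state` parameter, the `organization` placeholder and the `dev.azure.com` projects endpoint with `api-version=6.0` are assumptions not taken from the page.

```csharp
using System;
using System.Collections.Generic;
using System.Net.Http;
using System.Net.Http.Headers;
using System.Security.Cryptography;
using System.Text.Json;
using System.Threading.Tasks;

static class AzureDevOpsAuthCodeDemo
{
    const string Resource = "499b84ac-1321-427f-aa17-267ca6975798"; // resource ID from the answer
    static readonly HttpClient Http = new HttpClient();
    // Step 1: URL to open in the browser. "state" (an addition to the answer's URL) is a
    // random value the redirect handler must compare with the one returned beside the code.
    public static (string Url, string State) BuildAuthorizeUrl(string tenantId, string clientId, string redirectUri)
    {
        string state = Convert.ToBase64String(RandomNumberGenerator.GetBytes(16));
        string url = $"https://login.microsoftonline.com/{tenantId}/oauth2/authorize?resource={Resource}" +
            $"&client_id={Uri.EscapeDataString(clientId)}&response_type=code" +
            $"&redirect_uri={Uri.EscapeDataString(redirectUri)}&state={Uri.EscapeDataString(state)}";
        return (url, state);
    }

    // Step 2: redeem the authorization code. A native (public) client sends no client_secret.
    public static async Task<string> RedeemCodeAsync(string tenantId, string clientId, string redirectUri, string code)
    {
        var form = new FormUrlEncodedContent(new Dictionary<string, string>
        {
            ["resource"] = Resource,
            ["client_id"] = clientId,
            ["grant_type"] = "authorization_code",
            ["code"] = code,
            ["redirect_uri"] = redirectUri,
        });
        using var resp = await Http.PostAsync($"https://login.microsoftonline.com/{tenantId}/oauth2/token", form);
        resp.EnsureSuccessStatusCode();
        using var json = JsonDocument.Parse(await resp.Content.ReadAsStringAsync());
        return json.RootElement.GetProperty("access_token").GetString() ?? throw new InvalidOperationException("no access_token");
    }

    // Step 3: send the token as a Bearer header. Organization and api-version are assumptions.
    public static async Task<string> ListProjectsAsync(string organization, string accessToken)
    {
        using var req = new HttpRequestMessage(HttpMethod.Get, $"https://dev.azure.com/{organization}/_apis/projects?api-version=6.0");
        req.Headers.Authorization = new AuthenticationHeaderValue("Bearer", accessToken);
        using var resp = await Http.SendAsync(req);
        resp.EnsureSuccessStatusCode();
        return await resp.Content.ReadAsStringAsync();
    }
}
```

Keep the returned `State` value until the redirect arrives and reject the response if the `state` query parameter does not match it; the token itself should stay in memory and out of logs.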