Problem Statement: I'm trying to create a module in C# console application that I intend to plug and use in Azure Bot once it is operational. I want to connect my bot with Azure DevOps. I am able to do that with PAT token but I need the bot to only display the resources from DevOps on which the logged in user has access.

Attempts:

  • I am able to get the necessary details using PAT token. It gives me all projects irrespective of the logged in user details.
  • I have tried to use the Azure AD token for the logged in user, but it gives me an unauthorized error when I try to use it to invoke Azure DevOps REST APIs.
  • I referred to this article, but I am unable to get the auth code or token silently.

To summarize, I'm basically looking to:

  • Obtain a user token for Azure DevOps silently (without user confirming with a click)
  • Use REST APIs to fetch details like projects, work items etc.
1 Answer

A Personal Access Token inherits the permissions from the user that created it. So if you, as a project collection administrator, create a token, that token has the same permissions as you do.

Unfortunately there is no public REST API that you can use to create a token at runtime. They have to be created by a logged in user through the portal.

Another option is using OAuth. OAuth asks the user to log in and then gives you a token that you can use in the REST APIs. Unfortunately that doesn't meet your criteria where a user doesn't have to do anything.

The only other way I see is adding the users to the resources they have permissions for. Then from your REST API you can use the admin PAT to check their permissions and then retrieve only what they are allowed to see. Which also isn't really pretty :-(
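One way to implement the last option, as an added example that is not part of the answer and not Microsoft's code: the bot keeps an administrator PAT server-side, lists all projects with it, and then shows the user only the projects where that user is a member of at least one team. The REST endpoints are the documented `projects`, `teams` and `teams/{teamId}/members` calls (api-version 6.0); the environment variable names `AZDO_ORG`, `AZDO_ADMIN_PAT` and `BOT_USER_EMAIL` are assumptions for this example.

```csharp
// Added example (not from the answer above): filter Azure DevOps projects to those
// where a given user belongs to a team, using an administrator PAT that stays on the
// server. Env var names AZDO_ORG, AZDO_ADMIN_PAT and BOT_USER_EMAIL are hypothetical.
using System;
using System.Collections.Generic;
using System.Linq;
using System.Net.Http;
using System.Net.Http.Headers;
using System.Text;
using System.Text.Json;
using System.Threading.Tasks;

public static class ProjectFilter
{
    // Azure DevOps accepts a PAT as HTTP Basic auth with an empty user name.
    public static AuthenticationHeaderValue PatHeader(string pat) =>
        new AuthenticationHeaderValue("Basic",
            Convert.ToBase64String(Encoding.ASCII.GetBytes(":" + pat)));

    private static async Task<JsonDocument> GetJsonAsync(HttpClient http, string url)
    {
        using var resp = await http.GetAsync(url);
        // A 401/403 (expired or under-scoped PAT) fails loudly instead of returning an empty list.
        resp.EnsureSuccessStatusCode();
        return JsonDocument.Parse(await resp.Content.ReadAsStringAsync());
    }

    // Returns the names of projects in which userEmail is a member of at least one team.
    public static async Task<List<string>> ProjectsVisibleToAsync(HttpClient http, string org, string userEmail)
    {
        var visible = new List<string>();
        using var projects = await GetJsonAsync(http,
            $"https://dev.azure.com/{org}/_apis/projects?api-version=6.0");

        foreach (var project in projects.RootElement.GetProperty("value").EnumerateArray())
        {
            string projectId = project.GetProperty("id").GetString()!;
            string projectName = project.GetProperty("name").GetString()!;

            using var teams = await GetJsonAsync(http,
                $"https://dev.azure.com/{org}/_apis/projects/{projectId}/teams?api-version=6.0");

            foreach (var team in teams.RootElement.GetProperty("value").EnumerateArray())
            {
                string teamId = team.GetProperty("id").GetString()!;
                using var members = await GetJsonAsync(http,
                    $"https://dev.azure.com/{org}/_apis/projects/{projectId}/teams/{teamId}/members?api-version=6.0");

                // Each member carries an "identity" object whose uniqueName is the sign-in address.
                bool isMember = members.RootElement.GetProperty("value").EnumerateArray()
                    .Any(m => string.Equals(
                        m.GetProperty("identity").GetProperty("uniqueName").GetString(),
                        userEmail, StringComparison.OrdinalIgnoreCase));

                if (isMember)
                {
                    visible.Add(projectName);
                    break; // one matching team is enough; stop querying this project
                }
            }
        }
        return visible;
    }

    public static async Task Main()
    {
        string org  = Environment.GetEnvironmentVariable("AZDO_ORG")
                      ?? throw new InvalidOperationException("AZDO_ORG not set");
        string pat  = Environment.GetEnvironmentVariable("AZDO_ADMIN_PAT")
                      ?? throw new InvalidOperationException("AZDO_ADMIN_PAT not set");
        string user = Environment.GetEnvironmentVariable("BOT_USER_EMAIL")
                      ?? throw new InvalidOperationException("BOT_USER_EMAIL not set");

        using var http = new HttpClient();
        http.DefaultRequestHeaders.Authorization = PatHeader(pat);

        foreach (var name in await ProjectsVisibleToAsync(http, org, user))
            Console.WriteLine(name);
    }
}
```

Team membership is only a proxy for "what the user may see": a user can also hold permissions through security groups that are not teams, so treat this as a coarse filter rather than an authoritative permission check, and keep the admin PAT in server-side secret storage so the bot client never carries it.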