1
votes

I have previously completed the OAuth2 process for resources accessed via Azure AD in another project but cannot work out how to request an authorization code and token for programmatic manipulation of git repositories. The documentation on docs.microsoft.com is unclear as to which endpoints to access. For instance, it is written on pages relating to git repositories that the following URL is for the authentication code:

https://app.vssps.visualstudio.com/oauth2/authorize&response_type=Assertion

but following that link gives me an unsafe request response, and changing that & to a ? gives a 500 internal server error. Similarly, the token endpoint URL doesn't appear to make any sense:

https://app.vssps.visualstudio.com/oauth2/token?client_assertion_type=urn:ietf:params:oauth:client-assertion-type:jwt-bearer&grant_type=urn:ietf:params:oauth:grant-type:jwt-bearer

I'm unsure what fields are referred to there as "client_assertion_type", but presumably grant_type is "code".

The idea here is to be able to use the Azure API to list information about repos, create new ones, modify branch policies, etc.

1
Hi, how are things going now? Is the below explanation useful for you? Do you still have any puzzle about it? Feel free to leave a comment here if you still have any issue. – Merlin Liang - MSFT
Hello, Merlin. The below explanation makes sense, but I'm not sure how to apply that information. As far as I'm aware, there is no client_id, but perhaps I'm wrong about that. The confusion is likely because I have already once completed this authentication process for an application registered in the Azure Portal, whereas this is an attempt to access the DevOps API to make changes to Git repos. I have found another way of authenticating, namely by generating a personal access token from the DevOps browser GUI. Am I right in thinking that my DevOps project is not an application? – Richardweber32
How did you register the application? Did you use the DevOps project URL? The client ID is the one generated after you register the application. You will see it displayed in the page. – Merlin Liang - MSFT
Could you get the client ID and apply the below info successfully now? If yes, you can accept the answer. Feel free to let me know if you are still facing any issue or puzzle :-) – Merlin Liang - MSFT
Oh, got it. If you just want to use the REST API, a PAT is enough for you. Only for org-level APIs would a PAT fail, and OAuth 2.0 is the necessary one. It's a pity that you did not get the application ID. After you register the application, the page will display an application ID to you; this is the value that you should insert as client ID. Hope this would help you if using OAuth 2.0 is necessary for you in the future. – Merlin Liang - MSFT

1 Answer

0
votes

Changing that & to ?

This is expected behavior: response_type is one of the query parameters, and the ? must be specified in the URL to mark the end of the resource path and the start of the query. & is only used to separate these query parameters; it only works when the ? is used in the URL. That's why the server gives you the 500 error: the syntax of your query is not valid.

Here you must follow the URL syntax which is listed in the doc:

https://app.vssps.visualstudio.com/oauth2/authorize
        ?client_id={app ID}
        &response_type=Assertion
        &state={state}
        &scope={scope}
        &redirect_uri={callback URL}

client_assertion_type=urn:ietf:params:oauth:client-assertion-type:jwt-bearer&client_assertion={0}&grant_type=urn:ietf:params:oauth:grant-type:jwt-bearer&assertion={1}&redirect_uri={2}

In this request body, which is for the get-access-token URL, the value of client_assertion_type is fixed to urn:ietf:params:oauth:client-assertion-type:jwt-bearer, and is used to tell the client you want to get a JWT Bearer Token profile for OAuth 2.0 Client Authentication. This is a universal format of OAuth 2.0 Device Code.

The value of client_assertion is the app secret you obtained after you register your application.

Same for grant_type: this is also an OAuth parameter, which indicates that the grant type of the token we would get is the JWT Bearer Token Grant Type defined in the OAuth JWT Bearer Token Profiles.

assertion should be the authorization code you obtained with the WebAuthenticationBroker, and redirect_uri is your return URL.
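As an added example (not code from the answer above or from Microsoft), the following Python builds the authorize URL and the token request body exactly as laid out above, with a proper ? before the query, & only between parameters, percent-encoding of values, and a check of the state parameter on the callback so a forged redirect is rejected. The app ID, app secret, callback URL, scope names and returned code are constructed placeholders, not values from the page.

```python
import secrets
from urllib.parse import urlencode, urlsplit, parse_qs

AUTHORIZE_URL = "https://app.vssps.visualstudio.com/oauth2/authorize"
TOKEN_URL = "https://app.vssps.visualstudio.com/oauth2/token"
# Fixed values taken from the token request body shown in the answer.
CLIENT_ASSERTION_TYPE = "urn:ietf:params:oauth:client-assertion-type:jwt-bearer"
GRANT_TYPE = "urn:ietf:params:oauth:grant-type:jwt-bearer"


def build_authorize_url(app_id, scope, redirect_uri, state=None):
    """Return (url, state). '?' starts the query; urlencode joins the
    parameters with '&' and percent-encodes values (scopes contain spaces)."""
    # Random state: stored by the caller and compared on the callback (anti-CSRF).
    state = state or secrets.token_urlsafe(32)
    params = {
        "client_id": app_id,          # the application ID shown after registration
        "response_type": "Assertion",
        "state": state,
        "scope": scope,
        "redirect_uri": redirect_uri,  # the registered callback URL
    }
    return f"{AUTHORIZE_URL}?{urlencode(params)}", state


def parse_callback(callback_url, expected_state):
    """Extract the authorization code from the redirect back to redirect_uri,
    refusing it unless state matches the value we generated."""
    qs = parse_qs(urlsplit(callback_url).query)
    if qs.get("state", [None])[0] != expected_state:
        raise ValueError("state mismatch: possible CSRF or stale login")
    return qs["code"][0]


def build_token_body(app_secret, code, redirect_uri):
    """Form body for the POST to TOKEN_URL (application/x-www-form-urlencoded):
    client_assertion is the app secret, assertion is the authorization code."""
    return urlencode({
        "client_assertion_type": CLIENT_ASSERTION_TYPE,
        "client_assertion": app_secret,
        "grant_type": GRANT_TYPE,
        "assertion": code,
        "redirect_uri": redirect_uri,
    })


if __name__ == "__main__":
    cb_url = "https://example.com/callback"  # placeholder callback
    url, state = build_authorize_url("APP-ID-PLACEHOLDER", "vso.code vso.code_write", cb_url)
    print(url)
    # Constructed callback as the browser would deliver it after login:
    code = parse_callback(f"{cb_url}?code=CODE-PLACEHOLDER&state={state}", state)
    print(build_token_body("APP-SECRET-PLACEHOLDER", code, cb_url))
```

The token body goes in the POST body, not the URL, so the app secret never lands in server or proxy access logs.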