1
votes

I am able to call this endpoint https://dev.azure.com/${MY_ORG}/${MY_PROJECT}/_apis/build/builds/${BUILD_ID} just fine using a Personal Access Token to authenticate while testing the application.

But for the real application I needed to use a Service Principal. I created the Service Principal, created the service connection in my Azure DevOps project, and gave the Service Principal permission for the Azure DevOps API. I am able to obtain the access token using this endpoint:

curl -d "grant_type=client_credentials&client_secret=<client_secret>&client_id=<client_id>" \
     -X POST https://login.microsoftonline.com/<tenant_id>/oauth2/token

But when I use that access token to make the call to the DevOps API:

curl -H "Authorization: Bearer ${TOKEN}" https://dev.azure.com/${MY_ORG}/${MY_PROJECT}/_apis/build/builds/${BUILD_ID}

I get this HTML response instead:

<html><head><title>Object moved</title></head><body>
<h2>Object moved to <a href="https://spsprodcus3.vssps.visualstudio.com/_signin?realm=dev.azure.com&amp;...>here</a>.</h2>
</body></html>

How is the access token supposed to be used?

1
My understanding is that the Azure DevOps REST APIs currently do not provide AAD service principal authentication. Which type of service connection did you use? As Martyn is already pointing out, the only way I see for now is through the delegated user scope. You will need to grant an AAD user access to Azure DevOps and then you can acquire a token for it. See github.com/microsoft/azure-devops-auth-samples/tree/master/…
Carl in 't Veld

1 Answer

1
votes

The problem you have is that the access token you are passing does not have access to that resource. This will be down to one of the following things:

  • Your token is not valid for the Azure DevOps scope.
  • Your application in Azure AD does not have permissions to the API.

To validate your application in Azure AD:

  1. Sign in to the Azure Portal.
  2. On the top bar, click on your account and under the Directory list, choose the Active Directory tenant where you wish to register your application.
  3. On the left hand navigation menu, select Azure Active Directory.
  4. Click on App registrations and select New application registration from the top bar.
  5. Enter a name for your application, e.g. "Adal native app sample", choose Native for application type, and enter http://adalsample for the Redirect URI. Finally click Create at the bottom of the screen.
  6. Save the Application ID from your new application registration. You will need it later in this sample.
  7. Grant permissions for Azure DevOps. Click Required permissions -> add -> 1 Select an API -> type in and select Azure DevOps (Microsoft Visual Studio Team Services) -> check the box for Delegated Permissions -> click Select -> click Done -> click Grant Permissions -> click Yes.

You'll also need your token from this endpoint as per the documentation:

https://app.vssps.visualstudio.com/oauth2/authorize
        ?client_id={app ID}
        &response_type=Assertion
        &state={state}
        &scope={scope}
        &redirect_uri={callback URL}
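As an added example (not code from the question, the answer, or any Microsoft sample), here is a small Python diagnostic for the two causes the answer lists. It decodes the bearer token locally to look at its `aud` claim, classifies the "Object moved ... /_signin" redirect the question shows as "token not accepted", and builds the v1 client_credentials request with an explicit `resource` parameter. Assumptions that are not stated on the page: the Azure DevOps audience values in `AZURE_DEVOPS_AUDIENCES` (the well-known Azure DevOps application ID and its resource URI), and that naming that resource in the v1 request is what yields a token Azure DevOps accepts. The token in the `__main__` block is constructed and unsigned; it exists only so the script runs offline.

```python
"""Diagnose why an AAD access token is bounced by dev.azure.com (added example)."""
import base64
import json
from typing import Optional, Tuple
from urllib.parse import urlencode, urlparse

# Audience values that identify Azure DevOps as the token's resource.
# Assumption of this example (not listed on the page): the GUID is the
# well-known Azure DevOps application ID, the URL is the same resource as a URI.
AZURE_DEVOPS_AUDIENCES = {
    "499b84ac-1321-427f-aa17-267ca6975798",
    "https://app.vssps.visualstudio.com/",
}


def _b64url_decode(segment: str) -> bytes:
    """Decode a base64url segment, restoring the '=' padding JWTs strip."""
    return base64.urlsafe_b64decode(segment + "=" * (-len(segment) % 4))


def _b64url_encode(raw: bytes) -> str:
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode("ascii")


def decode_jwt_claims(token: str) -> dict:
    """Return the payload of a compact JWT WITHOUT verifying its signature.

    This inspects a token we just obtained for ourselves. It must never be
    used to decide whether to trust a token presented by someone else.
    """
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("expected header.payload.signature")
    return json.loads(_b64url_decode(parts[1]))


def diagnose_token(token: str) -> str:
    """Explain whether Azure DevOps would accept this token as a bearer token."""
    aud = decode_jwt_claims(token).get("aud")
    if aud is None:
        return "no aud claim"
    if aud not in AZURE_DEVOPS_AUDIENCES:
        return f"wrong audience: {aud}"
    return "ok"


def classify_response(status: int, location: Optional[str]) -> str:
    """Interpret the HTTP result of the _apis call made with the bearer token.

    The question's "Object moved" page is a 302 to a .../_signin URL: the API
    treated the request as unauthenticated rather than returning 401.
    """
    if status == 302 and location and urlparse(location).path.endswith("/_signin"):
        return "redirected to sign-in: token not accepted"
    if status in (401, 403):
        return "rejected"
    if 200 <= status < 300:
        return "accepted"
    return f"unexpected status {status}"


def v1_token_request(tenant_id: str, client_id: str, client_secret: str) -> Tuple[str, str]:
    """URL and form body for the v1 client_credentials grant.

    Differs from the question's curl command only by naming the Azure DevOps
    resource explicitly (assumption: this selects the token's audience).
    """
    url = f"https://login.microsoftonline.com/{tenant_id}/oauth2/token"
    body = urlencode({
        "grant_type": "client_credentials",
        "client_id": client_id,
        "client_secret": client_secret,
        "resource": "499b84ac-1321-427f-aa17-267ca6975798",
    })
    return url, body


def make_sample_token(claims: dict) -> str:
    """Build a constructed, unsigned JWT for offline testing only."""
    header = _b64url_encode(json.dumps({"alg": "none", "typ": "JWT"}).encode())
    payload = _b64url_encode(json.dumps(claims).encode())
    return f"{header}.{payload}.c2ln"  # "c2ln" is a dummy signature segment


if __name__ == "__main__":
    # Constructed tokens: one minted for another resource, one for Azure DevOps.
    graph_token = make_sample_token({"aud": "https://graph.microsoft.com", "appid": "x"})
    devops_token = make_sample_token({"aud": "499b84ac-1321-427f-aa17-267ca6975798"})
    print(diagnose_token(graph_token))
    print(diagnose_token(devops_token))
    print(classify_response(302, "https://spsprodcus3.vssps.visualstudio.com/_signin?realm=dev.azure.com"))
    print(v1_token_request("<tenant_id>", "<client_id>", "<client_secret>")[1])
```

Run `diagnose_token` on the string the token endpoint returns before putting it in an Authorization header: if `aud` is not an Azure DevOps value, the call will be redirected to `_signin` no matter what permissions the app registration has, which is the first bullet in the answer; only once the audience is right is the second bullet (API permissions on the app registration) worth chasing.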