Richardweber32

Reputation: 168

OAuth2 authentication for use with DevOps REST services API

I have previously completed the OAuth2 process for resources accessed via Azure AD in another project but cannot work out how to request an authorization code and token for programmatic manipulation of git repositories. The documentation on learn.microsoft.com is unclear as to which endpoints to access. For instance, it is written on pages relating to git repositories that the following URL is for the authentication code:

https://app.vssps.visualstudio.com/oauth2/authorize&response_type=Assertion

but following that link gives me an unsafe request response, and changing that & to a ? gives a 500 internal server error. Similarly, the token endpoint URL doesn't appear to make any sense:

https://app.vssps.visualstudio.com/oauth2/token?client_assertion_type=urn:ietf:params:oauth:client-assertion-type:jwt-bearer&grant_type=urn:ietf:params:oauth:grant-type:jwt-bearer

I'm unsure what fields are referred to there as "client_assertion_type", but presumably grant_type is "code".

The idea here is to be able to use the Azure API to list information about repos, create new ones, modify branch policies, etc.

Upvotes: 1

Views: 949

Answers (1)

Mengdi Liang

Reputation: 19026

Changing that & to ?

This is expected behavior: response_type is one of the query parameters, and a ? must be specified in the URL to mark the end of the resource path and the start of the query. & is just used to separate the query parameters, so it can only work when the ? is used in the URL. That's why the server gives you the 500 error: the syntax of your query is not valid.

Here you must follow the URL syntax which is listed in the doc:

https://app.vssps.visualstudio.com/oauth2/authorize
        ?client_id={app ID}
        &response_type=Assertion
        &state={state}
        &scope={scope}
        &redirect_uri={callback URL}

client_assertion_type=urn:ietf:params:oauth:client-assertion-type:jwt-bearer&client_assertion={0}&grant_type=urn:ietf:params:oauth:grant-type:jwt-bearer&assertion={1}&redirect_uri={2}

In this request body, which is for the get-access-token URL, the value of client_assertion_type is fixed to urn:ietf:params:oauth:client-assertion-type:jwt-bearer, and is used to tell the client that you want to get a JWT Bearer Token profile for OAuth 2.0 Client Authentication. This is a universal format of OAuth 2.0 Device Code.

The value of client_assertion is the app secret you obtained after you register your application.

Same for grant_type: this is also an OAuth parameter, which indicates that the grant type of the token we would get is the JWT Bearer Token Grant Type, which is defined in the OAuth JWT Bearer Token Profiles.

assertion should be the authorization code you obtained with the WebAuthenticationBroker, and redirect_uri is the one for your return URL.

Upvotes: 0
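A worked example of the two requests described in the answer, added here and not taken from the question, the answer or Microsoft's documentation. It builds the authorize URL with a proper ? before the first parameter and & between the rest, shows why the URL from the question (with & in place of ?) carries no query at all, and assembles the token-request body exactly as the doc template in the answer lists it. The app ID, app secret, redirect URI, scope name (vso.code is assumed here) and authorization code are placeholders; the state parameter is generated randomly so the callback can be checked against it before the code is exchanged.

```python
import secrets
from urllib.parse import urlencode, urlsplit, parse_qs

# Endpoints quoted on the page (Azure DevOps OAuth 2.0).
AUTHORIZE_URL = "https://app.vssps.visualstudio.com/oauth2/authorize"
TOKEN_URL = "https://app.vssps.visualstudio.com/oauth2/token"

# Fixed values from the token-request template in the answer.
CLIENT_ASSERTION_TYPE = "urn:ietf:params:oauth:client-assertion-type:jwt-bearer"
GRANT_TYPE = "urn:ietf:params:oauth:grant-type:jwt-bearer"


def new_state():
    """Unguessable per-request state; verified on the callback before the code is used."""
    return secrets.token_urlsafe(32)


def build_authorize_url(app_id, scope, redirect_uri, state):
    """Authorization request: '?' starts the query, '&' separates parameters.

    urlencode percent-encodes the values, so a redirect_uri containing ':' and '/'
    survives the round trip intact.
    """
    params = {
        "client_id": app_id,
        "response_type": "Assertion",
        "state": state,
        "scope": scope,
        "redirect_uri": redirect_uri,
    }
    return f"{AUTHORIZE_URL}?{urlencode(params)}"


def query_params(url):
    """Return the query parameters a server would actually see for this URL."""
    return parse_qs(urlsplit(url).query)


def callback_is_valid(callback_url, expected_state):
    """Accept the callback only if it carries a code and the state we issued."""
    q = query_params(callback_url)
    return "code" in q and q.get("state") == [expected_state]


def build_token_body(app_secret, authorization_code, redirect_uri):
    """Form body (application/x-www-form-urlencoded) for a POST to TOKEN_URL.

    Field order follows the template in the answer: client_assertion is the app
    secret, assertion is the authorization code from the callback.
    """
    fields = [
        ("client_assertion_type", CLIENT_ASSERTION_TYPE),
        ("client_assertion", app_secret),
        ("grant_type", GRANT_TYPE),
        ("assertion", authorization_code),
        ("redirect_uri", redirect_uri),
    ]
    return urlencode(fields)


if __name__ == "__main__":
    # Placeholder values; a real app reads the secret from configuration, not source.
    app_id = "APP-ID-PLACEHOLDER"
    app_secret = "APP-SECRET-PLACEHOLDER"
    redirect_uri = "https://example.com/callback"
    state = new_state()

    print("Authorize URL:", build_authorize_url(app_id, "vso.code", redirect_uri, state))

    # The URL from the question: '&' without a preceding '?' leaves the query empty.
    broken = AUTHORIZE_URL + "&response_type=Assertion"
    print("Query seen by server for the broken URL:", query_params(broken))

    # Constructed callback, as the browser would be redirected after consent.
    callback = f"{redirect_uri}?code=CODE-PLACEHOLDER&state={state}"
    if callback_is_valid(callback, state):
        code = query_params(callback)["code"][0]
        print("POST", TOKEN_URL)
        print("Body:", build_token_body(app_secret, code, redirect_uri))
```

The body string is what goes in the POST to the token endpoint with a Content-Type of application/x-www-form-urlencoded; the ?client_assertion_type=... form in the question puts those same fields in the URL, which is not where the template in the answer places them.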
