
With a CMS system where the content is stored in JSON files we want to use a repo to track and approve changes. When an editor makes a change we would like the server to be able to commit and push the changes to the repo, and then create a pull request. We want to be able to do this with a service account, not the editor's account.

I thought I'd be able to create an Azure AAD app registration so I could create an OAuth2 bearer token to use with my API request, but I don't see how to give that account access to the repo. The portal has an API permissions item where I can give my app permissions to Azure DevOps, but it is only user impersonation/delegated permissions; the option to provide permissions to the application itself is disabled.

Is it possible to do what we are trying to do?

UPDATED: Things I've tried

1) I created an AAD App and created a secret for that app so I could use the appId and secret to get a bearer token. I then tried to add API permissions to DevOps for my app, but it only allows me to create delegated permissions as application permissions is disabled. I feel if I could give the necessary permissions to this app I'd have the problem solved.

2) I've attempted to find a way in DevOps and Repos to allow my AAD app access, but the app does not appear anywhere I've looked. All I see is users and groups and my app does not appear in either of those lists.

3) I've registered an app at https://app.vsaex.visualstudio.com/app/register and have an appId and secret. I'm skeptical about this because it required a callback URL and I'm trying to use client_credentials. When I attempt to obtain a token with this appId and secret by calling https://app.vssps.visualstudio.com/oauth2/token, the service returns a 400 error. My POST to request a bearer token included the payload client_id={the clientId}&client_secret={the secret}&grant_type=client_credentials and a content type of application/x-www-form-urlencoded. The same code succeeds when I set the URL to https://login.microsoftonline.com and use the AAD appId and secret, but that identity does not have access to DevOps for the reasons discussed above.

4) I've reviewed the samples at https://github.com/microsoft/azure-devops-auth-samples but most of those are interactive and won't meet the requirements.

1 Answer


If you do not want to use the editor's account, you can just create a Personal Access Token and select the full Code scope for this token. Then you can use this Personal Access Token to make API requests to the Azure DevOps server. You can check the detailed steps here to create a Personal Access Token.


Below is a PowerShell script example to call the Azure DevOps API. Here it is in C# using the HttpClient class.

```powershell
# Replace {org}/{proj} and the trailing path with the REST endpoint you need
$url = "https://dev.azure.com/{org}/{proj}/_apis/...."

# The PAT is sent as the password of HTTP Basic auth with an empty user name,
# i.e. base64(":" + PAT)
$connectionToken = "Personal Access Token"
$base64AuthInfo = [System.Convert]::ToBase64String([System.Text.Encoding]::ASCII.GetBytes(":$($connectionToken)"))

$result = Invoke-RestMethod -Uri $url -Headers @{authorization = ("Basic {0}" -f $base64AuthInfo)} -Method get
```

You can also try creating a dummy user and adding it to your organization; thus you can use this dummy user account to perform the above actions.

If you want to authorize access to REST APIs with OAuth 2.0, you have to follow the authorization flow, using a callback URL to get the authorization code.

The client_credentials authorization flow is for Azure and is not available for Azure DevOps.

Levi Lu-MSFT
  • I was trying to avoid using a PAT because I thought it had to be tied to a user account. After some discussion we feel we should be able to create a service account which can be used to generate a PAT. We're working that angle now. Thanks. – Tim Heikell Dec 26 '19 at 21:21
  • @TimHeikell Any updates on your approach with using a service account for pushing changes to the Git repository? We are also discussing possible solutions to handle machine-to-machine communication with Azure DevOps without being tied to a "real" user! – Mike1991 Mar 10 '20 at 17:42
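The PAT-as-Basic-auth pattern from the answer above, carried through to the pull-request call the question asks about, as an added Python example (not code from the question or the answer). The pullrequests endpoint is the Azure DevOps Git REST API endpoint, which the page itself does not show; the organization, project, repository and branch names are made up, and the AZDO_PAT environment variable name is an assumption.

```python
import base64
import json
import os
import urllib.request

# Azure DevOps accepts a PAT as the password of HTTP Basic auth with an empty
# user name, i.e. base64(":" + PAT). The PAT belongs to the service account and
# is read from the environment (assumed variable name), never hard-coded.

def pat_auth_header(pat: str) -> str:
    """Return the Authorization header value for the Azure DevOps REST API."""
    if not pat or any(c.isspace() for c in pat):
        raise ValueError("PAT must be a non-empty token without whitespace")
    token = base64.b64encode(f":{pat}".encode("ascii")).decode("ascii")
    return f"Basic {token}"


def build_pull_request_request(org, project, repo_id, source_branch,
                               target_branch, title, pat, api_version="6.0"):
    """Build (without sending) the POST that opens a pull request from
    source_branch into target_branch via
    .../_apis/git/repositories/{repo}/pullrequests."""
    url = (f"https://dev.azure.com/{org}/{project}/_apis/git/repositories/"
           f"{repo_id}/pullrequests?api-version={api_version}")
    body = {
        "sourceRefName": f"refs/heads/{source_branch}",
        "targetRefName": f"refs/heads/{target_branch}",
        "title": title,
    }
    return urllib.request.Request(
        url,
        data=json.dumps(body).encode("utf-8"),
        method="POST",
        headers={
            "Authorization": pat_auth_header(pat),
            "Content-Type": "application/json",
        },
    )


def send(req):
    """Send the request and return the decoded JSON response."""
    with urllib.request.urlopen(req, timeout=30) as resp:
        return json.load(resp)


if __name__ == "__main__":
    pat = os.environ["AZDO_PAT"]  # assumed environment variable name
    req = build_pull_request_request("contoso", "cms", "content",
                                     "cms/edit-123", "main",
                                     "CMS: editor change", pat)
    print(send(req)["pullRequestId"])
```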