I am writing an angular.io app that will call REST APIs in Azure DevOps. I'm using the MSAL library and it is almost working. I successfully authenticate and call the Azure DevOps API, and I see that the MSAL HTTP interceptor added a Bearer token to the request (via Chrome developer tools).

https://dev.azure.com/my org/my project/my team/_apis/wit/wiql/my query id?api-version=5.1

Azure responds to this request with a 302 to redirect me to https://spsprodcus1.vssps.visualstudio.com/_signin. I can see that the Bearer token is sent with this request as well. That address gives me a 203 with the message:

Microsoft Internet Explorer's Enhanced Security Configuration is currently enabled on your environment. This enhanced level of security prevents our web integration experiences from displaying or performing correctly. To continue with your operation please disable this configuration or contact your administrator.

It seems like maybe my app doesn't have permission to do things in DevOps. In the app I registered for this and pointed MSAL to, in "API Permissions" I gave access to "Azure DevOps (1)".

Any thoughts on what I can do about this?

--Edit

Below is what my token decodes to (with some redactions). I'm not doing anything with it; MSAL seems to take it from the Location header in the response to my authorize request and put it in the Authorization header of my RESTful call (with the prefix "Bearer ").

```json
{
  "typ": "JWT",
  "alg": "RS256",
  "x5t": "encoded Stuff",
  "kid": "encoded Stuff"
}
{
  "aud": "api://44df9afb-cf92-4965-9378-05317e85ab96",
  "iss": "https://sts.windows.net/GUID/",
  "iat": 1585087477,
  "nbf": 1585087477,
  "exp": 1585091377,
  "acr": "1",
  "aio": "encoded Stuff",
  "amr": [
    "wia"
  ],
  "appid": "id of the app I registered",
  "appidacr": "0",
  "family_name": "Rispoli",
  "given_name": "Thomas",
  "in_corp": "true",
  "ipaddr": "ip address",
  "name": "Rispoli, Thomas",
  "oid": "encoded Stuff",
  "onprem_sid": "encoded Stuff",
  "scp": "user_impersonation",
  "sub": "encoded Stuff",
  "tid": "encoded Stuff",
  "unique_name": "thomas.rispoli@cgi.com",
  "upn": "thomas.rispoli@cgi.com",
  "uti": "encoded Stuff",
  "ver": "1.0"
}
```

Then some binary data that I assume is a nonce.

  • Have you checked this answer? https://stackoverflow.com/questions/33498440/why-i-get-internet-explorer-enhanced-security-error-message-in-chrome-if-i-call – Sebastian Segerer Mar 21 '20 at 22:27
  • Thanks for the answer Sebastian, I did look that article over. In my case I'm using MSAL (Microsoft library for authenticating to Azure and handling tokens) so most of this is handled for me through that library. I think it is working reasonably well as it is attaching the token to my requests. So I don't have much control over how the token is made and attached unless I don't use that part of the library, but I'm hoping the issue is either that I'm using the library incorrectly, or I have something configured incorrectly on the Azure side to allow access. – Tom Rispoli Mar 22 '20 at 13:41
  • You can try to add related sites to trusted sites. For details, please refer to [this](https://stackoverflow.com/questions/39644364/enhanced-security-error-while-visual-studio-team-services-rest-api). In addition, 203 errors are usually caused by incorrect PAT format. – Hugh Lin Mar 23 '20 at 09:10
  • Thanks for your comment Hugh, I checked the trusted sites article and set up the Microsoft sites as trusted but that didn't fix it. I posted the token I am passing to DevOps, it appears to be formatted correctly to me, but I don't know the specifics of what needs to be in it. – Tom Rispoli Mar 25 '20 at 13:07
  • Have you found a solution to your problem yet? I'm currently experiencing the issue in my project and I'm out of ideas on how to solve it. – yannh Jul 06 '21 at 15:01
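
A client-side check of the claims a resource API evaluates (`aud`, `scp`, `nbf`, `exp`) in a token like the one decoded in the question, added here as an example and not part of the original thread. The sample token, both audience values and all function names are constructed for illustration; the check only reads claims and does not verify the signature.

```javascript
// Added example: inspect the claims of a bearer token before it is sent.
// The token built at the bottom is constructed; its signature is a dummy.

// Decode one base64url JWT segment into a JavaScript object.
function decodeSegment(segment) {
  const b64 = segment.replace(/-/g, "+").replace(/_/g, "/");
  const padded = b64 + "=".repeat((4 - (b64.length % 4)) % 4);
  const bytes = Uint8Array.from(atob(padded), (c) => c.charCodeAt(0));
  return JSON.parse(new TextDecoder().decode(bytes));
}

// Split a compact JWS (header.payload.signature) without verifying it.
function decodeJwt(token) {
  const parts = token.split(".");
  if (parts.length !== 3) throw new Error("expected three dot-separated segments");
  return { header: decodeSegment(parts[0]), payload: decodeSegment(parts[1]), signature: parts[2] };
}

// List reasons a resource API might refuse this token.
// expectedAudience and requiredScope are caller-supplied assumptions.
function checkToken(token, expectedAudience, requiredScope, nowSeconds) {
  const { payload } = decodeJwt(token);
  const findings = [];
  const audiences = Array.isArray(payload.aud) ? payload.aud : [payload.aud];
  if (!audiences.includes(expectedAudience)) findings.push(`aud is ${payload.aud}, expected ${expectedAudience}`);
  const scopes = typeof payload.scp === "string" ? payload.scp.split(" ") : [];
  if (!scopes.includes(requiredScope)) findings.push(`scp lacks ${requiredScope}`);
  if (typeof payload.nbf === "number" && nowSeconds < payload.nbf) findings.push("token not yet valid (nbf)");
  if (typeof payload.exp !== "number" || nowSeconds >= payload.exp) findings.push("token expired or exp missing");
  return findings;
}

// Build the constructed sample token (unsigned, demonstration only).
function encodeSegment(obj) {
  const bytes = new TextEncoder().encode(JSON.stringify(obj));
  return btoa(String.fromCharCode(...bytes)).replace(/\+/g, "-").replace(/\//g, "_").replace(/=+$/, "");
}
const sampleToken = [
  encodeSegment({ typ: "JWT", alg: "RS256" }),
  encodeSegment({ aud: "api://client-app.example", scp: "user_impersonation", nbf: 1585087477, exp: 1585091377 }),
  "c2lnbmF0dXJl", // placeholder, not a real signature
].join(".");

console.log(checkToken(sampleToken, "https://resource.example", "user_impersonation", 1585090000));
```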
