If we have an API that accepts a PAT for auth, and we pass System.AccessToken in the Authorization header from an Azure DevOps release task when calling this API, what is the suggested way to validate this token on the API side?

MAK

1 Answer

System.AccessToken is a secret. If you want to access a secret variable, you could print it to a file. Check the example below:

steps:
- powershell: |
   $env:var1 | Out-File C:\Users\xxx\Desktop\Newfolder\debug.txt
  displayName: 'PowerShell Script'
  env:
    # a secret variable is only visible to the script when mapped explicitly
    var1: $(System.AccessToken)

But System.AccessToken is a PAT token generated for the service identity “Project Collection Build Service (account)”, so it should be valid. Generally, there is no need to verify the value of System.AccessToken.

If you want to print the value of System.AccessToken to a file, you need to check `Allow scripts to access the OAuth token` in the agent job.

Cece Dong - MSFT
  • Thanks. My question: when my API is called with a PAT, how do I ensure it's actually System.AccessToken (i.e. the PAT for Project Collection Build Service) and not something else? – MAK Oct 26 '20 at 06:58
  • When you select the `Allow scripts to access the OAuth token` check box, you have enabled your script to use the build pipeline OAuth token. What you need to do is select the `Allow scripts to access the OAuth token` check box. – Cece Dong - MSFT Oct 26 '20 at 07:30
  • I think you are not understanding my question clearly. I understand the point about selecting that option in the agent job. From the API point of view, it accepts any PAT token, but if it is anything other than System.AccessToken it should fail. I'm asking how to validate, on the server side, whether the token received in the header is actually a valid System.AccessToken. – MAK Oct 27 '20 at 05:41
  • Do you mean you want to compare the PAT in your API with `System.AccessToken`? Could you just use `System.AccessToken` in your API? `System.AccessToken` is a PAT token generated for the service identity “Project Collection Build Service (account)”. It is not possible to change this service identity's PAT to any other user identity's PAT. – Cece Dong - MSFT Oct 27 '20 at 10:07
  • What I need is: when my API is called with a token, I want to ensure it is a PAT token generated for the Project Collection Build Service account. For any other PAT, the API should immediately return an error. My question: how can I check if the PAT is generated for that build identity account? – MAK Oct 28 '20 at 17:39
  • We are not able to check which account a PAT was generated for; if the PAT has the appropriate scope, the API will work. If you only want to use an OAuth token, you can just use `System.AccessToken` in your API. `System.AccessToken` can only be an OAuth token; it won't be any other PAT. – Cece Dong - MSFT Oct 29 '20 at 09:08
  • Sorry, I still didn't understand the second part: "If you only want to use an OAuth token, you can just use System.AccessToken in your API. System.AccessToken can only be an OAuth token; it won't be any other PAT." My question is: what's the right way to validate this OAuth token on the API side when the API is called with that token? – MAK Oct 30 '20 at 20:26
  • Also, I thought System.AccessToken is a PAT for the Project Collection Build Service identity? Is that not the case? What's the difference between that and an OAuth token in this case? – MAK Oct 30 '20 at 20:27
  • `System.AccessToken` is an OAuth token, which is generated automatically for the service identity “Project Collection Build Service (account)” when you enable `Allow scripts to access the OAuth token`. This token expires 48h after it is generated; you don't need to verify the value of `System.AccessToken`. – Cece Dong - MSFT Nov 02 '20 at 04:14
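A server-side check of the kind the question asks for, added here as an example; it is not code from the question, the answer, or Microsoft. The API cannot tell from the token string alone which account it belongs to, so the check does what the comments above imply: it parses the Authorization header (System.AccessToken arrives as a Bearer OAuth token, a PAT as Basic auth), asks Azure DevOps who the token authenticates as through the `_apis/connectionData` endpoint (a real endpoint whose response carries `authenticatedUser`), and accepts the call only when that identity is the configured "Project Collection Build Service (account)" identity. Because Azure DevOps is the oracle, an expired token (the 48h lifetime mentioned above) or a revoked PAT simply comes back as a non-200 status. The organisation URL, the allowed identity id, the token strings and the offline `fake_introspect` are constructed placeholders; only `introspect_with_azure_devops` talks to the real service.

```python
import base64
import json
import urllib.error
import urllib.request
from dataclasses import dataclass
from typing import Callable, Dict, Optional, Tuple

# Assumed placeholders: the organisation URL and the id of the
# "Project Collection Build Service (account)" identity the API accepts.
# The id is the authenticatedUser.id value that connectionData reports.
ORG_URL = "https://dev.azure.com/example-org"
ALLOWED_IDENTITY_IDS = frozenset({"11111111-2222-3333-4444-555555555555"})

# An introspector takes the raw Authorization header and returns
# (http_status, json_body) from GET {ORG_URL}/_apis/connectionData.
Introspector = Callable[[str], Tuple[int, Dict]]


@dataclass
class TokenCheck:
    ok: bool
    reason: str
    identity_id: Optional[str] = None


def basic_header_for_pat(pat: str, user: str = "") -> str:
    """Wire format a client uses for a PAT: Basic base64("<user>:<pat>")."""
    return "Basic " + base64.b64encode(f"{user}:{pat}".encode()).decode("ascii")


def parse_authorization(header: Optional[str]) -> Optional[Tuple[str, str]]:
    """("bearer", token) for an OAuth token such as System.AccessToken,
    ("basic", pat) for a PAT, None when the header is missing or malformed."""
    if not header:
        return None
    scheme, _, value = header.strip().partition(" ")
    scheme, value = scheme.lower(), value.strip()
    if scheme == "bearer":
        return ("bearer", value) if value else None
    if scheme == "basic":
        try:
            decoded = base64.b64decode(value, validate=True).decode("utf-8")
        except (ValueError, UnicodeDecodeError):  # binascii.Error is a ValueError
            return None
        _user, sep, pat = decoded.partition(":")
        return ("basic", pat) if sep and pat else None
    return None


def introspect_with_azure_devops(authorization_header: str) -> Tuple[int, Dict]:
    """Live introspector: ask Azure DevOps whom the token authenticates as.
    A non-200 answer covers invalid, expired (System.AccessToken lives 48h)
    and insufficiently scoped tokens alike."""
    req = urllib.request.Request(
        f"{ORG_URL}/_apis/connectionData",
        headers={"Authorization": authorization_header, "Accept": "application/json"},
    )
    try:
        with urllib.request.urlopen(req, timeout=10) as resp:
            return resp.status, json.load(resp)
    except urllib.error.HTTPError as err:
        return err.code, {}


def validate_pipeline_token(header: Optional[str], introspect: Introspector,
                            allowed_ids=ALLOWED_IDENTITY_IDS) -> TokenCheck:
    """Accept only a token that parses, that Azure DevOps accepts, and that
    authenticates as one of the allowed identities (compared by id, not name)."""
    if parse_authorization(header) is None:
        return TokenCheck(False, "missing or malformed Authorization header")
    status, body = introspect(header.strip())
    if status != 200:
        return TokenCheck(False, f"Azure DevOps rejected the token (HTTP {status})")
    identity_id = (body.get("authenticatedUser") or {}).get("id")
    if identity_id not in allowed_ids:
        return TokenCheck(False, "token authenticates as a different identity", identity_id)
    return TokenCheck(True, "valid token for the build service identity", identity_id)


# Constructed sample data so the check can be exercised offline.
FAKE_BUILD_TOKEN = "Bearer constructed.build.token"  # stands in for System.AccessToken
FAKE_USER_PAT = basic_header_for_pat("constructed-user-pat")


def fake_introspect(authorization_header: str) -> Tuple[int, Dict]:
    """Offline stand-in for connectionData: one build-service token, one user PAT."""
    if authorization_header == FAKE_BUILD_TOKEN:
        return 200, {"authenticatedUser": {"id": "11111111-2222-3333-4444-555555555555",
                                           "providerDisplayName": "Project Collection Build Service (example-org)"}}
    if authorization_header == FAKE_USER_PAT:
        return 200, {"authenticatedUser": {"id": "99999999-0000-0000-0000-000000000000",
                                           "providerDisplayName": "Some User"}}
    return 401, {}


if __name__ == "__main__":
    for hdr in (FAKE_BUILD_TOKEN, FAKE_USER_PAT, "Bearer expired-or-garbage", None):
        print(repr(hdr), "->", validate_pipeline_token(hdr, fake_introspect))
```

The comparison is on the identity id rather than the display name, because the id is what connectionData returns stably and the name is a presentation string. Note that this check only answers "is the caller the build service identity of this collection"; every pipeline in the collection runs as that same identity, so any further restriction (which pipeline, which project) has to come from the API's own authorization logic, not from the token.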