
I am trying to create a PAT using the new capabilities in the TokensHttpClient. However, I keep getting an authorisation exception. I am using my Microsoft account, which is an organization administrator.

        VssCredentials creds = new VssClientCredentials();
        creds.Storage = new VssClientCredentialStorage();

        // Connect to Azure DevOps Services
        VssConnection connection = new VssConnection(_uri, creds);
        connection.ConnectAsync().SyncResult();
        var t = connection.GetClient<TokenAdminHttpClient>();

        // next line works as expected
        var tokens = t.ListPersonalAccessTokensAsync(connection.AuthorizedIdentity.SubjectDescriptor).Result;

        var tokenAdmin = connection.GetClient<TokensHttpClient>();
        PatTokenCreateRequest createRequest = new PatTokenCreateRequest();
        createRequest.DisplayName = "Niks_Api_Token";
        createRequest.Scope = "vso.work_full";
        createRequest.ValidTo = DateTime.Now.AddYears(1);
        // this is where the authorization exception occurs
        var result = tokenAdmin.CreatePatAsync(createRequest).Result;

Nikhil
  • It seems you are using a DevOps application to access and create PATs. Please try to use an AAD application to create PATs; you could refer to this [doc](https://learn.microsoft.com/en-us/azure/devops/organizations/accounts/manage-personal-access-tokens-via-api?toc=%2Fazure%2Fdevops%2Forganizations%2Ftoc.json&bc=%2Fazure%2Fdevops%2Forganizations%2Fbreadcrumb%2Ftoc.json&view=azure-devops), but it uses Python. – unknown Sep 23 '21 at 13:54

1 Answer

To manage personal access tokens with APIs, you must authenticate with an Azure AD token. Azure AD tokens are a safer authentication mechanism than using PATs. Given this API’s ability to create and revoke PATs, we want to ensure that such powerful functionality is given to allowed users only.

Please check the Prerequisites here.


  1. Make sure your org has been connected to AAD, see here.

  2. Please register an application in Azure AD and make sure a client secret has been created. You can refer to this doc. Then add the Azure DevOps permission to the application.

  3. Sample code to get an Azure AD access token:

     using Microsoft.Identity.Client;
     using System.Threading.Tasks;

     // Acquire an Azure AD access token for the Azure DevOps resource using the
     // client credentials flow. Pass in the values from your app registration.
     public static async Task<string> GetAccessTokenAsyncByClientCredential(
         string clientId, string tenantId, string clientSecret)
     {
         IConfidentialClientApplication cca = ConfidentialClientApplicationBuilder.Create(clientId)
            .WithTenantId(tenantId)
            .WithClientSecret(clientSecret)
            .Build();

         // 499b84ac-1321-427f-aa17-267ca6975798 is the Azure DevOps resource ID;
         // "/.default" requests the permissions already granted to the app registration.
         string[] scopes = new string[] { "499b84ac-1321-427f-aa17-267ca6975798/.default" };

         var result = await cca.AcquireTokenForClient(scopes).ExecuteAsync();

         return result.AccessToken;
     }

unknown
  • Thank you. Would you be able to share the code for ConfidentialClientApplicationBuilder? – Nikhil Sep 24 '21 at 16:03
  • It's a defined class: https://learn.microsoft.com/en-us/dotnet/api/microsoft.identity.client.confidentialclientapplicationbuilder?view=azure-dotnet – unknown Sep 27 '21 at 06:22
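As an added example (not code from the question, the answer, or Microsoft's SDK): once an Azure AD access token for the Azure DevOps resource is in hand, the PAT Lifecycle Management REST API that the linked doc describes can be called directly instead of going through TokensHttpClient. The endpoint, request body and response fields below are assumed from that doc, and `PatLifecycleClient` is a hypothetical helper name.

```csharp
using System;
using System.Net.Http;
using System.Net.Http.Headers;
using System.Text;
using System.Text.Json;
using System.Threading.Tasks;

// Hypothetical helper: creates a PAT via the PAT Lifecycle Management REST API
// using an Azure AD bearer token obtained for the Azure DevOps resource.
public static class PatLifecycleClient
{
    // Assumed from the linked doc: POST https://vssps.dev.azure.com/{org}/_apis/tokens/pats
    private const string ApiVersion = "7.1-preview.1";

    public static async Task<string> CreatePatAsync(
        HttpClient http, string organization, string aadAccessToken,
        string displayName, string scope, TimeSpan lifetime)
    {
        // Request only the scope and lifetime you need: a "vso.work_full" PAT valid
        // for a year (as in the question) is a large blast radius if it leaks.
        var body = JsonSerializer.Serialize(new
        {
            displayName,
            scope,                                       // e.g. "vso.work"
            validTo = DateTime.UtcNow.Add(lifetime).ToString("o"),
            allOrgs = false                              // limit to this organization
        });

        using var request = new HttpRequestMessage(HttpMethod.Post,
            $"https://vssps.dev.azure.com/{organization}/_apis/tokens/pats?api-version={ApiVersion}");
        request.Headers.Authorization = new AuthenticationHeaderValue("Bearer", aadAccessToken);
        request.Content = new StringContent(body, Encoding.UTF8, "application/json");

        using var response = await http.SendAsync(request);
        var json = await response.Content.ReadAsStringAsync();
        // 401/403 here usually means the org is not connected to the token's AAD tenant
        // or the token was not issued for the Azure DevOps resource (answer's prerequisites).
        if (!response.IsSuccessStatusCode)
            throw new InvalidOperationException($"PAT API returned {(int)response.StatusCode}: {json}");

        using var doc = JsonDocument.Parse(json);
        // Assumed response shape: a "patToken" object plus a "patTokenError" value ("none" on success).
        if (doc.RootElement.TryGetProperty("patTokenError", out var err)
            && err.ValueKind == JsonValueKind.String && err.GetString() != "none")
            throw new InvalidOperationException($"PAT creation failed: {err.GetString()}");

        // The PAT secret is returned exactly once; hand it to the caller, never log it.
        return doc.RootElement.GetProperty("patToken").GetProperty("token").GetString();
    }
}
```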