I've briefly explored the device profile sample and I see it requires user interaction. How does this app support the headless scenario then if it requires user interaction?

Maybe I'm misunderstanding headless; to me, headless means no UI and I can run the exe/job w/o any user interaction. Maybe I have the wrong interpretation of headless?

I'm trying to setup authentication against Azure DevOps using MSAL. I've followed the ManagedClientConsoleAppSample but I can't get it to work with personal Microsoft accounts. Whenever I try to login with a personal account I get the following error:

This username may be incorrect. Make sure you typed it correctly. Otherwise, contact your admin.

In the sample I have only changed ida:Tenant to "common" and ida:ClientId to my application id. I've setup my App Registration by following the guide in the sample except for the "Supported account types" which I've set to:

All users with a work or school, or personal Microsoft account can use your application or API. This includes Office 365 subscribers.

What am I doing wrong or missing?

Can we have some specific guidance on how to use the client libraries if we already have a PAT token.

I can see VssOAuthToken/Credential but there's no sample code and I don't see how to make a VssConnection if I'm starting with a PAT token.

I'm working on a library project that needs to automate the creation of branches and pull requests so I'm going to be starting with a PAT or OAuth token depending whether I'm invoked from the command line or as a VSTS task

Shouldn't this should be using something like...

var vssConnection = new VssConnection(,,,,);  // any overload that does not assume the user has a PAT already
var projectClient = _vssConnection.CurrentConnection.GetClient<ProjectHttpClient>();
var projects = await projectClient.GetProjects();

?

Following this guide: https://github.com/microsoft/azure-devops-auth-samples/blob/master/OAuthWebSample/README.md
I was able to create an application and authorize it to access ADO on behalf of me with the following scopes: vso.code_manage vso.project
When I generate a bearer token, I can see nameid claim value equal to my userId.

However, when I use the token - I get either 401 through Rest APIs (calling https://dev.azure.com/microsoft/_apis/projects), or using the following code:

string token = "<bearer_token>";
string patToken = "<pat_token>";

VssOAuthAccessTokenCredential credentials = new VssOAuthAccessTokenCredential(token);
//VssCredentials credentials = new VssBasicCredential(string.Empty, patToken);

// Connect to Azure DevOps Services
VssConnection connection = new VssConnection(new Uri(c_collectionUri), credentials);

Console.WriteLine(connection.AuthorizedIdentity.DisplayName);

I get the following exception:
Microsoft.VisualStudio.Services.Common.VssUnauthorizedException: 'TF400813: The user ' is not authorized to access this resource. '

If I use the commented VssCredentials with PAT token with the same scope - I'm able to call both the Rest API and use this code.

In the ManagedClientConsoleAppSample, I successfully set up the app in Azure AD and changed the azureDevOpsOrganizationUrl, clientId, and replyUri to those specified in the instructions.

The AD authentication window appears and an AuthenticationResult is returned.

However, the call in the ListProjects method returns a response with a NotFound StatusCode. Is the URI on the client.GetAync method call correct or is there some other problem.

Earlier I tried using the DeviceProfileSample and successfully received a list of projects from the Azure DevOps API end point, but now that sample project also returns a NotFound StatusCode.

Theres any way to setup oauth in a spa but without adal, just with any js library for oauth2 or openid connect?

if yes, there's any sample?

Only getting timeouts when I get to the acquireToken function. Not only in my own code but also when trying to utilize this example code.

Where am I getting the VSTS Resource ID from? I'm not seeing a clear mapping on where I'm getting this value from AAD.

My AAD login works as expected however, I have zero access to VSTS.

Following on from #87 which implements advice given in #70:

I believe I have filled in web.config correctly, using the following values, and constructing my callbackurl from my site url + "oauth2/callback"

I've created an App Registration and Published my app to it. I'm now getting Error 400:

Anyone any ideas that I can add to #87 ?

Please add the following before using HttpClient to request from https://app.vssps.visualstudio.com/oauth2/*

System.Net.ServicePointManager.SecurityProtocol = System.Net.SecurityProtocolType.Tls12;

I've placed in Global.asax.cs which worked for me.

Is there any documentation on how agent variable $(system.accessToken) value can be validated in custom API? the JWT contains x5t header however with no location of issuer signing keys, it cant be validated.
The token contains values like this but where can we get issuer signing keys in this case? the issuer is app.vstoken.visualstudio.com
Does anyone know what is endpoint for openid configuration for this endpoint?
should have something like /.well-known/openid-configuration

I cloned the repo, ran NPM, created an app ID as described, and ran the app. Login completes successfully. However, when I click the "Call DevOps Rest API" button, nothing happens except an error in my chrome Windows that says:

ServerError: invalid_client: AADSTS650057: Invalid resource. The client has requested access to a resource which is not listed in the requested permissions in the client's application registration. Client app ID: [redacted]. Resource value from request: 499b84ac-1321-427f-aa17-267ca6975798. Resource app ID: 499b84ac-1321-427f-aa17-267ca6975798. List of valid resources from app registration: 00000003-0000-0000-c000-000000000000.
Trace ID: c9a71cf7-bc64-446e-80f0-b9dc47c35600
Correlation ID: ca198b06-4d06-4d45-8dfa-835540dd27ea
Timestamp: 2022-04-22 20:18:07Z

Is there a missing documentation step where I'm supposed to grant my app permissions to access resource 499b84ac-1321-427f-aa17-267ca6975798? How would I do that?

Have updated App.config as mentioned in README.md.
When I ran the csproj, after authorising the app to our DevOps site, it still says "Something went wrong".
Can be easily re-produced.

Here's the error:

Message: A configuration issue is preventing authentication - check the error message from the server for details. You can modify the configuration in the application registration portal. See https://aka.ms/msal-net-invalid-client for details. Original exception: AADSTS7000218: The request body must contain the following parameter: 'client_assertion' or 'client_secret'.

Hello, I cloned the OAuthWebSample and changed the values to my values.

Error:

The resource cannot be found.
Description: HTTP 404. The resource you are looking for (or one of its dependencies) could have been removed, had its name changed, or is temporarily unavailable. Please review the following URL and make sure that it is spelled correctly.

Requested URL: /oauth/callback

Hi!

I've configured my app based on the readme, but I'm getting this error (I have replaced the TENANT_NAME to my tenant):

Access to fetch at 'https://dev.azure.com/{TENANT_NAME}/_apis/projects?api-version=4.0' from origin 'http://localhost:8081' has been blocked by CORS policy: No 'Access-Control-Allow-Origin' header is present on the requested resource. If an opaque response serves your needs, set the request's mode to 'no-cors' to fetch the resource with CORS disabled.

Could anyone help me how they solved this issue? Where should I enable the localhost origin?

Regards,
Tamas

The "For more information click here" link is broken in the readme file.

Hey there,

I was wondering what is supposed to be the expected response when making a PATCH request with an expired bearer token on api version 5.0.

The response body I am getting is:

{
  "eventId": 3000,
  "$id": "1",
  "errorCode": 0,
  "typeName": "Microsoft.TeamFoundation.Framework.Server.UnauthorizedRequestException, Microsoft.TeamFoundation.Framework.Server",
  "innerException": null,
  "message": "TF400813: The user '' is not authorized to access this resource.",
  "typeKey": "UnauthorizedRequestException"
}

with a 401 status code. I ask because this is different from a POST and GET request where we receive a 203 status code when the access token is expired.

Here's a thread with Azure DevOps Support for more context: https://developercommunity.visualstudio.com/content/problem/972334/inconsistent-tf400813-the-user-is-not-authorized-t.html

I'm currently having issues with the Javascript Web App Sample due to the azureDevOpsApi variable not being used during the HTTP Get request in the getCurrentUserInfo function.

I'd like to make a pull request to ensure the variable vstsApi is changed to azureDevOpsApi.

The DeviceProfileSample sample results in a 404 not found. What am I doing wrong?

When I use the following I get results using the same identity for retrieving an access token through a device code:

az login --use-device-code
az rest --method get --url "https://dev.azure.com/myorgname/_apis/projects?api-version=2.2" --resource 499b84ac-1321-427f-aa17-267ca6975798

App registration manifest:

{
	"id": "someguid-a89c-430f-8179-024b9be5cd1f",
	"acceptMappedClaims": null,
	"accessTokenAcceptedVersion": null,
	"addIns": [],
	"allowPublicClient": true,
	"appId": "someguid-d10b-46d5-908f-60b0bb4b3e66",
	"appRoles": [],
	"oauth2AllowUrlPathMatching": false,
	"createdDateTime": "2021-11-28T15:51:11Z",
	"certification": null,
	"disabledByMicrosoftStatus": null,
	"groupMembershipClaims": null,
	"identifierUris": [],
	"informationalUrls": {
		"termsOfService": null,
		"support": null,
		"privacy": null,
		"marketing": null
	},
	"keyCredentials": [],
	"knownClientApplications": [],
	"logoUrl": null,
	"logoutUrl": null,
	"name": "PAT API Test App",
	"oauth2AllowIdTokenImplicitFlow": false,
	"oauth2AllowImplicitFlow": false,
	"oauth2Permissions": [],
	"oauth2RequirePostResponse": false,
	"optionalClaims": null,
	"orgRestrictions": [],
	"parentalControlSettings": {
		"countriesBlockedForMinors": [],
		"legalAgeGroupRule": "Allow"
	},
	"passwordCredentials": [],
	"preAuthorizedApplications": [],
	"publisherDomain": "mytenant.onmicrosoft.com",
	"replyUrlsWithType": [],
	"requiredResourceAccess": [
		{
			"resourceAppId": "499b84ac-1321-427f-aa17-267ca6975798",
			"resourceAccess": [
				{
					"id": "ee69721e-6c3a-468f-a9ec-302d16a4c599",
					"type": "Scope"
				}
			]
		},
		{
			"resourceAppId": "00000003-0000-0000-c000-000000000000",
			"resourceAccess": [
				{
					"id": "e1fe6dd8-ba31-4d61-89e7-88639da4683d",
					"type": "Scope"
				}
			]
		}
	],
	"samlMetadataUrl": null,
	"signInUrl": null,
	"signInAudience": "AzureADMyOrg",
	"tags": [],
	"tokenEncryptionKeyId": null
}

I have a web app using AAD that allows us login with microsoft account. In Program.cs I replaced the $username and $password with that of my account and replaced $aadApplicationId with id at here:

Yet when the program runs to this line

var result = authenticationContext.AcquireTokenAsync(VstsResourceId, aadApplicationID, adalCredential).Result;

an exception is thrown:
AdalServiceException: AADSTS70002: The request body must contain the following parameter: 'client_secret or client_assertion'. Trace ID: 6ff59af0-9185-4f64-a5f4-fc1331c30300 Correlation ID: d8914c45-f234-4b3e-913c-dc7bfe647374 Timestamp: 2018-06-07 13:12:59Z

Hi,
I'm having an issue with Devops auth from a pipeline that I cannot find a solution for in these samples.

This is the situation:

• Using Azure (cloud) Devops
• Local build agent on Windows 10
• The pipeline executes (via MsBuild) a .NET 4.8 command line executable that queries Devops for work items.
• Pipeline has authorization scope "Project collection" and "Allow scripts to access the OAuth token" enabled.

I would expect something like this to work:

var accessToken = Environment.GetEnvironmentVariable("SYSTEM_ACCESSTOKEN");
var creds = new VssOAuthAccessTokenCredential(accessToken);
var uri = new Uri("https://dev.azure.com/" + orgName);
using (var httpClient = new WorkItemTrackingHttpClient(uri, creds))
{
  var query = await httpClient.GetQueryAsync(project, queryPath, null, 2); // TF401243: The query ... does not exist, or you do not have permission to read it
}

Using the same token with WebClient works fine:

var url = <url-to-image-in-work-item>
using (var client = new WebClient())
{
    client.Headers.Set("Authorization", "Bearer " + accessToken);
    client.DownloadFile(url, path); // OK
}

What am I doing wrong?
Note the error is TF401243 rather than VS30063. Does the build service not have access to work items?

I followed the instructions in README.md for setting up JavascriptWebAppSample. The application fails and outputs the following error:
ERROR:
AADSTS70005: response_type 'token' is not enabled for the application

https://github.com/microsoft/azure-devops-auth-samples/blob/master/ManagedClientConsoleAppSample/Program.cs#L14

internal const string azureDevOpsOrganizationUrl = "http://dev.azure.com/organization"; //change to the URL of your Azure DevOps account; NOTE: This must use HTTPS

The comment says that https must be used, but the value uses http.

If you get don't change the sample, you get a cryptic 203 response from the server.

Also, there should be a trailing slash, or you will get a 404 from the server when it tries to combine the URIs, as described in #41

I followed the instructions here and was surprised that the CLIENT_SECRET was not only written to disk in plain text, but was written to the source code directory in a file that is already tracked by source code.

In the ManagedClientConsoleAppSample/README.md, it says:

azureDevOpsOrganizationUrl - update this with the url to your Azure DevOps/TFS collection, e.g. http://dev.azure.com/organization for Azure DevOps.

When I am just updating the organization URL in the mentioned format, I get an unsuccessful NOT FOUND response, when the HttpClient is trying to GetAsync.

The reason is, that the HttpClient.GetAsync combines the BaseAddress with the relative request URI without the Organization name, when there is a slash missing behind the URL of azureDevOpsOrganizationUrl!

This was not possible to happen in the vsts URL before, as the organization name was part of the FQDN at that time, so this problem was introduced by the switch to dev.azure.com.

(Also, the new URI statement around the URL when setting the BaseAddress does unfortunately also not ensure, that there is a trailing slash at the end of the BaseAddress afterwards.)

Suggesting to fix README containing the trailing slash and mention, that it is important. Also, e.g. update Program.cs like:

internal const string azureDevOpsOrganizationName = "organization"; //change to the (URL-)name of your Azure DevOps organization;
internal static string azureDevOpsOrganizationUrl = $"https://dev.azure.com/{azureDevOpsOrganizationName}/"; // NOTE: This must use HTTPS and trailing slash is required

Hi,

I've downloaded the latest version of Oauth Sample and followed the setup steps.
I get a callback with the authorization code okay, but the call to get the token from the code always fails with a webexception: "The remote server returned an error: (400) Bad Request."

Here is the request to get the token which is failing(the token and app name below are fake):

client_assertion_type=urn:ietf:params:oauth:client-assertion-type:jwt-bearer&client_assertion=ey0......iOiJSUI1NiIs&grant_type=urn:ietf:params:oauth:grant-type:jwt-bearer&assertion=eyJ0...........XG-MLE9_w&redirect_uri=https://myapp-staging.azurewebsites.net/oauth/callback

and the Content-Type used is application/x-www-form-urlencoded as instructed.

Please advise.

Thanks,
SS

Deprecation announcement: https://techcommunity.microsoft.com/t5/azure-active-directory-identity/update-your-applications-to-use-microsoft-authentication-library/ba-p/1257363

https://github.com/microsoft/azure-devops-auth-samples/blob/master/DeviceProfileSample/README.md has a broken link (404):

https://azure.microsoft.com/en-us/resources/samples/active-directory-dotnet-deviceprofile/?v=17.23h

I searched but couldn't find an appropriate 1:1 replacement.

DeviceProfileSample/Program.cs and ManagedClientConsoleAppSample/Program.cs have the following code:

// check to see if we have a succesfull respond
if (response.IsSuccessStatusCode)
{
    Console.WriteLine("\tSuccesful REST call");

Which should be:

// check to see if we have a successful respond
if (response.IsSuccessStatusCode)
{
    Console.WriteLine("\tSuccessful REST call");

ClientLibraryPatAppSample not working

Hi,

I downloaded and followed the instructions and when I tried running am getting the below error.

Microsoft.VisualStudio.Services.Client.Controls.BrowserFlowException: 'SP324091: You are not authorized to access our service.'

file : azure-devops-auth-samples-master\ClientLibraryConsoleAppSample\Program.cs

I'm developing a .Net 5 Console App to automate some actions on Azure DevOps WorkItems.

As my authorization isn't working I started ClientLibraryConsoleAppSample to get a hint was is wrong.

The current version is running as net452 and all is working but when I change the TargetFramework to netcoreapp2.0 or to net5.0 I get an error:

Unhandled Exception: System.AggregateException: One or more errors occurred. (VS30063: You are not authorized to access https://dev.azure.com.) ---> Microsoft.VisualStudio.Services.Common.VssUnauthorizedException: VS30063: You are not authorized to access https://dev.azure.com.
   at Microsoft.VisualStudio.Services.Common.VssHttpMessageHandler.<SendAsync>d__17.MoveNext()
--- End of stack trace from previous location where exception was thrown ---
   at System.Runtime.ExceptionServices.ExceptionDispatchInfo.Throw()
   at System.Runtime.CompilerServices.TaskAwaiter.HandleNonSuccessAndDebuggerNotification(Task task)
   at Microsoft.VisualStudio.Services.Common.VssHttpRetryMessageHandler.<SendAsync>d__4.MoveNext()
--- End of stack trace from previous location where exception was thrown ---
   at System.Runtime.ExceptionServices.ExceptionDispatchInfo.Throw()
   at System.Runtime.CompilerServices.TaskAwaiter.HandleNonSuccessAndDebuggerNotification(Task task)
   at System.Runtime.CompilerServices.ConfiguredTaskAwaitable`1.ConfiguredTaskAwaiter.GetResult()
   at System.Net.Http.HttpClient.<FinishSendAsyncBuffered>d__58.MoveNext()
--- End of stack trace from previous location where exception was thrown ---
   at System.Runtime.ExceptionServices.ExceptionDispatchInfo.Throw()
   at System.Runtime.CompilerServices.TaskAwaiter.HandleNonSuccessAndDebuggerNotification(Task task)
   at Microsoft.VisualStudio.Services.WebApi.VssHttpClientBase.<SendAsync>d__51.MoveNext()
--- End of stack trace from previous location where exception was thrown ---
   at System.Runtime.ExceptionServices.ExceptionDispatchInfo.Throw()
   at System.Runtime.CompilerServices.TaskAwaiter.HandleNonSuccessAndDebuggerNotification(Task task)
   at Microsoft.VisualStudio.Services.WebApi.VssHttpClientBase.<SendAsync>d__47`1.MoveNext()
--- End of stack trace from previous location where exception was thrown ---
   at System.Runtime.ExceptionServices.ExceptionDispatchInfo.Throw()
   at System.Runtime.CompilerServices.TaskAwaiter.HandleNonSuccessAndDebuggerNotification(Task task)
   at Microsoft.VisualStudio.Services.WebApi.VssHttpClientBase.<SendAsync>d__28`1.MoveNext()
   --- End of inner exception stack trace ---
   at System.Threading.Tasks.Task`1.GetResultCore(Boolean waitCompletionNotification)
   at ClientLibraryConsoleAppSample.Program.Main(String[] args) in d:\Repos\vsts-auth-samples\ClientLibraryConsoleAppSample\Program.cs:line 27

C:\Program Files\dotnet\dotnet.exe (process 67652) exited with code -532462766.

I think, it is a big disadvantage to not have the .NET Client Library Microsoft.TeamFoundationServer.Client included in the OAuthWebSample. That makes things soo much more simple.

The following is the only missing code, once the access token is retrieved. Please update the sample.

VssOAuthAccessTokenCredential credentials = new VssOAuthAccessTokenCredential(AccessToken);
VssConnection connection = new VssConnection(new Uri("https://dev.azure.com/[your org]"), credentials);
var client = connection.GetClient<ProjectHttpClient>();
var projects = client.GetProjects().Result;

Of course, you also need to add the nuget package Microsoft.TeamFoundationServer.Client to your web project first.

In the file azure-devops-auth-samples/ManagedClientConsoleAppSample/Program.cs
//============= Config [Edit these with your settings] ===================== internal const string azureDevOpsOrganizationUrl = "http://dev.azure.com/organization"; //change to the URL of your Azure DevOps account; NOTE: This must use HTTPS internal const string clientId = "872cd9fa-d31f-45e0-9eab-6e460a02d1f1"; //change to your app registration's Application ID, unless you are an MSA backed account internal const string replyUri = "urn:ietf:wg:oauth:2.0:oob"; //change to your app registration's reply URI, unless you are an MSA backed account //==========================================================================
Where can I get clientId and replyUri ?, I'm using your information, and it works. So I want to change to my information. Please help.

It appears there is an incomplete attempt to port it to .NET Core but that won't work ([interactive isn't supported yet on .NET core)[https://github.com/AzureAD/azure-activedirectory-library-for-dotnet/issues/879].

To get it to work I needed to:

• Remove the netcoreapp2.0 target
• Include package Microsoft.VisualStudio.Services.InteractiveClient (despite step 3 of the readme saying it was in place)
• Remove the parameterless constructor call for PlatformParameters
• Change the base URL to be https.

(The last point took a while to find: getting unauthorised responses after authorising isn't the greatest diagnostic.)

Sample code really should be ready to run!

I'm trying to create a VssConnection in an Azure Function, but I am presented with the below error after trying to invoke it:

Microsoft.VisualStudio.Services.WebApi: Method not found: 'Newtonsoft.Json.JsonSerializerSettings System.Net.Http.Formatting.BaseJsonMediaTypeFormatter.get_SerializerSettings()'.

public override void Configure(IFunctionsHostBuilder builder)
        {
            builder.Services.AddTransient(x =>
            {
                var url = "<URL>";
                var pat = "<PAT TOKEN>";
                var credentials = new VssBasicCredential(string.Empty, pat);
                return new VssConnection(new Uri(url), credentials);
            });
        }

I also tried doing it without DI and got the same issue.

Function Runtime: 3.0.2009
Target Framework: dotnet core 3.1
OS: Mac Catalina

I tried the ManagedClientConsoleAppSample. I created an AAD application und wanted to set required permissions to Azure DevOps API. But which API must I use? When looking for Azure DevOps API there are listed many Azure DevOps APIs.

Hi Team,

I have cloned the below Solution and tried the OAuthWebSample solution by replacing with my Values which i have registered.

Starting when i have started the solution with my values i have Authorized the Application and i have not got any authorization Code and state for me to create a token.

In the Code the Callback method is accepting Code and state as parameters and i tried many times after me authorizing the app and i am getting two different error.

1. on completion of authorization its redirecting to the This site cant provide a secure connection and displaying as below in the address bar https://localhost:43742/OAuth/Callback?error=InvalidScope

2)Can anyone please clarify me on the Callback URL what should be mentioned because in the solution screen it was mentioned https://yoursite.azurewebsite.net/OAuth/CallBack. Should we need to maintain the callback URL in the same manner where we need to include AzureWebSite.Net in my application URL?

3. For the first time users we will be allowing them to authorize the APP. after that how we need to achieve the token creation in the callback functionality?

I am new to this OAuth Authentication can anyone guide me in the right direction of how i can upgrade my application from removing the PAT token authentication to OAUTH Bearer token authentication. Hoping for a faster reply.

Thanks,
Deepak

In Index.cshtml from OAuthWebSample solution (and project) we have: <p><a href="/oauth/requesttoken" class="btn btn-primary btn-large" >Authorize &raquo;</a></p>

But OAuthController doesn't have requesttoken action.

Steps:

1. Take the latest Sample code
2. Update OAuthWebSample config file with correct app Id, secrets etc after registering app
3. Run OAuthWebSample on Visual studio IIS express
4. Click on "Authorize" button on the home page ( to get the token )

Result: Browser fails to get resource
/oauth/requesttoken

****Server Error in '/' Application.
The resource cannot be found.
Description: HTTP 404. The resource you are looking for (or one of its dependencies) could have been removed, had its name changed, or is temporarily unavailable. Please review the following URL and make sure that it is spelled correctly.

Requested URL: /oauth/requesttoken

Version Information: Microsoft .NET Framework Version:4.0.30319; ASP.NET Version:4.7.3282.0****

I'm building a Windows Service project running .netcore3.1 that extracts some backlog items.
Running on VisualStudio (debug and release mode) works fine.

After deploying, and installing the service using SC CREATE I've got the message: "Microsoft.VisualStudio.Services.Common.VssUnauthorizedException: TF400813: The user 'MyDomain\MyComputer$' is not authorized to access this resource."

But I'm using the same PAT and the same URL.

Here is the code that I'm using:

var creds = new VssBasicCredential(string.Empty, "My PAT");
var collectionUrl = new Uri("The collection URL");
var connection = new VssConnection(collectionUrl, creds);
var witClient = await connection.GetClientAsync<WorkItemTrackingHttpClient>();

The exception is thrown when connection.GetClientAsync is called.

Any ideas on why it is working running on Visual Studio but not as a Windows Service?

Thanks

I am getting the error when i access build information in my tfs account.

API resource {id} is not regustered on {uri}

Do i need to reguster somthing?

Could we get an updated example using asp.net core 2.2 or 3.0 for oAuth? The webforms example is a bit out of date compared to the differences in asp.net core.