How to authenticate to https://tfspreview.com (MIcrosoft-hosted TFS) using Java command line application?

Question

I am trying to access https://tfspreview.com SOAP interface from my command line Java app. Unlike the on-premises TFS services, this one uses Live ID authentication, which makes causes the communication to fail with a 302 redirect to their authentication service. I have no idea how to proceed with authenticating there.

Any pointers?

Answer 1

< tl;dr >

You can use Basic authentication to provide a headless experience to Team Foundation Service. Also, if you're not using the TFS SDK for Java, it may help you out.

< /tl;dr >

Generally speaking, there are three types of credentials that you can use to authenticate, and that determines the mechanism you use for authentication:

1. A Live ID. As you noted, this requires you to log in to a Windows Live with a web browser and use the resultant OAuth tokens to authenticate.

2. An additional password mapped to your Live ID, which exists for the purposes of Basic authentication. Instructions for setting up this additional mapping are available in the August 27 announcement about this feature.

3. A service account. In addition to the list of users (specified by Live ID), your Team Foundation Service account also has a special user account that it uses for things like build automation and the like. There is one service account for each Team Foundation Service account and - as the name implies - this is an administrator account.

Let's take a look at each option:

Live ID: Authenticating with a Live ID using OAuth is going to be difficult for your command-line application. What Visual Studio does here is to open Internet Explorer to tfspreview.com, which will ultimately prompt you to enter your Live ID credentials. At that point, the various OAuth cookies will get set into your web browser. Since Visual Studio and Internet Explorer share the same underlying HTTP connection mechanism, it can make use of these same cookies. With a Java command-line client, you don't have that luxury (unless you're writing this exclusively for Windows and want to write some JNI to call the system's HTTP library that is.)

So what are your options? I suppose it's possible that you could follow the redirect you're given - at which point you will eventually get a login page that you could POST your credentials to and ultimately get an OAuth cookie sent back to you that you could then use for authentication. But I suspect that this is probably not the road you want to go down, though. I strongly suspect that there's a healthy dose of JavaScript required to get you logged in.

Basic Authentication: These require an additional step in setup, but are simple and obvious. There's no reason not to use these.

Service Accounts: Lacking a web browser, though, you are able to present a WRAP token with your service credentials. You can view the service credentials for your account using the very helpful TFS Service Credential Viewer. With your service account username and password you can create a WRAP cookie to authenticate with. But at this point, you're authenticating as the service account, not one of your user accounts.

If you don't want to mess with creating WRAP tokens yourself, you can also use the Team Foundation Server SDK for Java to build a connection. Simply hand your service credentials in as UsernamePasswordCredentials when you create a TFSTeamProjectCollection. Even if you don't want to use the API methods against the server, you can get the raw HTTPClient from that connection and it will have all the necessary configuration set. Taking a dependency on the SDK will also benefit you if we add new authentication mechanisms to the Team Foundation Service in the future as the SDK's API should not change dramatically.