I'm writing a Blazor web app to pull pipeline data from Azure DevOps. Up until now I've been using a PAT for the access, but I want users to be able to use their Azure AD account for the access instead of a PAT. I've added the Azure AD authentication via the Microsoft.AspNetCore.Authentication.AzureAD.UI library so that you have to log in with your Azure AD account to access the site, and that works.
Now that I have them logged in, I want to use that login for the VssConnection used to make the calls to the REST APIs. Currently I'm using a personal access token like this:
VssCredentials vssCredentials = new VssBasicCredential(string.Empty, PAT);
VssConnection vssConnection = new VssConnection(new Uri($"https://dev.azure.com/{Org}"), vssCredentials);
How do I change that to utilize the Azure AD login they are using so that they don't need to provide the PAT?
UPDATE
I think I'm really close on this. I found a library on GitHub called Microsoft.Identity.Web which appears to do what I want. I think I'm just struggling to understand how to make the calls with the right scopes. So in my startup I now have:
services.AddMicrosoftIdentityPlatformAuthentication(Configuration)
.AddMsal(Configuration, scopes)
.AddInMemoryTokenCaches();
where "scopes" is an array of strings. And later I have:
string token = await _tokenAcquisition.GetAccessTokenOnBehalfOfUserAsync(scopes);
where _tokenAcquisition is an ITokenAcquisition from Microsoft.Identity.Web. And again, scopes is an array of strings. I'm not sure what scopes I'm supposed to use for the two calls. In my application registration in Azure Portal, I have

So what scopes do I use for the call in Startup, and what do I use in the call later to get the token? I've tried so many options that I can't even mention them all. Some fail on the call in Startup. Some fail in the token acquisition. Some get all the way through and then tell me I can't access dev.azure.com. Any help would be GREATLY appreciated.
Currently, Azure DevOps doesn't provide an OAuth library for the ASP.NET Core web app. You can refer to the existing authentication samples from the link below:
Choosing the right authentication mechanism
However, we can implement OAuth 2.0 ourselves by following Authorize access to REST APIs with OAuth 2.0. You need to put a sign-in button on the web page, compose the authorization request with the app you register for Azure DevOps, then handle the response and get the access token. After that you can use the token to call the Azure DevOps REST APIs.
The OAuth for Azure DevOps is different from authentication using Azure AD; it is a separate OAuth provided by Azure DevOps directly. Below are the different authorization and token URLs for Azure DevOps and Azure AD:
Azure DevOps(OAuth 2.0)
Authorize URL: https://app.vssps.visualstudio.com/oauth2/authorize
Access Token URL: https://app.vssps.visualstudio.com/oauth2/token
Azure AD(OAuth Code Grant flow)
Authorize URL: https://login.microsoftonline.com/{tenant}/oauth2/authorize
Access Token URL: https://login.microsoftonline.com/{tenant}/oauth2/token
I would suggest you vote and leave your feedback on oAuth for DevOps from Asp.Net Core app (3.0) if you would like Microsoft to provide the authentication library and code sample for ASP.NET Core.
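As an added example (not code from the question, the answer, or Microsoft), this is the flow the answer outlines, in C#: the sign-in link built against the answer's Azure DevOps authorize URL, the callback exchange at its token URL, and the returned token replacing the PAT in VssConnection. The request parameter names are those of the Azure DevOps OAuth documentation the answer refers to; AppId, AppSecret and CallbackUrl are placeholders to be read from configuration, and VssOAuthAccessTokenCredential is the client-library credential type for an OAuth access token.

```csharp
using System;
using System.Collections.Generic;
using System.Net.Http;
using System.Security.Cryptography;
using System.Text.Json;
using System.Threading.Tasks;
using Microsoft.VisualStudio.Services.OAuth;
using Microsoft.VisualStudio.Services.WebApi;

// Azure DevOps OAuth 2.0 flow against the authorize/token URLs given in the answer. Parameter names
// follow the Azure DevOps OAuth docs the answer links; AppId/AppSecret/CallbackUrl come from configuration.
public sealed record AzureDevOpsOAuth(string AppId, string AppSecret, string CallbackUrl)
{
    private const string AuthorizeUrl = "https://app.vssps.visualstudio.com/oauth2/authorize";
    private const string TokenUrl = "https://app.vssps.visualstudio.com/oauth2/token";
    private static readonly HttpClient Http = new HttpClient();

    // Step 1: the sign-in link. 'state' is a random per-login value stored server-side and
    // checked on the callback, so a forged callback cannot bind a foreign code to this session.
    public (string Url, string State) BuildAuthorizeUrl(string scope)
    {
        byte[] nonce = new byte[32];
        RandomNumberGenerator.Fill(nonce);
        string state = Convert.ToBase64String(nonce);
        string url = $"{AuthorizeUrl}?client_id={Uri.EscapeDataString(AppId)}&response_type=Assertion"
                   + $"&state={Uri.EscapeDataString(state)}&scope={Uri.EscapeDataString(scope)}"
                   + $"&redirect_uri={Uri.EscapeDataString(CallbackUrl)}";
        return (url, state);
    }

    // Step 2: callback handling. Reject a mismatched state, then exchange the code for an access token.
    public async Task<string> ExchangeCodeAsync(string code, string returnedState, string expectedState)
    {
        if (returnedState != expectedState)
            throw new InvalidOperationException("OAuth state mismatch; callback rejected.");
        var form = new FormUrlEncodedContent(new Dictionary<string, string>
        {
            ["client_assertion_type"] = "urn:ietf:params:oauth:client-assertion-type:jwt-bearer",
            ["client_assertion"] = AppSecret,
            ["grant_type"] = "urn:ietf:params:oauth:grant-type:jwt-bearer",
            ["assertion"] = code,
            ["redirect_uri"] = CallbackUrl,
        });
        using HttpResponseMessage resp = await Http.PostAsync(TokenUrl, form);
        resp.EnsureSuccessStatusCode();
        using JsonDocument doc = JsonDocument.Parse(await resp.Content.ReadAsStringAsync());
        return doc.RootElement.GetProperty("access_token").GetString();
    }

    // Step 3: the token replaces the PAT-based VssBasicCredential from the question.
    public static VssConnection Connect(string org, string accessToken)
        => new VssConnection(new Uri($"https://dev.azure.com/{org}"), new VssOAuthAccessTokenCredential(accessToken));
}
```

The token response also carries a refresh_token and expires_in; a production app should persist both and refresh the token before it expires rather than re-running the sign-in.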