使用 oAuth 访问 Azure DevOps REST API [英] Access Azure DevOps REST API with oAuth
问题描述
我已使用Azure DevOps"权限在 AzureAD 中创建了我的应用程序.
I have created my application in AzureAD with the permission "Azure DevOps".
下面是我从 Azure DevOps 中获取项目列表的代码
Below is my code to fetch project list from Azure DevOps
using (HttpClient client = new HttpClient())
{
HttpRequestMessage requestMessage = new HttpRequestMessage(HttpMethod.Post, "https://login.microsoftonline.com/21d63aec-6502-4638-98f3-04587e69d53b/oauth2/v2.0/token");
requestMessage.Headers.Accept.Add(new MediaTypeWithQualityHeaderValue("application/json"));
Dictionary<String, String> form = new Dictionary<String, String>()
{
{ "grant_type", "client_credentials" },
{ "client_id", "ac313ad2...." },
{ "scope", "https://app.vssps.visualstudio.com/.default" },
{ "client_secret", "BX0RldhqL...." }
};
requestMessage.Content = new FormUrlEncodedContent(form);
HttpResponseMessage responseMessage = client.SendAsync(requestMessage).Result;
if (responseMessage.IsSuccessStatusCode)
{
String body = responseMessage.Content.ReadAsStringAsync().Result;
JsonConvert.PopulateObject(body, tokenModel);
}
}
using (ProjectHttpClient projectHttpClient = new ProjectHttpClient(new Uri("https://dev.azure.com/AlfabetChennaiDev"), new VssOAuthAccessTokenCredential(tokenModel.AccessToken)))
{
IEnumerable<TeamProjectReference> projects = projectHttpClient.GetProjects().Result;
}
但我收到错误消息,因为您无权访问 https://dev.azure.com."
But I'm getting error as "You are not authorized to access https://dev.azure.com."
我正在使用 oAuth 2.0 客户端凭据流来获取访问令牌.可能是什么原因
I am using oAuth 2.0 Client Credential flow to get access token. What could be the reason
推荐答案
通常,当您希望应用程序代表调用用户与 Azure DevOps API 通信而无需提示输入用户名时,您会使用 REST API 使用 oAuth和密码每次.为此,用户需要授权应用程序代表他们与 Azure DevOps API 通信.
Typically you'd use the REST API using oAuth when you want your application to communicate with Azure DevOps API on behalf of the calling user without having to prompt for usernames and passwords each time. To do this, the user will need to authorize the application to communicate to the Azure DevOps API on their behalf.
在高层次上,您调用授权"端点并提供回调.回调必须是您应用程序中的安全网址 (https):
At a high-level, you call the "authorize" endpoint and provide a callback. The callback must be a secure url (https) in your application:
https://app.vssps.visualstudio.com/oauth2/authorize
?client_id={app ID}
&response_type=Assertion
&state={state}
&scope={scope}
&redirect_uri={callback URL}
假设用户接受授权,Azure DevOps 会使用 URL 中的授权代码重定向到您的回调位置.
Assuming the user accepts the authorization, Azure DevOps redirects to your callback location with the authorization code in the URL.
https://fabrikam.azurewebsites.net/myapp/oauth-callback
?code={authorization code}
&state={state}
获取访问令牌
现在您的应用程序已获得授权,您需要获取访问令牌:
Obtain an Access Token
Now that your application is authorized, you need to obtain an access token:
POST https://app.vssps.visualstudio.com/oauth2/token
application/x-www-form-urlencoded 表单具有以下正文,其中包含您创建应用程序时的应用程序机密、用户授权您的应用程序时刚刚收到的授权代码,以及安全回调.
The application/x-www-form-urlencoded form has the following body with the application secret when you created the application, the authorization code you just received when the user authorized your app, and the secure callback.
public string GenerateRequestPostData(string appSecret, string authCode, string callbackUrl)
{
return String.Format("client_assertion_type=urn:ietf:params:oauth:client-assertion-type:jwt-bearer&client_assertion={0}&grant_type=urn:ietf:params:oauth:grant-type:jwt-bearer&assertion={1}&redirect_uri={2}",
HttpUtility.UrlEncode(appSecret),
HttpUtility.UrlEncode(authCode),
callbackUrl
);
}
响应将在 JSON 响应中包含访问令牌.
The response will contain the access token in the JSON response.
{
"access_token": { access token for the user },
"token_type": { type of token },
"expires_in": { time in seconds that the token remains valid },
"refresh_token": { refresh token to use to acquire a new access token }
}
请注意,令牌不是永久性的,可能需要刷新.
Note that the token isn't permanent and may need to be refreshed.
最后,现在您有了一个用户访问令牌,您可以将它包含在您向服务器发出的请求中的 Authorization 标头中.
Lastly, now that you have a user-access token, you can include it in the Authorization header in your requests to the server.
GET https://dev.azure.com/myaccount/myproject/_apis/build-release/builds?api-version=3.0
Authorization: Bearer {access_token}
例如:
httpClient.DefaultRequestHeaders.Authorization =
new AuthenticationHeaderValue("Bearer", "{access_token}");
如果您没有使用专用应用程序,而只想使用您控制的凭据查询 API -- 使用个人访问令牌,因为它更容易:
If you're not using a dedicated application and you just want to query the API with credentials you control -- use a Personal Access Token, as it's a lot easier:
httpClient.DefaultRequestHeaders.Authorization =
new AuthenticationHeaderValue("Basic {base-64-encoded-string of username:PAT}");
这篇关于使用 oAuth 访问 Azure DevOps REST API的文章就介绍到这了,希望我们推荐的答案对大家有所帮助,也希望大家多多支持IT屋!
