
I'm trying to implement the OAuth 2.0 authentication (Bearer JWT token) from an Electron application in order to access Azure DevOps APIs (repos, work items, test plans).

The Azure DevOps organization is AAD-backed, so I'm trying to access the Azure DevOps API using the access token given by the Azure AD /token endpoint.

I'm using the Authorization code flow with PKCE to obtain the token.

However, when accessing the Azure DevOps API, I'm constantly seeing error messages regarding the wrong scope.

The scope is invalid

With curl calls, I see the following:

```html
<html><head><title>Object moved</title></head><body>
<h2>Object moved to <a href="https://spsprodcus2.vssps.visualstudio.com/_signin?realm=dev.azure.com&amp;reply_to=https%3A%2F%2Fdev.azure.com%2FXXXXXXX%2FXXXXX%2F_apis%2Fwit%2Fworkitems%3Fids%3D11016%252C54321%26api-version%3D6.0&amp;redirect=1&amp;hid=1b2cef85-XXXX-XXXX-XXXX-8b6420bc5933&amp;context=eyJodCI6XXXXXXXXXXXXLCJjcyI6IiJ90#ctx=eyJTaWduSW5XXXXXXW5lLmNvbSJdfQ2">here</a>.</h2>
</body></html>
```

Of course, my AAD-registered application has Azure DevOps API permissions added:


I have tried another option - obtaining the token from an Azure DevOps-backed app registration created here: https://aex.dev.azure.com/app/register - but then the following error is shown:

The corresponding application isn't registered within the Azure AD tenant.

Nevertheless, I see that applications registered with the Azure DevOps portal aren't shown in the Azure AD applications list.

Thus I'm starting to think that either the Authorization code flow with PKCE for Azure DevOps should be different (in terms of API calls) or there's something wrong with the Azure AD application (e.g. scopes or API permissions).

1 Answer

I tried to reproduce the same in my environment and got the results successfully like below:

To access Azure DevOps, make sure to create an Azure AD application and add the permission with consent granted, like below:

Use the below endpoint to generate the code for the Authorization code+PKCE flow:

Make sure to use the scope 499b84ac-1321-427f-aa17-267ca6975798/user_impersonation

```text
GET
https://login.microsoftonline.com/TenantId/oauth2/v2.0/authorize?
response_type=code
&client_id=ClientID
&scope=499b84ac-1321-427f-aa17-267ca6975798/user_impersonation
&redirect_uri=RedirectUri
&code_challenge=CodeChallenge
&code_challenge_method=S256
```

When you hit the above endpoint, the code will be generated like below:


To generate the token, make use of the below parameters (the token endpoint takes a POST with a form body, and code_verifier is the verifier string whose S256 hash was sent as code_challenge above):

```text
POST
https://login.microsoftonline.com/TenantID/oauth2/v2.0/token
client_id:client_id
grant_type:authorization_code
code:codegeneratedabove
redirect_uri:redirect_uri
code_verifier:code_verifier_matching_the_code_challenge
scope:499b84ac-1321-427f-aa17-267ca6975798/user_impersonation
client_secret:client_secret
```


To access Azure DevOps, use the access token generated above.

I am able to get the Azure DevOps account details successfully like below:

```text
GET https://app.vssps.visualstudio.com/_apis/profile/profiles/me?api-version=6.0
```

Based on your requirement, you can fetch the details from Azure DevOps using the token.
