0

I'm using the Azure REST API to trigger a pipeline from 2 different function apps. In order to do that I'm using an HttpClient and sending a POST request with a Basic token (username:password) in the Authorization header like the documentation says, with an empty user:

    client.DefaultRequestHeaders.Authorization = new AuthenticationHeaderValue("Basic",
        Convert.ToBase64String(
            System.Text.ASCIIEncoding.ASCII.GetBytes(
                string.Format("{0}:{1}", "", token))));

From one of the function apps, using the same token/password works fine. However, from the second function app I get an error message:

{"$id":"1","innerException":null,"message":"TF400813: The user {some guid is shown here in the original message} is not authorized to access this resource.","typeName":"Microsoft.TeamFoundation.Framework.Server.UnauthorizedRequestException, Microsoft.TeamFoundation.Framework.Server","typeKey":"UnauthorizedRequestException","errorCode":0,"eventId":3000}

So even though I'm not sending a user, I'm getting an error about a user not being authorized. I checked, and the GUID is not a client ID of an identity related to the function app. I can't even find that GUID at all when searching for it in the Azure portal.

What could have caused this error if no user is sent to begin with?

3
  • Try to isolate the issue. Test triggering the pipeline via the REST API with Postman, and check if you still have the unauthorized error. Commented Apr 24 at 7:39
  • I tried it locally and it did work Commented Apr 24 at 8:00
  • Then there is no permission issue with your token. It is related to your code or function app configuration. Commented Apr 24 at 21:47

1 Answer

0

Although the API allows you to specify an empty username, a Personal Access Token is created by a user. Think of it as a private key that represents a set of permissions associated with a specific user.

The user id that appears in the error can be located using the az cli:

az devops user show --user <guid or email address>

Regarding your error message, you either don't have the appropriate scopes defined in the PAT, or the user of the PAT doesn't have permissions to perform the operation you're attempting to do programmatically.


10 Comments

Then how does it work for the other function app? Both function apps used to trigger a pipeline in the same Azure organization
Who created the PAT? How are their permissions different between the projects?
Were you able to locate the user using the az cli? Have you confirmed that this user has the permissions on the pipeline you’re attempting to queue?
Sorry I didn't reply. No, the command didn't find anything. It's still a mystery as to where this user came from
If the GUID is all zeros 0000 -- the PAT is invalid. Otherwise, the user is the owner of the PAT. That's how PERSONAL Access Tokens work.
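A diagnostic sketch for the situation in this thread, added here as an example and not code from the question, the answer or Azure DevOps: it fingerprints the token each function app actually loaded so the two can be compared without logging the secret, flags characters that the question's `ASCIIEncoding` call would alter or pass through unnoticed, and classifies the GUID in a TF400813 body using the rule from the last comment. It assumes .NET 6 or later; `PatDiagnostics`, its method names and every sample value are constructed for illustration, and the possibility that the two apps hold different token bytes is an assumption to test, not something the thread establishes.

```csharp
using System;
using System.Linq;
using System.Security.Cryptography;
using System.Text;
using System.Text.Json;
using System.Text.RegularExpressions;

static class PatDiagnostics
{
    // Short SHA-256 prefix: lets you compare the token each app loaded without logging it.
    public static string Fingerprint(string pat) =>
        Convert.ToHexString(SHA256.HashData(Encoding.UTF8.GetBytes(pat)))[..12];

    // Encoding.ASCII.GetBytes (used in the question) turns non-ASCII chars into '?',
    // and stray whitespace is encoded as-is, so either one changes the password sent.
    public static bool HasSuspectChars(string pat) =>
        pat.Any(c => c > 127 || char.IsWhiteSpace(c));

    // Extracts the identity GUID from a TF400813 body and applies the rule from the
    // comments: all zeros means an invalid PAT, anything else is the PAT's owner.
    public static string ClassifyError(string body)
    {
        using var doc = JsonDocument.Parse(body);
        string message = doc.RootElement.GetProperty("message").GetString() ?? "";
        Match m = Regex.Match(message, @"[0-9a-fA-F]{8}(?:-[0-9a-fA-F]{4}){3}-[0-9a-fA-F]{12}");
        if (!m.Success) return "no identity GUID found in message";
        Guid id = Guid.Parse(m.Value);
        return id == Guid.Empty
            ? "all-zero GUID: the PAT was not accepted as valid"
            : $"PAT resolved to {id}; look it up with: az devops user show --user {id}";
    }

    static void Main()
    {
        // Constructed sample values, not a real token, identity or server response.
        string tokenAppA = "constructed-sample-pat";
        string tokenAppB = "constructed-sample-pat\r\n"; // e.g. pasted with a line break
        Console.WriteLine($"A {Fingerprint(tokenAppA)} suspect={HasSuspectChars(tokenAppA)}");
        Console.WriteLine($"B {Fingerprint(tokenAppB)} suspect={HasSuspectChars(tokenAppB)}");

        string body = "{\"$id\":\"1\",\"message\":\"TF400813: The user " +
            "'11111111-2222-3333-4444-555555555555' is not authorized to access this resource.\"," +
            "\"typeKey\":\"UnauthorizedRequestException\"}";
        Console.WriteLine(ClassifyError(body));
    }
}
```

Logging the fingerprint from both function apps at startup shows whether they hold byte-identical tokens; if the fingerprints match, the difference lies elsewhere in the request or in the PAT owner's permissions.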
