I am not sure of the technologies you are using to achieve this, but if your application is a .NET/.NET Core MVC application then Microsoft has provided sample code for the same: VSTS Sample Code C#
However, if your application is like mine, an SPA (on Angular) with a .NET Core back end, then there is no document clearly describing which parts should go where and how to achieve the OAuth flow in such a case. To answer that, I have achieved this in the following way:
- Register your app on VSTS with the callback URL pointing to a callback route on your UI application.
- Add an Authorize function on your backend to make a call to the VSTS authorize endpoint.
- Have a button/link on the UI where you would like to connect to the VSTS API, and have this pointed to the Authorize function on the backend.
The reason for making the call to the VSTS authorize endpoint from the backend and not the UI is that VSTS authorize returns a 302 redirect response and Angular 4+ is still having a clear way to handle this. .NET MVC has a RedirectResult method which handles it very well.
- Once call to authorize is made, you will be presented with Accept/Deny screen showing all the scopes.
- Once the user accepts it, he will be redirected to the callback URL which is pointing to your UI.
- Get the auth code from the callback url in UI, extract code and pass it on to API.
- API will make a call to vsts token endpoint by passing Auth code and client secret.
- API will receive the Auth Token and Refresh Token.
- Use the auth token to make VSTS API calls and persist the refresh token (there are many articles mentioning how to deal with tokens safely).
That's it, the OAuth flow can be achieved in Angular and .NET Core in the above way.
Please note, this is something not documented by Microsoft so there might be flaws in this approach which I am open to learn and rectify.
Please comment to get sample repo.
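
The callback step above (the UI reads the auth code from the callback URL and passes it to the API) is where a forged or tampered redirect has to be rejected. The following is an added example, not code from the answer or from Microsoft: it assumes the authorize request carried a random `state` value that the UI stored before the redirect, and `/api/vsts/token` is a hypothetical backend route.

```typescript
// Added illustration, not the answerer's code. Assumptions: a random `state`
// was stored (e.g. in sessionStorage) before the redirect and echoed back by
// the provider; /api/vsts/token is a hypothetical backend route.

type CallbackResult =
  | { ok: true; code: string }
  | { ok: false; reason: string };

// Validate the callback URL the browser landed on and extract the auth code.
function parseOAuthCallback(callbackUrl: string, expectedState: string | null): CallbackResult {
  let url: URL;
  try {
    url = new URL(callbackUrl);
  } catch {
    return { ok: false, reason: "malformed_url" };
  }
  const params = url.searchParams;

  // Check state first: a callback this session did not initiate is dropped
  // before anything else in it is trusted (login CSRF / code injection).
  if (!expectedState || params.get("state") !== expectedState) {
    return { ok: false, reason: "state_mismatch" };
  }
  // Standard OAuth 2.0 error response, e.g. the user pressed Deny.
  const error = params.get("error");
  if (error) {
    return { ok: false, reason: "provider_error:" + error };
  }
  // Exactly one non-empty code; duplicates suggest parameter tampering.
  const codes = params.getAll("code");
  const code = codes[0];
  if (codes.length !== 1 || !code) {
    return { ok: false, reason: "missing_or_duplicate_code" };
  }
  return { ok: true, code };
}

// Build the request that hands the code to the backend. The code travels in a
// POST body (not a query string) so it stays out of server access logs, and
// the client secret never appears here: only the backend holds it.
function buildCodeHandoff(code: string): { url: string; method: string; headers: Record<string, string>; body: string } {
  return {
    url: "/api/vsts/token", // hypothetical route
    method: "POST",
    headers: { "Content-Type": "application/json" },
    body: JSON.stringify({ code }),
  };
}
```

In the Angular callback component, the stored `state` should be cleared after one use and the `code` removed from the address bar once it has been handed off.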