My team is looking at migrating from our on-premises Team Foundation Server to Azure DevOps (in the cloud). We have an ASP.NET Core 2.1 web app on our intranet that responds to a POST from a service hook when work items are updated, and then does some calculations and updates the work item using the C# SDK.
Before we can migrate, I need to refactor that code so that it is internet facing, and I assumed an Azure web app service would provide us with what we need quickly, and with a solid authentication mechanism. My hope was that Azure DevOps would allow us to authenticate with the app service using our federated AD identities, and I got excited by seeing the (as of 1/4/2019 undocumented) Azure App Service service hook type!
That is not the case, as this service is only for deploying my web app to the app service. So I have to use the generic Web Hook, which apparently only accepts basic auth...
Using the answers from this SO question, I can get a working web app published that uses basic authentication using third-party middleware (which all scream at me to not use them and to implement a real authentication solution). But I do not know how to do that and have it integrate with Azure DevOps.
Neither the (Azure DevOps specific) documentation on how to create a PR server with Node.js, nor the one on using Azure Functions, mentions anything about authentication (or SSL for that matter), and I am at a loss as to how to proceed next to ensure our web app is secure.
My question is, how have you created a secure web app that is able to integrate with TFS/Azure DevOps service hooks?