0

I am able to list existing PATs when I use the GET verb.

I get a 200 OK response when I create a PAT using the POST verb.

The payload shows:

{"patToken":null,"patTokenError":"userIdRequired"}

This error is listed in the documentation but does not explain how to resolve it.

var clientBearer = new RestClient(@"https://login.microsoftonline.com");
var requestBearer = new RestRequest($"{tenantID}/oauth2/v2.0/token");

requestBearer.AddHeader("Content-Type", "application/x-www-form-urlencoded");
requestBearer.AddParameter("client_id", appRegistration.appId);
requestBearer.AddParameter("client_secret", appRegistrationSecret);
requestBearer.AddParameter("scope", "499b84ac-1321-427f-aa17-267ca6975798/.default");
requestBearer.AddParameter("username", username);
requestBearer.AddParameter("password", password);
requestBearer.AddParameter("grant_type", "password");
            
var responseBearer = clientBearer.ExecutePostAsync(requestBearer).Result;
var azureBearerToken = JsonConvert.DeserializeObject<AzureBearerToken>(responseBearer.Content);
var devopsBearerToken = azureBearerToken.token_type + " " + azureBearerToken.access_token;

Password Authentication was selected as the only viable non-interactive authentication method. This user is replacing a ServicePrincipal/ManagedIdentity because Microsoft does not support those models for Devops REST API and not all Devops REST API functionality is available in the Azure CLI.

https://learn.microsoft.com/en-us/azure/devops/integrate/get-started/authentication/authentication-guidance?view=azure-devops&viewFallbackFrom=azure-devops%2F%2F

I now have a valid bearer Token

var devopsClient = new RestClient(@"https://vssps.dev.azure.com");
var patRequest = new RestRequest($"{devopsOrganization}/_apis/tokens/pats?api-version=7.1-preview.1");
patRequest.AddHeader("Authorization", devopsBearerToken);
patRequest.AddHeader("Content-Type", "application/json");
var patListResponse = devopsClient.ExecuteGetAsync(patRequest).Result;

This response looks great and I know that the bearer token is working. As this is a newly created AD user created through the Azure CLI I am expecting an empty array of PAT which I do receive in the response.

So far, So good

//create a token
var body = new
{
    displayName = "targetName",
    scope = "app_token",
    validTo = validTo,
    allOrgs = true
};
patRequest.AddJsonBody(body);
var patCreateResponse = devopsClient.ExecutePostAsync(patRequest).Result;

This final response is the problem and it contains the

patTokenError : userIdRequired

Shane
  • 129
  • 1
  • 8

1 Answers1

1

From the error UserIdRequired, it seems UserId is not provided from the access token or the user is not allowed .See access-azure-devops-rest-api-with-oauth.

If that is the issue Verify that Third-party application access via OAuth hasn't been disabled by your organization's admin at https://dev.azure.com/{your-org-name}/_settings/organizationPolicy.

As another work around try to keep UserId in the Post request body while creating PAT something like this SO ref

I dint check it myself,but please check , in the azure AD registration, if proper scopes are provided for the application and to access REST API and granted consent.User gets access token for user ,but due to lack of proper permissions to access Azure devops may lead to user not being able to access devops through rest api.

  • Please note that it doesn’t support to create a PAT token with a service account in Azure DevOps Service.

According to Token Lifecycle Management REST API for Azure DevOps Services - Azure DevOps Services REST API | Microsoft Docs

The scope for the token should be 499b84ac-1321-427f-aa17-267ca6975798/.default which provides access to Azure DevOps Services REST API . Once you have the token, use it as a Bearer token in Authorization header of your request.

It looks like you have provided scope correctly , also make sure it is granted admin consent. Also make sure to provide profile User.Read scopes in azure ad , to check logged in users profile as this API is only available to users that are part of an Azure AD tenant with an active Azure subscription.

Also for safe side in other cases of PatToken in error, it is recommended to revoke the PAT.

Referred from Use personal access tokens

NOTE: enter image description here

References:

  1. Authorize access to REST APIs with OAuth 2
kavyaS
  • 8,026
  • 1
  • 7
  • 19
  • Thank you for the effort but this did not resolve the issue. All of the required API permissions were set and granted admin consent. Additionally when you receive the access token it lists only one scope even when you add others. I also tried the workaround of adding AuthorizationID to the post body and that did not help either. I think I may have found a way to accomplish my goals without a PAT so I will keep going in that direction. – Shane May 31 '22 at 06:01