I am trying to get workitems from azure devops by using rest api and iam getting this 500Internal Server Error
I tried to reproduce the same in my environment and got the results successfully like below:
To access Azure DevOps work items, you can try generating the PAT token:
In Azure DevOps -> Go to User Settings -> Click on Personal access token -> New Token
Copy the PAT Token and in the Postman, Click on Authorization Tab like below:
Leave the Username as Empty and for password paste the PAT Token
I am able to access the Work item successfully:
GET
https://dev.azure.com/rukadmin/testruk/_workitems/edit/333/
If you want to get all the Work items in your project, you can make use of below query:
POST https://dev.azure.com/Organization/Project/_apis/wit/wiql?api-version=5.1
{
"query": "Select [System.Id], [System.Title], [System.State] From WorkItems Where [System.WorkItemType] = 'Task'"
}
If you are making use of Azure AD issued Token, then try the below:
I created an Azure AD Application and consented API permissions:
I generated the token by using below parameters:
GET
https://login.microsoftonline.com/TenantID/oauth2/v2.0/token
client_id:client_id
grant_type:authorization_code
code:code
redirect_uri:redirect_uri
code_verifier:S256
scope:499b84ac-1321-427f-aa17-267ca6975798/user_impersonation
client_secret:client_secret
I am able to access the Azure DevOps Work Item successfully like below:
Related
System.AccessToken is can be used as a means of authenticating requests to the Azure DevOps REST APIs from within a pipeline
https://learn.microsoft.com/fr-fr/azure/devops/pipelines/build/variables?view=azure-devops&tabs=yaml
In the header of this Access Token, the kid attribute is missing.
{
"typ": "JWT",
"alg": "RS256",
"x5t": "oOvcz5M_7p-HjIKlFXz93u_V0Zo"
}
Is there anyway to have in the Azure DevOps Access Token the kid field ?
To get kid field in Azure DevOps access token, you can generate OAuth token using Azure AD to call DevOps REST API.
I tried to reproduce the same in my environment via Postman and got below results:
I registered one Azure AD application and added Azure DevOps permissions like below:
Make sure to grant admin consent to the permissions like below:
Now, I generated access token using client credentials flow via Postman with below parameters:
POST https://login.microsoftonline.com/<tenantID>/oauth2/v2.0/token
client_id: <appID>
grant_type:client_credentials
scope: https://app.vssps.visualstudio.com/.default
client_secret: <secret>
Response:
When I decoded the above access token in jwt.ms, I got kid field successfully like below:
I have a small problem. I'm trying to get the tanant id. I tried to use code below but can only get project id.
import * as SDK from "azure-devops-extension-sdk";
import { CommonServiceIds, IProjectPageService } from "azure-devops-extension-api";
const projectService = await SDK.getService<IProjectPageService>(CommonServiceIds.ProjectPageService);
const project = await projectService.getProject();
Any ideas ?
You can find tenant ID in Domain property of below DevOps API call response regarding Identities:
GET https://vssps.dev.azure.com/{organization}/_apis/identities?searchFilter=General&filterValue=<Azure AD username>&queryMembership=None&api-version=7.0
I tried to reproduce the same in my environment via Postman and got below results
To create new Personal access token (PAT), you can find below steps in your DevOps portal:
I generated one PAT token with full access for my DevOps organization like below:
When I ran below query including PAT token in Postman, I got tenant ID in response successfully like below:
GET vssps.dev.azure.com/{organization}/_apis/identities?searchFilter=General&filterValue=<Azure AD user UPN>&queryMembership=None&api-version=7.0
Response:
To confirm that, I checked the same in Azure DevOps portal and got same tenant ID like this:
Reference: IdentitySelf interface | Microsoft
I want to add a validation step in an Azure Devops pipeline in which I wanna check the identity of the user who created the pull request. I wanna check the list of subscriptions to which this user is attached , is there an API to get this information ?
I tried to reproduce the same in my environment and got the results successfully like below:
I created an Azure AD Application and consented API permissions:
I generated code parameter using the below endpoint:
GET
https://login.microsoftonline.com/TenantID/oauth2/v2.0/authorize?
&client_id=ClientID
&response_type=code
&redirect_uri=redirect_uri
&response_mode=query
&scope=https://management.azure.com/user_impersonation
&state=12345
A sign-in screen will appear like below. After signing in the code value will be generated:
To generate the token, I used parameters like below:
https://login.microsoftonline.com/TenantID/oauth2/v2.0/token
grant_type:authorization_code
client_id:Client_ID
client_secret:Client_Secret
scope:https://management.azure.com/user_impersonation
redirect_uri:redirect_uri
code:code
To get the list of subscriptions the user belongs to, try the below query:
GET https://management.azure.com/subscriptions?api-version=2020-01-01
I register a new app to my Azure tenant and then use the Subscription REST API below to get my subscription id. But, it returns an empty value.
Is this a bug of the REST API, or the app is missing some required configurations?
https://learn.microsoft.com/en-us/rest/api/resources/subscriptions/list?tabs=HTTP
I tried to reproduce the same in my environment and got below results:
I registered one Azure AD application and granted API permission like below:
I generated the access token via Postman using below parameters:
POST https://login.microsoftonline.com/<tenantID>/oauth2/v2.0/token
grant_type:client_credentials
client_id:<appID>
client_secret:<secret>
scope: https://management.azure.com/.default
Response:
When I used the above token to get subscriptions, I got same response as you like below:
GET https://management.azure.com/subscriptions?api-version=2020-01-01
Authorization: Bearer <token>
Response:
To get the desired results, make sure to assign required role like Reader to the service principal under your subscription like below:
Go to Azure Portal -> Subscriptions -> Your Subscription -> Access control (IAM) -> Add role assignment
Now I generated token again and got the subscription details like ID successfully with below API call:
GET https://management.azure.com/subscriptions?api-version=2020-01-01
Authorization: Bearer <token>
Response:
If you want to list all subscriptions, then assign Reader role to your service principal under management group level instead of specific subscription.
I want create APIM subscriptions through rest api, And was able to do it successfully by following this Microsoft doc, https://learn.microsoft.com/en-us/rest/api/apimanagement/current-ga/subscription.
And for Authentication I am generating a bearer token using ROPC grant type(My UserName & Password). Everything works fine with this flow.
But i dont want to configure my username & password in a application to get a bearer token, instead i followed Client-Credentials grant type(get token by client id & secret), i am able to generate token, but when i use that token to create subscription in APIM, i am getting a exception
The client '0--e' with object id '0--e' does not have authorization to perform action 'Microsoft.ApiManagement/service/subscriptions/write'
Is it possible to add a AAD application inside APIM AccessControl(IAM) to grant permission.
Or is this any other way to do this? or ROPC is the only way?
Can someone please help.
Yes, you can grant permission to AAD application (service principal) in APIM Access Control (IAM) by assigning it API Management Service Contributor role.
I tried to reproduce the same in my environment and got the below results:
I have generated one access token using Client-Credentials grant type like below:
When I used the above token to create APIM subscription with below query, I got the same error:
PUT https://management.azure.com/subscriptions/subid/resourceGroups/rg1/providers/Microsoft.ApiManagement/service/apimService1/subscriptions/testsub?api-version=2021-12-01
{
"properties": {
"ownerId": "/subscriptions/subid/resourceGroups/rgname/providers/Microsoft.ApiManagement/service/servicename/users/xxxxxxxxxxx",
"scope": "/subscriptions/subid/resourceGroups/rgname/providers/Microsoft.ApiManagement/service/servicename/products/xxxxxxxxxxx",
"displayName": "testsub"
}
}
Response:
To resolve the error, you need to grant API Management Service Contributor role for that application like below:
Go to Azure Portal -> APIM Services -> Your APIM -> Access control (IAM) -> Add role assignment
After granting the above role, I generated the access token again and ran the same query as below:
PUT https://management.azure.com/subscriptions/subid/resourceGroups/rg1/providers/Microsoft.ApiManagement/service/apimService1/subscriptions/testsub?api-version=2021-12-01
Response:
When I checked the Portal, APIM subscription got created successfully like below:
Reference:
How to use Role-Based Access Control in Azure API Management | Microsoft Docs