Actually I want to get the list of "Azure Pipeline" using JavaScript REST API. Please check below for the REST API url:
https://learn.microsoft.com/en-us/rest/api/azure/devops/pipelines/pipelines/list?view=azure-devops-rest-6.0
Now to get the response we need to pass the "access token". As of now I'm getting the access token using the "#azure/ms-rest-nodeauth" library, but as a response I'm not getting the proper response. Please check the below code.
const rp = require('request-promise');
module.exports = async function (context, req) {
let url = `https://dev.azure.com/{organization}/{project}/_apis/pipelines?api-version=6.0-preview.1`;
const header = {
Authorization: `Bearer ${token}` // I got the "token" using the "**#azure/ms-rest-nodeauth**" library
};
const result = await rp({
url: url,
json: true,
headers: header,
mode: 'cors',
cache: 'no-cache',
method: 'GET'
});
context.res = {
body: result
};
}
After using the above code I'm not getting the proper response, getting the response as HTML.
So can anyone please tell me that how do I get the proper access token for DevOps services REST APIs call or How do I get the list of Azure devpos pipeline using JavaScript or Node Js ???
There are several ways to get the token. Not sure how to get the access token via #azure/ms-rest-nodeauth
, to get the access token via AAD auth to call Azure DevOps REST API, make sure you are using a user-involved flow e.g. auth code flow, device code flow, etc, as the client credential flow(use service principal or MSI to auth) will not work with Azure DevOps REST API.
For example, you could use the device-code flow.
import * as msRestNodeAuth from "#azure/ms-rest-nodeauth";
msRestNodeAuth.interactiveLoginWithAuthResponse().then((authres) => {
console.dir(authres, { depth: null })
}).catch((err) => {
console.log(err);
});
You could also use auth code flow to get the token via ADAL for Node.js.
var AuthenticationContext = require('adal-node').AuthenticationContext;
var clientId = 'yourClientIdHere';
var clientSecret = 'yourAADIssuedClientSecretHere'
var authorityHostUrl = 'https://login.windows.net';
var tenant = 'myTenant';
var authorityUrl = authorityHostUrl + '/' + tenant;
var redirectUri = 'http://localhost:3000/getAToken';
var resource = '499b84ac-1321-427f-aa17-267ca6975798';
var templateAuthzUrl = 'https://login.windows.net/' +
tenant +
'/oauth2/authorize?response_type=code&client_id=' +
clientId +
'&redirect_uri=' +
redirectUri +
'&state=<state>&resource=' +
resource;
function createAuthorizationUrl(state) {
return templateAuthzUrl.replace('<state>', state);
}
// Clients get redirected here in order to create an OAuth authorize url and redirect them to AAD.
// There they will authenticate and give their consent to allow this app access to
// some resource they own.
app.get('/auth', function(req, res) {
crypto.randomBytes(48, function(ex, buf) {
var token = buf.toString('base64').replace(/\//g,'_').replace(/\+/g,'-');
res.cookie('authstate', token);
var authorizationUrl = createAuthorizationUrl(token);
res.redirect(authorizationUrl);
});
});
// After consent is granted AAD redirects here. The ADAL library is invoked via the
// AuthenticationContext and retrieves an access token that can be used to access the
// user owned resource.
app.get('/getAToken', function(req, res) {
if (req.cookies.authstate !== req.query.state) {
res.send('error: state does not match');
}
var authenticationContext = new AuthenticationContext(authorityUrl);
authenticationContext.acquireTokenWithAuthorizationCode(
req.query.code,
redirectUri,
resource,
clientId,
clientSecret,
function(err, response) {
var errorMessage = '';
if (err) {
errorMessage = 'error: ' + err.message + '\n';
}
errorMessage += 'response: ' + JSON.stringify(response);
res.send(errorMessage);
}
);
});
You could also use the MSAL for node.js auth code flow to get the token, it is an update for ADAL, remember to change the scope to devops "scopes": ["499b84ac-1321-427f-aa17-267ca6975798/.default"].
Related
I want to get Azure DevOps PAT list using REST API call. I'm using Azure Function App (JavaScript/NodeJS).
I want to get "PAT" list using the REST API. So I'm using the PAT List REST API, but I'm not able to get the list. I'm using the MSAL library for For Authentication. Using this MSAL library I'm able to get the authentication token although I'm unable to get "PAT List".
How we get "PAT List" ?
For more clarity I'm adding below our code. If I'm making any mistakes then anyone can rectify me.
const config = require('../config');
const rp = require('request-promise');
const msal = require('#azure/msal-node');
module.exports = async function (context, req) {
const clientId = 'config.DEFAULT_CLIENT_ID';
const clientSecret = 'config.DEFAULT_CLIENT_SECRET';
const tenantId = 'config.DEFAULT_TENANT_ID';
let authorityHostUrl = 'https://login.windows.net';
let authorityUrl = authorityHostUrl + '/' + tenantId;
const configuration = {
auth: {
clientId: clientId,
authority: authorityUrl,
clientSecret: clientSecret
}
};
// Create msal application object
const cca = new msal.ConfidentialClientApplication(configuration);
// With client credentials flows permissions need to be granted in the portal by a tenant administrator.
// The scope is always in the format "<resource>/.default"
const clientCredentialRequest = {
scopes: ["499b84ac-1321-427f-aa17-267ca6975798/.default"], // replace with your resource
};
const credentials = await cca.acquireTokenByClientCredential(clientCredentialRequest);
const tokenType = credentials.tokenType;
const token = credentials.accessToken;
const apiToken = `${tokenType} ${token}`; // 'Bearer <token>'
let url = `https://vssps.dev.azure.com/{organization}/_apis/tokens/pats?api-version=6.1-preview.1`;
const header = {
Authorization: `${apiToken}`
};
const result = await rp({
url: url,
json: true,
headers: header,
mode: 'cors',
cache: 'no-cache',
method: 'GET'
});
context.res = {
body: result
};
}
Output: After run the above code I'm getting the below result as HTML.
I'm not getting the proper response. Getting the above response as HTML view.
I want to get all Azure DevOps PAT list in my Azure function app. I am using Node.Js in Azure function app.
To get the Azure DevOps PAT list, I'm using this REST API.
So for Authentication I'm using MSAL library. So after getting the auth token, when I'm using it to call the Azure DevOps PAT list REST API then I'm not getting the PAT list. See below for my function app code.
'use strict';
const config = require('../config');
const rp = require('request-promise');
const msal = require('#azure/msal-node');
module.exports = async function (context, req) {
const clientId = 'config.DEFAULT_CLIENT_ID';
const clientSecret = 'config.DEFAULT_CLIENT_SECRET';
const tenantId = 'config.DEFAULT_TENANT_ID';
let authorityHostUrl = 'https://login.windows.net';
let authorityUrl = authorityHostUrl + '/' + tenantId;
const configuration = {
auth: {
clientId: clientId,
authority: authorityUrl,
clientSecret: clientSecret
}
};
// Create msal application object
const cca = new msal.ConfidentialClientApplication(configuration);
// With client credentials flows permissions need to be granted in the portal by a tenant administrator.
// The scope is always in the format "<resource>/.default"
const clientCredentialRequest = {
scopes: ["499b84ac-1321-427f-aa17-267ca6975798/.default"], // replace with your resource
};
const credentials = await cca.acquireTokenByClientCredential(clientCredentialRequest);
const tokenType = credentials.tokenType;
const token = credentials.accessToken;
const apiToken = `${tokenType} ${token}`; // 'Bearer <token>'
let url = `https://vssps.dev.azure.com/{organization}/_apis/tokens/pats?api-version=6.1-preview.1`;
const header = {
Authorization: `${apiToken}`
};
const result = await rp({
url: url,
json: true,
headers: header,
mode: 'cors',
cache: 'no-cache',
method: 'GET'
});
context.res = {
body: result
};
}
I am not getting the list of PAT but getting the below output:
Anonymous Sign out
Microsoft Internet Explorer's Enhanced Security Configuration is currently enabled on your environment. This enhanced level of security prevents our web integration experiences from displaying or performing correctly. To continue with your operation please disable this configuration or contact your administrator.
Why am I not getting the PAT list?
Please show the reference status of your request, from the description, it seems you are using PAT.
PAT is basic auth. But in your code you mentioned // 'Bearer <token>'
I am trying to setup a restricted firebase function that can be called from another client application that runs outside GCP. So far I failed to setup the client application authentication to get passed the restricted access on the firebase funciton.
Here is what I did and tried:
I created and deployed a simple helloWorld firebase function and verified that the function could be called from the client application with the default public access.
I removed allUsers from the helloWorld permissions on GCP and verified that the function could no longer be called from the client application (I get "403 Forbidden" in the response).
I created a new service account and added it as a member of "Cloud functions invoker" in the permissions panel of helloWorld on the GCP.
I created a new private json key file for this service account.
Then I followed the documentation to setup the client application authentication (see code below).
const fetch = require('node-fetch');
const jwt = require('jsonwebtoken');
async function main(){
// get unix timestamp in seconds
const current_time = Math.floor(Date.now() / 1000)
// get the service account key file
const service_account = require('./service_account.json');
// create the jwt body
const token_body = {
"iss": service_account.client_email,
"scope": "https://www.googleapis.com/auth/cloud-platform",
"aud": "https://oauth2.googleapis.com/token",
"exp": current_time + 3600,
"iat": current_time
}
// sign the token with the private key
const signed_token = jwt.sign(
token_body, service_account.private_key, { algorithm: 'RS256' }
)
// get an access token from the authentication server
const access_token = await fetch(
'https://oauth2.googleapis.com/token',
{
method: 'POST',
body: ''
+ 'grant_type=urn%3Aietf%3Aparams%3Aoauth%3Agrant-type%3Ajwt-bearer'
+ '&'
+ 'assertion=' + signed_token,
headers: { 'Content-Type': 'application/x-www-form-urlencoded' }
}
).then(res => res.json()).then(body => body.access_token)
// call the firebase function with the Authorization header
return fetch(
url_hello_world, { headers: { 'Authorization': 'Bearer ' + access_token } }
).then(res => res.text()).then(console.log)
}
main().catch(console.error)
Unfortunately when I run the previous code I get "401 Unauthorize" with the following header:
www-authenticate: Bearer error="invalid_token" error_description="The access token could not be verified"
After that I tried another approach with the following tutorial (see code below).
const fetch = require('node-fetch');
const util = require('util');
const exec = util.promisify(require("child_process").exec)
async function main(){
// activate a service account with a key file
await exec('gcloud auth activate-service-account --key-file=' + key_file)
// retrieve an access token for the activated service account
const {stdout, stderr} = await exec("gcloud auth print-identity-token")
// get the access token from stdout and remove the new line character at the
// end of the string
const access_token = stdout.slice(0,-1)
// call the firebase function with the Authorization header
const response = await fetch(
url_hello_world,
{ headers: { 'Authorization': 'Bearer ' + access_token } }
)
// print the response
console.log(await response.text())
}
main().catch(console.error)
When I run this code, I get the expected response "Hello World" so the previous code can call the firebase function with the service account permission.
However, the client application that I target cannot rely on the gcloud cli and I am stuck to the point where I tried to understand what does not work in the first version above and what I need to change to make it works.
As you're using a Service Account JSON file, the following code can be helpful.
package.json
{
"name": "sample-call",
"version": "0.0.1",
"dependencies": {
"googleapis": "^62.0.0",
"node-fetch": "^2.6.1"
}
}
index.js
var { google } = require('googleapis')
const fetch = require('node-fetch')
const fs = require('fs');
let privatekey = JSON.parse(fs.readFileSync('key.json'));
let url_hello_world = 'CLOUD_FUNCTION_URL';
let jwtClient = new google.auth.JWT(
privatekey.client_email,
null,
privatekey.private_key,
url_hello_world
)
async function main(){
jwtClient.authorize( async function(err, _token) {
if (err) {
console.log(err)
return err
} else {
const response = await fetch(
url_hello_world,
{
headers: { 'Authorization': 'Bearer ' + _token.id_token }
}
)
console.log(await response.text())
}
})
}
main().catch(console.error)
I have a problem with my access_token which I get with the serveracceskey. Here is my code in NodeJS:
const admin = require('firebase-admin');
var request = require("request");
const serviceAccount = require('./serverAccountKey.json');
const credential = admin.credential.cert(serviceAccount);
credential.getAccessToken().then((accessTokenInfo) => {
const accessToken = accessTokenInfo.access_token;
const expirationTime = accessTokenInfo.expires_in;
console.log("accessToken " + accessToken );
console.log("expirationTime " +expirationTime);
var s = "Bearer " + accessToken;
request({
headers:{
'Authorization': s
},
uri:"https://firebasedynamiclinks.googleapis.com/v1/SHORTLINK/linkStats?durationDays=7",
method: "GET",
}, function(error, response, body) {
console.log(body);
});
});
and the result is like below:
{
"error": {
"code": 403,
"message": "Request had insufficient authentication scopes.",
"status": "PERMISSION_DENIED"
}
}
What am I doing wrong ? I test the link in Postman too. Something is wrong, I read all the firebase Rest API Doc.
Admin SDK creates tokens with a specific set of scopes: https://github.com/firebase/firebase-admin-node/blob/master/src/auth/credential.ts#L272
Clearly, Dynamic Links API requires additional OAuth2 scopes in the token. You're better off using some OAuth2 library for this use case. If you were using Java or Python, Google Cloud provides libraries that handles this for you.
I solve the problem with a helpful GitHub user. If anyone get the same problem,press this link it will be helped. https://github.com/firebase/firebase-admin-node/issues/111
I'm new to Oauth and server-side stuff, so please be patient with me.
I have a web application that authenticates users with dropbox-js. Everything is pretty straightforward. The application uses dropbox-js' client.authenticate function, and if the user is authenticated, the application gets automatically redirected to the initial page, where it executes the authenticate callback. From that moment on, I know I'm happily authenticated with Dropbox, and I can do stuff with the app's Dropbox directory.
I got a public node.js server that currently does nothing. What I would like to do is:
As soon as the client is authenticated, call my server and tell it that the user is authenticated
If the user doesn't exist on the server database, create an entry for it him/her the user database (I don't need detailed instructions to do this). If it exists, send back the user's associated data.
How can I do that in a secure way? I mean, how can the server tell that the user is a valid Dropbox user? Should the server authenticate to Dropbox on its side with the user credentials? What is the workflow in these cases?
At the end of the authentication process, you have an access token, which is what's used to make calls to the API. If both the client and the server need to make calls to the API, then both will need to have the access token.
If you're doing the authentication client-side today, you could pull the access token out somehow (not sure if/how it's exposed from the library, but it's in there somewhere and also storaged in local storage) and pass it to the server. The server can then use it to call /account/info and get the Dropbox user ID of the authenticated user.
An alternative is to do it the other way around. Authenticate the user with the "code flow" (rather than "token flow") and get the access token on the server in the first place. Then you could pass it down to the client and pass it as an option in the Dropbox.Client constructor. I think that dropbox-js supports this itself, but it's also not hard to do yourself. Here's some raw Express code that logs in a user and displays his or her name:
var crypto = require('crypto'),
express = require('express'),
request = require('request'),
url = require('url');
var app = express();
app.use(express.cookieParser());
// insert your app key and secret here
var appkey = '<your app key>';
var appsecret = '<your app secret>';
function generateCSRFToken() {
return crypto.randomBytes(18).toString('base64')
.replace(/\//g, '-').replace(/\+/g, '_');
}
function generateRedirectURI(req) {
return url.format({
protocol: req.protocol,
host: req.headers.host,
pathname: app.path() + '/callback'
});
}
app.get('/', function (req, res) {
var csrfToken = generateCSRFToken();
res.cookie('csrf', csrfToken);
res.redirect(url.format({
protocol: 'https',
hostname: 'www.dropbox.com',
pathname: '1/oauth2/authorize',
query: {
client_id: appkey,
response_type: 'code',
state: csrfToken,
redirect_uri: generateRedirectURI(req)
}
}));
});
app.get('/callback', function (req, res) {
if (req.query.error) {
return res.send('ERROR ' + req.query.error + ': ' + req.query.error_description);
}
// check CSRF token
if (req.query.state !== req.cookies.csrf) {
return res.status(401).send(
'CSRF token mismatch, possible cross-site request forgery attempt.'
);
} else {
// exchange access code for bearer token
request.post('https://api.dropbox.com/1/oauth2/token', {
form: {
code: req.query.code,
grant_type: 'authorization_code',
redirect_uri: generateRedirectURI(req)
},
auth: {
user: appkey,
pass: appsecret
}
}, function (error, response, body) {
var data = JSON.parse(body);
if (data.error) {
return res.send('ERROR: ' + data.error);
}
// extract bearer token
var token = data.access_token;
// use the bearer token to make API calls
request.get('https://api.dropbox.com/1/account/info', {
headers: { Authorization: 'Bearer ' + token }
}, function (error, response, body) {
res.send('Logged in successfully as ' + JSON.parse(body).display_name + '.');
});
// write a file
// request.put('https://api-content.dropbox.com/1/files_put/auto/hello.txt', {
// body: 'Hello, World!',
// headers: { Authorization: 'Bearer ' + token }
// });
});
}
});
app.listen(8000);