By following these steps, you can implement a scalable OAuth authentication process for your Python app to access Azure DevOps repositories in your client's accounts.
Nov 14, 12:09pm
I can't really redirect the user: it's an API. The user has no direct interface to the Python code
Nov 14, 12:11pm
If your Python app is an API and you can't redirect the user for interactive authentication, you can use the OAuth 2.0 Client Credentials Flow. This flow is suitable for server-to-server interactions where there is no user interaction. Here are the steps:
Register Your App in Azure AD:
Go to the Azure portal.
Navigate to "Azure Active Directory" > "App registrations" > "New registration".
Fill in the required details and register the app.
Configure API Permissions:
In the registered app, go to "API permissions".
Add permissions for Azure DevOps (e.g., user_impersonation).
Ensure you grant admin consent for the permissions.
Obtain Client ID and Secret:
In the registered app, note down the "Application (client) ID" and generate a new client secret.
Request an Access Token Using Client Credentials:
Use the requests library to obtain an access token:
By following these steps, you can authenticate your Python API to access Azure DevOps repositories using the OAuth 2.0 Client Credentials Flow, which is suitable for server-to-server interactions without user interaction.
Nov 14, 12:11pm
I feel like something is missing. How does the target Azure DevOps account (ie, the ones from my clients) will authorize my Python app to access the repo blobs ?
Nov 14, 12:12pm
To authorize your Python app to access the repositories in your clients' Azure DevOps accounts using the OAuth 2.0 Client Credentials Flow, you need to ensure that the app is granted the necessary permissions by the administrators of those Azure DevOps organizations. Here are the detailed steps to achieve this:
Register Your App in Azure AD:
Go to the Azure portal.
Navigate to "Azure Active Directory" > "App registrations" > "New registration".
Fill in the required details and register the app.
Configure API Permissions:
In the registered app, go to "API permissions".
Add permissions for Azure DevOps (e.g., user_impersonation).
Ensure you grant admin consent for the permissions.
Obtain Client ID and Secret:
In the registered app, note down the "Application (client) ID" and generate a new client secret.
Request Access from Client's Azure DevOps Admin:
The administrator of the client's Azure DevOps organization needs to grant your app the necessary permissions.
The admin can do this by navigating to the Azure DevOps organization settings and adding your app as a service connection or by granting permissions through the Azure AD portal.
Request an Access Token Using Client Credentials:
Use the requests library to obtain an access token:
The admin needs to navigate to the Azure DevOps organization settings.
Go to "Service connections" and add a new service connection for your app.
Alternatively, the admin can grant permissions through the Azure AD portal by navigating to "Enterprise applications" and finding your app. They can then grant the necessary permissions.
Ensure Proper Scopes and Roles:
The admin should ensure that your app has the appropriate scopes and roles to access the repositories and blobs.
By following these steps, you can ensure that your Python app is authorized to access the repositories in your clients' Azure DevOps accounts using the OAuth 2.0 Client Credentials Flow. The key is to have the client's Azure DevOps admin grant the necessary permissions to your app.
Nov 14, 12:12pm
Let's call "Service Connection" the Alternative 1
Let's call "Azure AD portal > Enterprise applications" the Alternative 2
Give me details about Alternative 1 ? What type of service connection?
Nov 14, 12:17pm
Certainly! Here are the detailed steps for setting up a service connection in Azure DevOps (Alternative 1) to authorize your Python app to access the repositories in your clients' Azure DevOps accounts:
Steps for Setting Up a Service Connection in Azure DevOps:
Navigate to Azure DevOps:
Go to the Azure DevOps portal (https://dev.azure.com/).
Sign in with the credentials of the client's Azure DevOps organization.
Access Project Settings:
Select the project where you want to set up the service connection.
Click on the gear icon (⚙) in the lower-left corner to open the project settings.
Go to Service Connections:
In the project settings, navigate to "Pipelines" > "Service connections".
Create a New Service Connection:
Click on the "New service connection" button.
Select "Azure Resource Manager" as the type of service connection. This type is suitable for accessing Azure resources, including Azure DevOps.
Configure the Service Connection:
Service Connection Name: Give a meaningful name to the service connection.
Scope Level: Choose the appropriate scope level (e.g., Project or Organization).
Authentication Method: Select "Service Principal (automatic)" or "Service Principal (manual)".
Service Principal (automatic): Azure DevOps will automatically create a service principal in Azure AD.
Service Principal (manual): You need to provide the service principal details manually.
Provide Service Principal Details (if manual):
Subscription: Select the Azure subscription.
Service Principal Client ID: Enter the client ID of your registered app in Azure AD.
Service Principal Key: Enter the client secret of your registered app.
Tenant ID: Enter the tenant ID of the client's Azure AD.
Grant Permissions:
Ensure that the service connection has the necessary permissions to access the repositories and blobs.
You may need to grant additional permissions through the Azure AD portal if required.
Save the Service Connection:
Click on "Save" to create the service connection.
Using the Service Connection in Your Python App:
Once the service connection is set up, you can use it in your Python app to authenticate and access the Azure DevOps APIs. Here's how you can obtain an access token using the service connection:
Obtain the Service Connection Details:
You can retrieve the service connection details programmatically using the Azure DevOps REST API or manually from the Azure DevOps portal.
Request an Access Token:
Use the service connection details to request an access token. Here's an example using the requests library:
By following these steps, you can set up a service connection in Azure DevOps to authorize your Python app to access the repositories in your clients' Azure DevOps accounts. This method ensures that the necessary permissions are granted and managed within the Azure DevOps portal.
Nov 14, 12:17pm
Before step 5, I'm prompted to give an Authentication Method between these choices:
Workload Identity federation (automatic) Workload Identity federation (manual) Service principal (automatic) Service principal (manual) Managed identity Publish Profile
Nov 14, 12:19pm
Given the choices for the authentication method, you should select "Service principal (automatic)" or "Service principal (manual)" for setting up the service connection in Azure DevOps. Here are the detailed steps for each option:
Option 1: Service Principal (Automatic)
Select "Service Principal (automatic)":
This option allows Azure DevOps to automatically create and manage a service principal in Azure AD.
Configure the Service Connection:
Service Connection Name: Give a meaningful name to the service connection.
Scope Level: Choose the appropriate scope level (e.g., Project or Organization).
Subscription: Select the Azure subscription associated with the client's Azure DevOps organization.
Grant Permissions:
Azure DevOps will automatically create a service principal and grant it the necessary permissions.
You may need to provide additional permissions through the Azure AD portal if required.
Save the Service Connection:
Click on "Save" to create the service connection.
Option 2: Service Principal (Manual)
Select "Service Principal (manual)":
This option requires you to provide the service principal details manually.
Configure the Service Connection:
Service Connection Name: Give a meaningful name to the service connection.
Scope Level: Choose the appropriate scope level (e.g., Project or Organization).
Subscription: Select the Azure subscription associated with the client's Azure DevOps organization.
Service Principal Client ID: Enter the client ID of your registered app in Azure AD.
Service Principal Key: Enter the client secret of your registered app.
Tenant ID: Enter the tenant ID of the client's Azure AD.
Grant Permissions:
Ensure that the service principal has the necessary permissions to access the repositories and blobs.
You may need to grant additional permissions through the Azure AD portal if required.
Save the Service Connection:
Click on "Save" to create the service connection.
Using the Service Connection in Your Python App:
Once the service connection is set up, you can use it in your Python app to authenticate and access the Azure DevOps APIs. Here's how you can obtain an access token using the service connection:
Obtain the Service Connection Details:
You can retrieve the service connection details programmatically using the Azure DevOps REST API or manually from the Azure DevOps portal.
Request an Access Token:
Use the service connection details to request an access token. Here's an example using the requests library:
By following these steps, you can set up a service connection in Azure DevOps to authorize your Python app to access the repositories in your clients' Azure DevOps accounts. This method ensures that the necessary permissions are granted and managed within the Azure DevOps portal.
Nov 14, 12:19pm
Now give me details about Alternative 2
Nov 14, 12:20pm
Certainly! Here are the detailed steps for setting up permissions using the Azure AD portal through Enterprise Applications (Alternative 2):
Steps for Setting Up Permissions via Azure AD Portal:
Register Your App in Azure AD:
Go to the Azure portal (https://portal.azure.com/).
Navigate to "Azure Active Directory" > "App registrations" > "New registration".
Fill in the required details and register the app.
Configure API Permissions:
In the registered app, go to "API permissions".
Click on "Add a permission".
Select "APIs my organization uses".
Search for "Azure DevOps" and select it.
Add the necessary permissions (e.g., user_impersonation).
Click on "Add permissions".
Grant Admin Consent:
After adding the permissions, click on "Grant admin consent for {tenant}" (you need to be an admin to do this).
Confirm the consent request.
Obtain Client ID and Secret:
In the registered app, note down the "Application (client) ID".
Go to "Certificates & secrets" and create a new client secret. Note down the client secret value.
Steps for Client's Azure DevOps Admin:
Navigate to Azure AD Portal:
Go to the Azure portal (https://portal.azure.com/).
Sign in with the credentials of the client's Azure AD tenant.
Access Enterprise Applications:
Navigate to "Azure Active Directory" > "Enterprise applications".
Find and Select Your App:
Search for your app using the name or application ID.
Select your app from the list.
Grant API Permissions:
Go to "API permissions".
Ensure that the necessary permissions (e.g., user_impersonation for Azure DevOps) are listed.
If not, add the required permissions and grant admin consent.
Assign Users or Groups (if needed):
Go to "Users and groups".
Assign the app to the appropriate users or groups within the client's organization.
Using the Access Token in Your Python App:
Once the permissions are granted, you can use the client credentials flow to obtain an access token and access Azure DevOps APIs.
Request an Access Token Using Client Credentials:
Use the requests library to obtain an access token:
By following these steps, you can set up the necessary permissions for your app using the Azure AD portal through Enterprise Applications. This method ensures that the client's Azure DevOps admin grants the required permissions, allowing your Python app to access the repositories in their Azure DevOps accounts.
Nov 14, 12:20pm
Azure Active Directory doesn't exist. Is it Microsoft Entra ID now ?
Nov 14, 12:24pm
Yes, you are correct. Microsoft has rebranded Azure Active Directory (Azure AD) to Microsoft Entra ID. The steps and functionalities remain largely the same, but the branding and some UI elements may have changed.
Here are the updated steps for setting up permissions using the Microsoft Entra ID portal through Enterprise Applications:
Steps for Setting Up Permissions via Microsoft Entra ID Portal:
Register Your App in Microsoft Entra ID:
Go to the Microsoft Entra admin center (https://entra.microsoft.com/).
Navigate to "App registrations" > "New registration".
Fill in the required details and register the app.
Configure API Permissions:
In the registered app, go to "API permissions".
Click on "Add a permission".
Select "APIs my organization uses".
Search for "Azure DevOps" and select it.
Add the necessary permissions (e.g., user_impersonation).
Click on "Add permissions".
Grant Admin Consent:
After adding the permissions, click on "Grant admin consent for {tenant}" (you need to be an admin to do this).
Confirm the consent request.
Obtain Client ID and Secret:
In the registered app, note down the "Application (client) ID".
Go to "Certificates & secrets" and create a new client secret. Note down the client secret value.
Steps for Client's Azure DevOps Admin:
Navigate to Microsoft Entra ID Portal:
Go to the Microsoft Entra admin center (https://entra.microsoft.com/).
Sign in with the credentials of the client's Microsoft Entra ID tenant.
Access Enterprise Applications:
Navigate to "Enterprise applications".
Find and Select Your App:
Search for your app using the name or application ID.
Select your app from the list.
Grant API Permissions:
Go to "API permissions".
Ensure that the necessary permissions (e.g., user_impersonation for Azure DevOps) are listed.
If not, add the required permissions and grant admin consent.
Assign Users or Groups (if needed):
Go to "Users and groups".
Assign the app to the appropriate users or groups within the client's organization.
Using the Access Token in Your Python App:
Once the permissions are granted, you can use the client credentials flow to obtain an access token and access Azure DevOps APIs.
Request an Access Token Using Client Credentials:
Use the requests library to obtain an access token:
By following these steps, you can set up the necessary permissions for your app using the Microsoft Entra ID portal through Enterprise Applications. This method ensures that the client's Azure DevOps admin grants the required permissions, allowing your Python app to access the repositories in their Azure DevOps accounts.
Nov 14, 12:24pm
Is "user_impersonation" the right permission knowing that there is no signed-in user in my backend app ?
Nov 14, 12:33pm
You are correct that user_impersonation is typically used for delegated permissions where a signed-in user is involved. For a backend application that runs without user interaction, you should use application permissions instead of delegated permissions.
For Azure DevOps, the appropriate application permission is usually vso.code_full or similar, depending on the specific actions your app needs to perform.
Here are the updated steps to configure application permissions:
Steps for Setting Up Application Permissions via Microsoft Entra ID Portal:
Register Your App in Microsoft Entra ID:
Go to the Microsoft Entra admin center (https://entra.microsoft.com/).
Navigate to "App registrations" > "New registration".
Fill in the required details and register the app.
Configure API Permissions:
In the registered app, go to "API permissions".
Click on "Add a permission".
Select "APIs my organization uses".
Search for "Azure DevOps" and select it.
Add the necessary application permissions (e.g., vso.code_full for full access to code).
Click on "Add permissions".
Grant Admin Consent:
After adding the permissions, click on "Grant admin consent for {tenant}" (you need to be an admin to do this).
Confirm the consent request.
Obtain Client ID and Secret:
In the registered app, note down the "Application (client) ID".
Go to "Certificates & secrets" and create a new client secret. Note down the client secret value.
Steps for Client's Azure DevOps Admin:
Navigate to Microsoft Entra ID Portal:
Go to the Microsoft Entra admin center (https://entra.microsoft.com/).
Sign in with the credentials of the client's Microsoft Entra ID tenant.
Access Enterprise Applications:
Navigate to "Enterprise applications".
Find and Select Your App:
Search for your app using the name or application ID.
Select your app from the list.
Grant API Permissions:
Go to "API permissions".
Ensure that the necessary application permissions (e.g., vso.code_full for Azure DevOps) are listed.
If not, add the required permissions and grant admin consent.
Assign Users or Groups (if needed):
Go to "Users and groups".
Assign the app to the appropriate users or groups within the client's organization.
Using the Access Token in Your Python App:
Once the application permissions are granted, you can use the client credentials flow to obtain an access token and access Azure DevOps APIs.
Request an Access Token Using Client Credentials:
Use the requests library to obtain an access token:
By following these steps, you can set up the necessary application permissions for your app using the Microsoft Entra ID portal through Enterprise Applications. This method ensures that the client's Azure DevOps admin grants the required permissions, allowing your Python app to access the repositories in their Azure DevOps accounts without user interaction.
Nov 14, 12:33pm
Is this Ok for my app ?
API / Permissions name | Type | Description |Admin consent required vso.code | Delegated | Code (read) | No
Nov 14, 12:51pm
The vso.code permission with the type "Delegated" is intended for scenarios where a user is involved and the app acts on behalf of the user. Since your app is a backend service that runs without user interaction, you should use application permissions instead of delegated permissions.
For your use case, you should look for application permissions that provide the necessary access to Azure DevOps resources. Here are the steps to configure the appropriate application permissions:
Steps for Setting Up Application Permissions via Microsoft Entra ID Portal:
Register Your App in Microsoft Entra ID:
Go to the Microsoft Entra admin center (https://entra.microsoft.com/).
Navigate to "App registrations" > "New registration".
Fill in the required details and register the app.
Configure API Permissions:
In the registered app, go to "API permissions".
Click on "Add a permission".
Select "APIs my organization uses".
Search for "Azure DevOps" and select it.
Add the necessary application permissions. For accessing code, you might need permissions like vso.code_full or similar.
Click on "Add permissions".
Grant Admin Consent:
After adding the permissions, click on "Grant admin consent for {tenant}" (you need to be an admin to do this).
Confirm the consent request.
Obtain Client ID and Secret:
In the registered app, note down the "Application (client) ID".
Go to "Certificates & secrets" and create a new client secret. Note down the client secret value.
Steps for Client's Azure DevOps Admin:
Navigate to Microsoft Entra ID Portal:
Go to the Microsoft Entra admin center (https://entra.microsoft.com/).
Sign in with the credentials of the client's Microsoft Entra ID tenant.
Access Enterprise Applications:
Navigate to "Enterprise applications".
Find and Select Your App:
Search for your app using the name or application ID.
Select your app from the list.
Grant API Permissions:
Go to "API permissions".
Ensure that the necessary application permissions (e.g., vso.code_full for Azure DevOps) are listed.
If not, add the required permissions and grant admin consent.
Assign Users or Groups (if needed):
Go to "Users and groups".
Assign the app to the appropriate users or groups within the client's organization.
Using the Access Token in Your Python App:
Once the application permissions are granted, you can use the client credentials flow to obtain an access token and access Azure DevOps APIs.
Request an Access Token Using Client Credentials:
Use the requests library to obtain an access token:
By following these steps, you can set up the necessary application permissions for your app using the Microsoft Entra ID portal through Enterprise Applications. This method ensures that the client's Azure DevOps admin grants the required permissions, allowing your Python app to access the repositories in their Azure DevOps accounts without user interaction.
Nov 14, 12:51pm
There are 2 buttons when adding permissions:
1/Delegated permissions Your application needs to access the API as the signed-in user.
2/Application permissions Your application runs as a background service or daemon without a signed-in user.
However, the 2 is disabled: I can't select it. Why ?
Nov 14, 12:52pm
The "Application permissions" button being disabled typically indicates that the API you are trying to add permissions for does not support application permissions. This can happen for several reasons, such as the API not being configured to allow application permissions or the specific permissions you are trying to add being restricted to delegated permissions only.
For Azure DevOps, certain permissions may only be available as delegated permissions, which require a signed-in user. However, for backend services that need to run without user interaction, you need application permissions.
Here are some steps to troubleshoot and resolve this issue:
Steps to Enable Application Permissions:
Check API Documentation:
Verify the Azure DevOps API documentation to ensure that the specific permissions you need are available as application permissions. Some APIs may only support delegated permissions.
Contact Azure Support:
If the documentation indicates that application permissions should be available but the option is still disabled, you may need to contact Azure support for assistance.
Use a Different API or Permission:
If the specific permission you need is not available as an application permission, consider using a different API or permission that supports application permissions and meets your requirements.
Alternative Approach: Using Service Principal with Delegated Permissions:
If application permissions are not available, you can use a service principal with delegated permissions as a workaround. This approach involves creating a service principal that acts on behalf of a user with the necessary permissions.
Create a Service Principal:
Go to the Microsoft Entra admin center (https://entra.microsoft.com/).
Navigate to "App registrations" > "New registration".
Fill in the required details and register the app.
Note down the "Application (client) ID" and create a new client secret.
Assign Delegated Permissions:
In the registered app, go to "API permissions".
Click on "Add a permission".
Select "APIs my organization uses".
Search for "Azure DevOps" and select it.
Add the necessary delegated permissions (e.g., vso.code).
Click on "Add permissions".
Grant Admin Consent:
After adding the permissions, click on "Grant admin consent for {tenant}" (you need to be an admin to do this).
Confirm the consent request.
Use the Service Principal to Obtain an Access Token:
Use the requests library to obtain an access token using the service principal:
If the "Application permissions" button is disabled, it indicates that the specific API or permission does not support application permissions. In such cases, you can use a service principal with delegated permissions as a workaround. Ensure that the service principal has the necessary permissions granted by an admin. If application permissions are crucial for your use case, consider contacting Azure support for further assistance.