Azure DevOps REST API: creating a Personal Access Token (PAT) - patTokenError: userIdRequired
I am able to list existing PATs when I use the GET verb.
I get a 200 OK response when I create a PAT using the POST verb.
The payload shows:
{"patToken":null,"patTokenError":"userIdRequired"}
This error is listed in the documentation but does not explain how to resolve it.
var clientBearer = new RestClient(@"https://login.microsoftonline.com");
var requestBearer = new RestRequest($"{tenantID}/oauth2/v2.0/token");
requestBearer.AddHeader("Content-Type", "application/x-www-form-urlencoded");
requestBearer.AddParameter("client_id", appRegistration.appId);
requestBearer.AddParameter("client_secret", appRegistrationSecret);
requestBearer.AddParameter("scope", "499b84ac-1321-427f-aa17-267ca6975798/.default");
requestBearer.AddParameter("username", username);
requestBearer.AddParameter("password", password);
requestBearer.AddParameter("grant_type", "password");
var responseBearer = clientBearer.ExecutePostAsync(requestBearer).Result;
var azureBearerToken = JsonConvert.DeserializeObject<AzureBearerToken>(responseBearer.Content);
var devopsBearerToken = azureBearerToken.token_type + " " + azureBearerToken.access_token;
Password authentication was selected as the only viable non-interactive authentication method. This user is replacing a ServicePrincipal/ManagedIdentity because Microsoft does not support those models for the DevOps REST API and not all DevOps REST API functionality is available in the Azure CLI.
I now have a valid bearer token.
var devopsClient = new RestClient(@"https://vssps.dev.azure.com");
var patRequest = new RestRequest($"{devopsOrganization}/_apis/tokens/pats?api-version=7.1-preview.1");
patRequest.AddHeader("Authorization", devopsBearerToken);
patRequest.AddHeader("Content-Type", "application/json");
var patListResponse = devopsClient.ExecuteGetAsync(patRequest).Result;
This response looks great and I know that the bearer token is working. As this is a newly created AD user created through the Azure CLI, I am expecting an empty array of PATs, which I do receive in the response.
So far, so good.
// create a token
var body = new
{
    displayName = "targetName",
    scope = "app_token",
    validTo = validTo,
    allOrgs = true
};
patRequest.AddJsonBody(body);
var patCreateResponse = devopsClient.ExecutePostAsync(patRequest).Result;
This final response is the problem and it contains the patTokenError: userIdRequired
Comments (1)
From the error UserIdRequired, it seems UserId is not provided from the access token or the user is not allowed. See access-azure-devops-rest-api-with-oauth.
"APIs return only an error, such as TF400813: The user GUID is not authorized to access this resource."
I didn't check it myself, but please check, in the Azure AD registration, if proper scopes are provided for the application and to access REST API and granted consent. User gets access token for user, but due to lack of proper permissions to access Azure DevOps may lead to user not being able to access DevOps through REST API.
service account in Azure DevOps Service.
According to Token Lifecycle Management REST API for Azure DevOps Services - Azure DevOps Services REST API | Microsoft Docs
It looks like you have provided scope correctly; also make sure it is granted admin consent.
Also make sure to provide profile User.Read scopes in Azure AD, to check the logged-in user's profile, as this API is only available to users that are part of an Azure AD tenant with an active Azure subscription.
Also, to be on the safe side in other cases of PatToken in error, it is recommended to revoke the PAT.
Referred from Use personal access tokens
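Added example, not part of the original question or answer: a C# diagnostic that decodes the bearer token's payload to see whether it carries a user identity, and treats the body of the PAT create response, not the HTTP status, as the result. The class and method names are hypothetical, and the claim checks (aud, scp, oid) are assumptions about what a delegated Azure AD user token for this resource contains.

```csharp
using System;
using System.Collections.Generic;
using System.Text;
using System.Text.Json;

static class PatDiagnostics
{
    // Resource ID taken from the scope parameter in the question.
    const string DevOpsResource = "499b84ac-1321-427f-aa17-267ca6975798";
    // Decode the JWT payload for inspection only; the signature is not validated.
    public static JsonElement DecodePayload(string jwt)
    {
        var parts = jwt.Split('.');
        if (parts.Length != 3) throw new FormatException("not a three-part JWT");
        var b64 = parts[1].Replace('-', '+').Replace('_', '/');
        b64 = b64.PadRight(b64.Length + (4 - b64.Length % 4) % 4, '=');
        using var doc = JsonDocument.Parse(Encoding.UTF8.GetString(Convert.FromBase64String(b64)));
        return doc.RootElement.Clone();
    }
    // Assumed checks: aud names the DevOps resource; scp and oid indicate a delegated user token.
    public static List<string> CheckClaims(JsonElement p)
    {
        var findings = new List<string>();
        if (!p.TryGetProperty("aud", out var aud) || aud.ValueKind != JsonValueKind.String
            || aud.GetString() != DevOpsResource)
            findings.Add("aud is not the Azure DevOps resource");
        if (!p.TryGetProperty("scp", out _)) findings.Add("no scp claim (no delegated scopes)");
        if (!p.TryGetProperty("oid", out _)) findings.Add("no oid claim (no directory object ID)");
        return findings;
    }
    // The create call answered HTTP 200 with an error in the body, so the body decides success.
    public static void EnsureCreated(string responseJson)
    {
        using var doc = JsonDocument.Parse(responseJson);
        var root = doc.RootElement;
        if (root.TryGetProperty("patToken", out var t) && t.ValueKind == JsonValueKind.Object) return;
        var err = root.TryGetProperty("patTokenError", out var e) ? e.GetString() : "(missing)";
        throw new InvalidOperationException($"PAT not created, patTokenError={err}");
    }
    static void Main()
    {
        // Constructed sample token: header and signature are dummies; payload lacks scp and oid.
        var payload = Convert.ToBase64String(Encoding.UTF8.GetBytes(
            "{\"aud\":\"" + DevOpsResource + "\"}")).TrimEnd('=').Replace('+', '-').Replace('/', '_');
        foreach (var f in CheckClaims(DecodePayload("e30." + payload + ".sig"))) Console.WriteLine(f);
        try { EnsureCreated("{\"patToken\":null,\"patTokenError\":\"userIdRequired\"}"); }
        catch (InvalidOperationException ex) { Console.WriteLine(ex.Message); }
    }
}
```

Run it against a token obtained in a test tenant and keep the decoded claims out of shared logs, since the payload contains the user's identifiers.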