Given an Azure Devops Personal Access Token having access to only 1 Organization, is it possible to fetch which Organization it has access to using the API? Like an introspection endpoint?
Notes:
there is an endpoint listing accounts of a specific user but this requires a PAT with access to all organization (although it is not documented) which is too permissive for my usecase
there is the endpoint listing tokens of the account but it requires a specific tokenAdministration scope which too permissive for my usecase
Based on my knowledge there is currently no direct way to know which organization a PAT has access to.
There are two workarounds you can refer to:
Using this REST API Pats - List to list all PATs in one organization. You need to use OAuth authentication. Then check if your current PAT is in it.
As Vince Bowdren said, use your PAT to try to access the organization, like call some REST APIs, then you know which organization the PAT belongs to. But this is not necessarily successful, because it is related to the scope of your PAT. For example, your PAT belongs to an organization, but the scope of your PAT does not meet the requirements of the API you use.
Related
I'm attempting to use a GitHub Personal Access Token to create a repository webhook on a private GitHub repository my user has access to.
Since this PAT is being used by an automated script, I want its scope to be as limited as possible. As such, I created a PAT with only the admin:repo_hook scope. It seems this scope is too limited, however, as a POST to https://api.github.com/repos/ORGANIZATION/REPO/hooks is returning a 404.
(I've confirmed the repository name and organization name match. The 404 may indicate that the token does not have sufficient permissions to see the repo, as described here)
The API supports Basic Authentication as defined in RFC2617 with a few slight differences. The main difference is that the RFC requires unauthenticated requests to be answered with 401 Unauthorized responses. In many places, this would disclose the existence of user data. Instead, the GitHub API responds with 404 Not Found.
What scopes do I need to add to my Personal Access Token to successfully create a repository webhook?
I figured it out. One additional requirement I overlooked in this case: the user in question wasn't actually an Admin on the repository, meaning even a PAT with full permissions would be unable to create a webhook.
Upgrading the user to Admin on the relevant repository was sufficient to solve this problem.
Occasionally we encounter an Azure DevOps pipeline or piece of code using a token nobody knows where it came from. This should not happen, of course, but by times reality differs from an ideal world.
If I only have an Azure DevOps "Personal Access Token", how can I find out which user it belongs to?
Unfortunately, I am afraid you can't find out which user a PAT belongs to.
The PAT(personal access token) will not be exposed anywhere after you create it, it will just be stored in the database on Microsoft side.
Also, you could not get the related information via the personal access token itself, at most you can use the REST API - Pats - Get to get the PAT related information(e.g. displayname, targetAccounts, etc) via the authorizationId, but if you just have the token itself, you could not fetch the authorizationId firstly.
curl -u :{PAT} https://dev.azure.com/{organization}/_apis/connectionData | jq
I'm using a custom policy in Azure ADB2C to authenticate and authorize users to my API backend. This works fine.
Now I want to add an additional "aud" entry to the Azure ADB2C jwt token such that I can use the same token for a different service which expects this aud entry to be present.
Right now Azure ADB2C fills in the "aud" field with the ApplicationID for which it was created.
Is there a way to add a static entry to the "aud" field in Azure ADB2C?
Based on your description, I think you are expecting to use the same token to access multiple services (please correct me if my understanding is wrong). Unfortunately, you cannot do this.
A token can only correspond to one scope. The access token is issued according to the api audience you want to access, and it is unique! A token can only have one audience, and you cannot use multiple scopes to request access tokens. If you need to access other services, you should obtain a token for each service separately.
Update:
You can put multiple apis of the same type in the scope because they are still of the same type in essence. But it is not acceptable to request the same access token for two different types of APIs.
test1:
test2:
I wonder how I can revoke a PAT token in Azure DevOps which I know only the actual token value of.
The GUI lets me remove my own tokens as long as I know their name, and via API it seems to be possible to remove tokens if their identifier is known only (https://learn.microsoft.com/en-us/rest/api/azure/devops/tokenadmin/revocations/revoke%20authorizations?view=azure-devops-rest-5.1).
If only the token value is known, I would neither know the user it belongs to, nor its id.
I wonder how I can revoke a PAT token in Azure DevOps which I know only the actual token value of.
Azure DevOps doesn't support revoking PAT simply by its value.
With a value alone, Azure Devops has no way to determine which PAT the value belongs to. The name-and-value pairs can only be seen when creating PATs.
In Azure Devops, we can revoke PAT via web portal or REST API. And if you want to revoke a PAT by REST API, you need to know its "authorizationId".
If you have questions about how to get "authorizationId". Click this question for detailed information.
Note that when you use REST API to revoke PAT, you need to use OAuth2 authentication. Click this document for detailed information and methods.
I have a corporate account with OneDrive users. I need to be able to access certain files within those users OneDrive accounts within my organization. For migration and backup purposes.
We do something similar for our Google drive and Box.com accounts where we use JWT authentication to provide a Simulate-User header which makes it so we can access all our users files within our organization if needed. As if we were administrators on a shared drive or something.
Is there a Rest API example of OneDrive JWT service account or something equivalent?
What you need is the client credentials grant flow. This will allow you to obtain an app-only token and make service calls without a user identity. You can read more about it here:
https://developer.microsoft.com/en-us/graph/docs/concepts/auth_v2_service
The scopes you will need to request are Files.Read.All, and the consent will need to be granted by the tenant admin. You can read more about the permissions required for your scenario here (application permissions is what you are looking for):
https://developer.microsoft.com/en-us/graph/docs/concepts/permissions_reference#files-permissions
Here is a link to a sample Microsoft Graph project which uses app only tokens(we recommend using Microsoft Graph):
https://github.com/microsoftgraph/nodejs-apponlytoken-rest-sample
Or if you are planning on calling directly into the OneDrive API(not recommended), then you can use the following sample:
https://github.com/rgregg/onedrive-app-delegate-sample