We are building an extension on azure devops board to capture time and on submit we need to sent the details to our endpoint for business use case. After the successful install of the azure devops plugin to company, we need to direct the users to our domain for reading the consent and authorize it. When the app is installed, we are getting the post request with the installed details. But since its a post request, i can't redirect the users to browser for authorization with our end point.. so, i am looking for adding a button on the install success page(attached the screenshot of it), so that user can click and authorize it after install, but i couldn't find any option for that. Can some one guide me on this? Thanks in advance.
Related
Currently trying to install a github app on an organization account, and after pressing install, authorize and request button, I'm correctly redirected to my callback url but github doesn't return any information about the fact that it was installed on an organization account and that the request is pending acceptance from an admin user. Is there a way to play around this issue using octokit or github API
I have a Github App that I've created for use in a multi-tenancy website. I'm leveraging the state parameter and the installation ID to link the app installation to the user when the App is installed. However, I've noticed if the user doing the installation of the App isn't an admin on their organization, then it allows them to put the installation into a requested state. The redirect then returns the state parameter but no organization information or installation ID. Even worse, when the admin gets around to approving the request, it does a redirect back to my site with the installation ID but doesn't include the original state.
So my dilemma is I can't do a multi-tenant link on the request side or the approval side, I can only successfully link back if the user is an Admin during the installation step.
Has anyone found a way around this? I've attempted to also load a dropdown on my site with all the organizations in the enterprise that a user is a member of, that way I could add a requested object with the organization name in my database and listen for the webhook when the installation is completed, but that list will only populate organizations where the App has been installed, defeating the purpose.
I'm in the process of building a website integrated around a GitHub App of mine.
This website has its own users (from Google oAuth), who can connect their account to their GitHub account by installing my GitHub application.
There's something in the GitHub App install process I cannot wrap my head around:
After a user installs my App on GitHub:
their browser is redirected to a URL ("Post install Setup URL"), with the install ID in the URL.
GitHub calls my webhook to declare the install
The install ID is a sensible info, as if a malicious user of my website (the attacker) can trick my website into associating their account with the GitHub Install ID of somebody else (the victim), my website would operate on the GitHub API of the victim on behalf of the attacker (which is bad!).
Now, my goal is to securely bind this install ID to the user of my website. By secure, I mean that it is impossible for my website to grant an attacker permissions on a victim GitHub install of my app.
Using the GitHub install ID provided in the "Post install Setup URL" to bind this install to an account of my website is insecure, as I have no way to validate that this install ID "belongs" to the user of my website, as the URL can be forged by an attacker knowing a valid install ID of a victim.
Imperfect mitigations:
assert that the install ID is not bound to any other user account of my website
bad as it could be circumvented if for some reason the legit user was never redirected to my website using the "Post install Setup URL" to bind this GitHub install ID to his account
bad as in any case, this would be vulnerable to a "race" (or timing?) attack on the confirmation (if the attacker manages to confirm the valid install ID before the victim)
use in conjunction of a GitHub API Event event received on a webhook
the webhook is triggered by the Github backend, and thus can't identify of the logged-in website user, which does not help us to bind github install ID to the proper website user.
Am I missing something, or is this a flaw of the App authorization model ?
Found the answer:
I needed to activate "Request user authorization (OAuth) during installation". This way, GitHub answers with a secure token that I can use to validate the installation instead of just the installation ID.
Documentation: https://docs.github.com/en/free-pro-team#latest/developers/apps/identifying-and-authorizing-users-for-github-apps#web-application-flow
Does anybody know if it is possible to prevent a user of Azure DevOps from being able to see code on the web interface and force to checkout locally in order to see it. I am looking this feature in Team Foundation Server 2015 as well.
Does anybody know if it is possible to prevent a user of Azure DevOps from being able to see code on the web interface and force to checkout locally in order to see it.
To achieve this, we could set the access level of that specify user as stakeholder.
In this case, that user do not have permissions to see code on the web interface:
To checkout it locally, we could provide a PAT, which have permission access the repo to the user, so that that user could use git command line to checkout it:
git clone <repo>(https://<PAT>#dev.azure.com/<OrganizationName>/MyTestProject/_git/TestSample) <directory>
Besides, this method should also work for Team Foundation Server 2015.
Update:
is it posible to just restrict view of code on the web for a user with
a visual studio subscription, the porblem is that an stakeholder might
be very limited...
The answer is yes. Go to the Project Settings-> Repositories-> Add a specify user and set the Read permission as Deny:
Then we could not acess the code on the web UI:
I'm developing an azure function in VS Code. I have the Azure Functions extension installed.
I have created the function and its running locally just fine.
But when I sign in to azure using the extension it does not see any of my Azure subscriptions. Therefore I can't select a subscription and deploy the function.
Has anyone else encountered this and found a workaround?
I had the same problem and I was able to sign in by clearing the azure tenant id in the azure extension settings for VS Code
You can try to the following ways to troubleshoot.
1.Go to azure portal and login your account to check if the account has active subscription listed.
2.In VS code, try to sign out and sign in again.
3.Use the below script with azure cli to login your account
az login --debug
4.If you have set MFA for your account, re-open the browser and re-login to the portal, which triggered the wizard for me to configure all needed for MFA authentication. After that, az login works again.
Move your mouse to there, you will see a filter icon.
Click it, then you will find all subscriptions.