Find PAT scope using azure DevOps rest api - azure-devops

I am working on a script where I need to find whether a PAT has full scope or not.
I found the following information in the Microsoft Docs:
GET https://vssps.dev.azure.com/{organization}/_apis/tokenadmin/personalaccesstokens/{subjectDescriptor}?api-version=6.0-preview.1
Using this API I can find all the PATs and their names, scope and more details for a particular user.
I do not want to pass the PAT name in the script and then find out the scope for it.
I want to use the PAT token and return the scope for the given PAT token.
Is there any API available to achieve this?

I do not want to pass the PAT name in the script and then find out the scope for it.
I want to use the PAT token and return the scope for the given PAT token.
I am afraid there is no way to return the PAT scope via the PAT token instead of the PAT name at this moment.
Just look at the return of the REST API Personal Access Tokens - List:
{
    "clientId": "00000000-0000-0000-0000-000000000000",
    "accessId": "439729fa-be4e-49b2-8530-263cf053d786",
    "authorizationId": "a451306e-621d-4a6c-8c54-9096493a40f9",
    "hostAuthorizationId": "00000000-0000-0000-0000-000000000000",
    "userId": "c1b9603c-da3a-410e-9e59-074dcee61dcc",
    "validFrom": "2021-01-07T00:00:00",
    "validTo": "2021-02-06T00:00:00",
    "displayName": "TestPATA1",
    "scope": "app_token",
    "targetAccounts": [
        "c519b80d-5d71-46b3-a8e0-3edf8c026ea2"
    ],
    "token": null,
    "alternateToken": null,
    "isValid": true,
    "isPublic": false,
    "publicData": null,
    "source": null,
    "claims": null
},
The response body does not contain the value of the PAT token, therefore, we could associate the value of the PAT token with each PAT.
On the other hand, when we create the PAT, we will receive the message:
Warning - Make sure you copy the above token now. We don't store it and you will not be able to see it again.
For security reasons, Azure DevOps does not save the PAT value we created. Therefore, there will not be any attributes such as saving or recording the PAT value in Azure DevOps, so we could not use the PAT token as a judgment condition.
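Since the List call is the only way to see scopes, an audit script works from its response rather than from a token value. The following is an added example, not code from the question or from Microsoft: it calls the endpoint quoted above and flags PATs that are full-scoped and currently usable. It assumes the list is wrapped in a "value" array and that "app_token" (the scope in the sample response) is the value reported for full-access PATs.

```python
import base64
import json
import urllib.request
from datetime import datetime

# Assumption: "app_token" (the scope in the sample response above) is the
# value Azure DevOps reports for a full-access PAT.
FULL_SCOPE = "app_token"

def fetch_pats(organization, subject_descriptor, admin_pat):
    """Call the Personal Access Tokens - List endpoint quoted in the question.

    admin_pat authenticates the caller (Basic auth, empty user name); the
    response is assumed to wrap the token list in a "value" array.
    """
    url = ("https://vssps.dev.azure.com/%s/_apis/tokenadmin/"
           "personalaccesstokens/%s?api-version=6.0-preview.1"
           % (organization, subject_descriptor))
    auth = base64.b64encode((":" + admin_pat).encode()).decode()
    req = urllib.request.Request(url, headers={"Authorization": "Basic " + auth})
    with urllib.request.urlopen(req) as resp:
        return json.load(resp)["value"]

def audit_pats(pats, now_iso):
    """Return display names of PATs that are full-scoped and usable at now_iso.

    Usable: the service marks the token valid and now_iso lies inside its
    validFrom..validTo window (ISO timestamps, as in the response).
    """
    now = datetime.fromisoformat(now_iso)
    findings = []
    for pat in pats:
        if pat.get("scope") != FULL_SCOPE or not pat.get("isValid"):
            continue
        valid_from = datetime.fromisoformat(pat["validFrom"])
        valid_to = datetime.fromisoformat(pat["validTo"])
        if valid_from <= now <= valid_to:
            findings.append(pat["displayName"])
    return findings

# Constructed sample modelled on the response body quoted in the answer.
SAMPLE_PATS = [
    {"displayName": "TestPATA1", "scope": "app_token", "isValid": True,
     "validFrom": "2021-01-07T00:00:00", "validTo": "2021-02-06T00:00:00"},
    {"displayName": "build-only", "scope": "vso.build", "isValid": True,
     "validFrom": "2021-01-07T00:00:00", "validTo": "2021-02-06T00:00:00"},
    {"displayName": "expired-full", "scope": "app_token", "isValid": True,
     "validFrom": "2020-01-01T00:00:00", "validTo": "2020-02-01T00:00:00"},
]
```

Running `audit_pats(fetch_pats(org, descriptor, pat), "2021-01-15T00:00:00")` against a live organization produces the same kind of list as the constructed sample does offline.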

How to know the structure (body) of rest api azure POST request?

I am new to the Azure REST API and I don't know how to get the correct body template of a policy.
For example I used:
GET https://dev.azure.com/organization/project/_apis/policy/types?api-version=7.0
and the response is the types of policies which I can use, but how do I know the construction of the request body? Like this one:
{
    "isEnabled": true,
    "isBlocking": false,
    "type": {
        "id": "fa4e907d-c16b-4a4c-9dfa-4906e5d171dd"
    },
    "settings": {
        "minimumApproverCount": 4,
        "creatorVoteCounts": false,
        "scope": [
            {
                "repositoryId": "a957e751-90e5-4857-949d-518cf5763394",
                "refName": "refs/heads/master",
                "matchKind": "exact"
            }
        ]
    }
}
Where should I find those request body templates? :(
Resources: https://learn.microsoft.com/en-us/rest/api/azure/devops/policy/configurations/create?view=azure-devops-rest-5.1&tabs=HTTP
Usually, when you can list or get the repo policy correctly, you can use the configuration part of the returned result as the request body when creating the policy with the POST method.
REST API to list the branch policies:
GET https://dev.azure.com/{organization}/{project}/_apis/policy/configurations?api-version=5.1
with optional parameters:
GET https://dev.azure.com/{organization}/{project}/_apis/policy/configurations?scope={scope}&policyType={policyType}&api-version=5.1
You can check the templates below for different configurations in the Policy template examples.
Examples
Approval count policy
Build policy
Example policy
Git case enforcement policy
Git maximum blob size policy
Merge strategy policy
Work item policy
If you still don't know how to compose the request body, you could also share your scenario.
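The answer's advice (list a configuration, reuse it as the create body) needs the server-generated fields stripped before the POST. This added example is not from the question or from Microsoft; it lists configurations with the 5.1 call above and turns one entry into a request body, optionally retargeting it to another branch. The set of read-only fields and the "value" wrapper are assumptions about the response shape.

```python
import base64
import json
import urllib.request

# Fields the service generates on a policy configuration (assumed from the
# Policy Configurations response shape); they must not be sent back on create.
READ_ONLY_FIELDS = {"id", "url", "revision", "createdBy", "createdDate",
                    "isDeleted", "isEnterpriseManaged", "_links"}

def list_configurations(organization, project, pat, policy_type=None):
    """GET the configurations listed in the answer (api-version 5.1)."""
    url = ("https://dev.azure.com/%s/%s/_apis/policy/configurations"
           "?api-version=5.1" % (organization, project))
    if policy_type:
        url += "&policyType=" + policy_type
    auth = base64.b64encode((":" + pat).encode()).decode()
    req = urllib.request.Request(url, headers={"Authorization": "Basic " + auth})
    with urllib.request.urlopen(req) as resp:
        return json.load(resp)["value"]

def to_create_body(configuration, ref_name=None):
    """Turn a listed configuration into a body for POST .../policy/configurations.

    Keeps isEnabled, isBlocking, type and settings; drops server-generated
    fields; optionally retargets the repository scope to another branch.
    The input is not modified.
    """
    body = {k: v for k, v in configuration.items() if k not in READ_ONLY_FIELDS}
    body["type"] = {"id": configuration["type"]["id"]}  # only the id is needed
    settings = dict(body.get("settings", {}))
    if ref_name is not None:
        settings["scope"] = [dict(s, refName=ref_name) for s in settings.get("scope", [])]
    body["settings"] = settings
    return body

# Constructed sample shaped like one entry of the list response, using the
# policy type id and settings from the question's example body.
SAMPLE_CONFIGURATION = {
    "id": 7, "revision": 3, "isDeleted": False, "createdDate": "2023-01-01T00:00:00Z",
    "url": "https://dev.azure.com/org/proj/_apis/policy/configurations/7",
    "isEnabled": True, "isBlocking": False,
    "type": {"id": "fa4e907d-c16b-4a4c-9dfa-4906e5d171dd",
             "displayName": "Minimum number of reviewers"},
    "settings": {"minimumApproverCount": 4, "creatorVoteCounts": False,
                 "scope": [{"repositoryId": "a957e751-90e5-4857-949d-518cf5763394",
                            "refName": "refs/heads/master", "matchKind": "exact"}]},
}
```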
I finally made it. It was very hard and I don't understand why Microsoft has such bad documentation... I had to make it by sending random requests and looking at the elements to see what the names are... so bad, so much time spent...

Keycloak - Get client scope by name

I'm using the Keycloak Admin Rest API and would like to create a new client scope and get its id.
To create the client scope I use this endpoint:
http://localhost:8080/admin/realms/master/client-scopes
Body
{
    "attributes": {
        "display.on.consent.screen": "true",
        "include.in.token.scope": "true"
    },
    "name": "example",
    "protocol": "openid-connect"
}
This endpoint doesn't return a result but I need the ID.
To get the ID I could get all client scopes and find the scope with the matching name however I would have thought there would be a simpler way.
E.g. GET http://localhost:8080/admin/realms/master/client-scopes then filter through the results to find a matching name.
Is it possible to get a client scope by name?
Is it possible to get a client scope by name?
Unfortunately not, which is a pity because the 'name' is unique. If you look at the Keycloak REST Admin API you can see the following GETs for the client-scopes:
GET /{realm}/client-scopes
and
GET /{realm}/client-scopes/{id}
And neither of those endpoints accepts 'name' as a parameter.
Notwithstanding, as @csbrogi and @Jan Garaj have pointed out in the comment section, since you:
(..) create a new client scope and get its id.
You can retrieve the ID of the client-scope that was just created from the Location header:
In Keycloak, POST methods usually return 201 or 200 OK without a body, as experienced. Thus, you cannot get the ID directly from the response. What you can do is assign an ID while creating the scope, as in the body below, and you will simply have it.
{
    "id": "da5a68f1-058c-481a-bf84-deb95b1f21aa",
    "attributes": {
        "display.on.consent.screen": "true",
        "include.in.token.scope": "true"
    },
    "name": "example",
    "protocol": "openid-connect"
}
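Both answers (read the Location header, or pre-assign the id) can be combined in one client. This added example is not code from the question, the answers or Keycloak: it builds the create body from the question with a client-generated uuid4, extracts an id from a Location header as a fallback, and does the client-side name lookup the API lacks. The base URL and realm are the ones in the question; the Location header format is an assumption.

```python
import json
import urllib.request
import uuid

BASE = "http://localhost:8080"  # as in the question
REALM = "master"

def client_scope_body(name, scope_id=None):
    """Build the create body from the question, pre-assigning an id
    (second answer); a fresh uuid4 is generated when none is given."""
    return {
        "id": scope_id or str(uuid.uuid4()),
        "attributes": {"display.on.consent.screen": "true",
                       "include.in.token.scope": "true"},
        "name": name,
        "protocol": "openid-connect",
    }

def id_from_location(location):
    """Extract the id from a Location header assumed to look like
    http://host/admin/realms/master/client-scopes/<id> (first answer)."""
    if not location:
        return None
    return location.rstrip("/").rsplit("/", 1)[-1]

def find_scope_by_name(scopes, name):
    """Client-side replacement for the missing get-by-name endpoint.

    scopes is the array returned by GET .../client-scopes; names are unique,
    so more than one match indicates a bad list and is rejected.
    """
    matches = [s for s in scopes if s.get("name") == name]
    if len(matches) > 1:
        raise ValueError("client scope name is not unique: %r" % name)
    return matches[0]["id"] if matches else None

def create_client_scope(admin_token, name):
    """POST the scope and return its id from the Location header or the body."""
    body = client_scope_body(name)
    req = urllib.request.Request(
        "%s/admin/realms/%s/client-scopes" % (BASE, REALM),
        data=json.dumps(body).encode(), method="POST",
        headers={"Authorization": "Bearer " + admin_token,
                 "Content-Type": "application/json"})
    with urllib.request.urlopen(req) as resp:
        return id_from_location(resp.headers.get("Location")) or body["id"]
```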

Is "scope" a standard claim?

Is there any standard scope claim in OpenID Connect, JWT or OAuth?
In the IdentityServer 4 documentation, there is a "scope" which is a space-separated string.
{
    "client_id": "mobile_app",
    "sub": "123",
    "scope": "read write delete"
}
But from my IdentityServer 4 instance, I get a "scope" claim in the access token which is an array of strings.
{
    // ...
    "client_id": "mobile_app",
    "sub": "123",
    "scope": [ "openid", "profile", "email", "offline_access" ],
    "amr": [ "pwd" ]
}
In the OpenID Connect Core 1.0 specification, I do not see "scope" listed as a claim.
In the RFC 7519 JSON Web Token (JWT) specification, I do not see "scope" listed as a claim.
The scope claim was standardized by the Token Exchange RFC. According to the spec it should be a JSON string with space-separated scope tokens.
The value of the "scope" claim is a JSON string containing a space-separated list of scopes associated with the token...
Most providers support the AT+JWT token type, and in it is specified that it should include a scope claim:
JSON Web Token (JWT) Profile for OAuth 2.0 Access Tokens
It says:
If an authorization request includes a scope parameter, the
corresponding issued JWT access token MUST include a scope claim as
defined in section 4.2 of [TokenExchange].
All the individual scopes strings in the scope claim MUST have meaning
for the resource indicated in the aud claim.
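A resource server that meets both shapes from the question (the string form the RFC mandates and the array form IdentityServer 4 emitted) has to normalize the claim and, per the profile quoted above, tie scopes to the audience. This added example, not code from the question or either specification, does that and fails closed on any other claim type; the payloads are constructed from the question's two samples, with an "aud" value added as an assumption.

```python
def normalize_scope(claim):
    """Return the scope claim as a list of scope tokens.

    RFC 8693 section 4.2 (quoted above) defines "scope" as one
    space-separated string; some issuers, such as the IdentityServer
    instance in the question, emit a JSON array instead. Accept both and
    reject anything else, so a malformed claim fails closed.
    """
    if isinstance(claim, str):
        return [s for s in claim.split(" ") if s]
    if isinstance(claim, list) and all(isinstance(s, str) for s in claim):
        return list(claim)
    raise ValueError("scope claim must be a string or an array of strings")

def token_permits(claims, resource, required):
    """Decide whether decoded claims authorize `required` scopes at `resource`.

    The audience check comes first: per the JWT access-token profile quoted
    above, scopes only have meaning for the resource named in "aud".
    Signature and expiry verification are assumed to have happened already.
    """
    aud = claims.get("aud")
    audiences = [aud] if isinstance(aud, str) else (aud or [])
    if resource not in audiences:
        return False
    granted = set(normalize_scope(claims.get("scope", "")))
    return set(required) <= granted

# Constructed payloads mirroring the two shapes shown in the question;
# the "aud" values are assumed.
SPACE_SEPARATED = {"client_id": "mobile_app", "sub": "123",
                   "aud": "api", "scope": "read write delete"}
ARRAY_FORM = {"client_id": "mobile_app", "sub": "123", "aud": ["api"],
              "scope": ["openid", "profile", "email", "offline_access"]}
```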

Azure DevOps - Unable to Create Var Group using Azure DevOps API and Auth Token

Requirements: We would like to create a Variable Group (along with some variables) in a given Project.
Option 1: We are able to create a new Variable Group successfully when we create a request via Postman using a PAT token which has FULL access.
Option 2: Our end goal is to invoke the ADO REST API in the Web App, which uses OAuth. When the end user logs in and makes a call (please see the input details below) we get a '401 Un Authorized - The user is not authorized to access this resource.' error. The Web App's application has the Variable Groups manage scope as shown below.
Troubleshooting: As part of troubleshooting, for Option 1 which uses a PAT (with full access) in Postman, we have updated the permissions of the PAT to just have Create, Read and Manage Var Groups as shown below.
Now even Option 1 is not working after changing the PAT to have Custom Defined access.
Are we missing something?
Postman Details:
URL: https://dev.azure.com/myorgname/_apis/distributedtask/variablegroups?api-version=6.0-preview.2
Verb: Post
Headers: Authorization: Basic
Body:
{
    "name": "This is ignored",
    "description": "This is ignored",
    "type": "Vsts",
    "variables": {
        "BuildConfiguration": {
            "value": "Release"
        }
    },
    "variableGroupProjectReferences": [
        {
            "name": "VarGroup",
            "description": "The variable group to store the information about the variables using in the Pipeline",
            "projectReference": {
                "id": "#ProjectId#",
                "name": "#ProjectName#"
            }
        }
    ]
}
I can also reproduce your issue with option 1: not only with Read, create, & manage for Variable Groups, but even if I select all the scopes via Custom defined, it still does not work.
According to this doc - https://learn.microsoft.com/en-us/azure/devops/organizations/accounts/manage-pats-with-policies-for-administrators?view=azure-devops#restrict-creation-of-full-scoped-pats
Some of our public APIs are currently unassociated with a PAT scope, and can therefore only be used with “full-scoped” PATs. Because of this, restricting the creation of full-scoped PATs might block some workflows. We're working to identify and document the affected APIs and eventually associate them with the appropriate scope. For now, these workflows can be unblocked by using the allow list.
I believe this should be the reason for this issue, there may be some additional permissions to create variable groups. For option 2, there may be a similar cause.
So in this case you may need to use the Full access PAT temporarily, as mentioned in the doc: "We're working to identify and document the affected APIs and eventually associate them with the appropriate scope."

How to add Keycloak realm role to group via REST API

I want to assign the realm role "TEST_ROLE_123" to a group. I am using
PUT /admin/realms/ataccamaone/groups/{group-id}
{
    "realmRoles": ["TEST_ROLE_123"]
}
I got the group-id from /admin/realms/ataccamaone/groups/
However, I get the response 204 No Content and in the Keycloak console I do not see the assignment.
I tried to reproduce your problem and found that PUT /admin/realms/ataccamaone/groups/{group-id} can only edit the group name.
Inspecting the "Network" tab of the browser, I see it uses another URL to map roles to groups. The steps to do this via the Admin REST API are:
Obtain a PAT as described in the https://www.keycloak.org/docs/latest/authorization_services/index.html#_service_protection_whatis_obtain_pat section.
The following steps use this PAT as a Bearer token (in the "Authorization" header). I guess you've already got this.
Call GET http://localhost:8080/auth/admin/realms/realm1/roles to get the list of roles, including their name and id values.
Call GET http://localhost:8080/auth/admin/realms/realm1/groups to get the list of groups, including their ids.
Call POST http://localhost:8080/auth/admin/realms/realm1/groups/{group-id}/role-mappings/realm with the following body:
[
    {
        "id": "9083cac3-4280-497d-b973-7713a5fb12b4", // role-id
        "name": "secretary" // role-name
    }
]
Call DELETE with the same URL and body as step 4 to remove roles from the group.
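The four steps above, carried out as one script. This is an added example, not code from the answer or from Keycloak: it looks the role up by exact name in the roles list, finds the group id (searching nested "subGroups", an assumed field of the groups response), and POSTs the mapping body shown in step 4. Base URL and realm are the ones used in the answer.

```python
import json
import urllib.request

BASE = "http://localhost:8080/auth"  # as in the answer
REALM = "realm1"

def _call(method, path, token, body=None):
    """Send one Admin REST API request with the Bearer token from step 1."""
    data = json.dumps(body).encode() if body is not None else None
    req = urllib.request.Request(BASE + path, data=data, method=method,
                                 headers={"Authorization": "Bearer " + token,
                                          "Content-Type": "application/json"})
    with urllib.request.urlopen(req) as resp:
        raw = resp.read()
        return json.loads(raw) if raw else None

def role_mapping(roles, role_name):
    """Pick the {id, name} pair the role-mappings endpoint expects (step 4)
    from the GET .../roles output (step 2); exact name match, else LookupError."""
    for role in roles:
        if role.get("name") == role_name:
            return {"id": role["id"], "name": role["name"]}
    raise LookupError("realm role not found: %r" % role_name)

def find_group_id(groups, group_name):
    """Find a group id by name in the GET .../groups output (step 3).

    Subgroups are assumed to be nested under "subGroups" and are searched too.
    """
    for group in groups:
        if group.get("name") == group_name:
            return group["id"]
        found = find_group_id(group.get("subGroups", []), group_name)
        if found:
            return found
    return None

def assign_realm_role(token, group_name, role_name):
    """Steps 2-4 of the answer: look up role and group, then POST the mapping."""
    roles = _call("GET", "/admin/realms/%s/roles" % REALM, token)
    groups = _call("GET", "/admin/realms/%s/groups" % REALM, token)
    group_id = find_group_id(groups, group_name)
    if group_id is None:
        raise LookupError("group not found: %r" % group_name)
    _call("POST", "/admin/realms/%s/groups/%s/role-mappings/realm" % (REALM, group_id),
          token, [role_mapping(roles, role_name)])
    return group_id
```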
I've faced the same issue and corrected it by using a GROUP. Basically I've added the preferred ROLE into the User Group's ROLE LIST and used that specific user group while creating the user via the REST API.
E.g.: ADMIN_USER_GROUP -> INCLUDED ('ADMIN_ROLE')
Then the User creation API request should be like below:
{
    "firstName": "Sergey",
    "lastName": "Kargopolov",
    "email": "test4@test.com",
    "enabled": "true",
    "credentials": [
        {
            "value": "123"
        }
    ],
    "groups": [
        "ADMIN_USER_GROUP"
    ]
}