Azure DevOps OAuth organization policies API - azure-devops

Is there a way to know via API what the organization policy is for 3rd party OAuth requests?
I want to know if I should ask my user to authenticate with his credentials or generate a PAT.

Is there a way to know via API what the organization policy is for 3rd party OAuth requests?
You can use this API, which I fetched from F12:
GET https://dev.azure.com/{YourOrgName}/_settings/organizationPolicy?__rt=fps&__ver=2
The response would contain the info about Application Connection Policies:
"ms.vss-admin-web.organization-policies-data-provider": {
  "policies": {
    "applicationConnection": [
      {
        "policy": {
          "name": "Policy.DisallowOAuthAuthentication",
          "value": false,
          "effectiveValue": true,
          "parentPolicy": {
            "name": "Policy.DisallowOAuthAuthentication",
            "value": false,
            "effectiveValue": true,
            "isValueUndefined": true
          }
        },
        "learnMoreLink": "https://aka.ms/vstspolicyoauth",
        "description": "Third-party application access via OAuth",
        "applicableServiceHost": 1
      },
      {
        "policy": {
          "name": "Policy.DisallowSecureShell",
          "value": false,
          "effectiveValue": true,
          "isValueUndefined": true,
          "parentPolicy": {
            "name": "Policy.DisallowSecureShell",
            "value": false,
            "effectiveValue": true,
            "isValueUndefined": true
          }
        },
        "learnMoreLink": "https://aka.ms/vstspolicyssh",
        "description": "SSH authentication",
        "applicableServiceHost": 1
      }
    ]...
The effectiveValue node (not the value node) under the corresponding policy node should represent whether you have enabled/disabled the policies above in your pic. E.g.: the effectiveValue node under the first policy node would be false if Third-party application access via OAuth is disabled.
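As an added example (not from the answer above), a Python helper that pulls the Application connection policies out of that response and turns them into an OAuth-vs-PAT decision before prompting the user. It assumes the provider key and policy names shown above; the outer nesting of the __rt=fps payload and the sample payload are constructed, and it reads Policy.DisallowOAuthAuthentication=true literally as "third-party OAuth is disallowed".

```python
# Key of the data provider that carries the policy list (taken from the answer above).
PROVIDER_KEY = "ms.vss-admin-web.organization-policies-data-provider"


def find_key(node, key):
    """Depth-first search for `key` anywhere in a nested JSON value. The __rt=fps
    response wraps the provider in other objects, so the outer nesting is not hard-coded."""
    if isinstance(node, dict) and key in node:
        return node[key]
    children = node.values() if isinstance(node, dict) else node if isinstance(node, list) else []
    for child in children:
        found = find_key(child, key)
        if found is not None:
            return found
    return None


def application_connection_policies(payload):
    """Map policy name -> (effectiveValue, isValueUndefined) for the
    'Application connection policies' section of the organization policy page."""
    provider = find_key(payload, PROVIDER_KEY)
    if provider is None:
        raise ValueError("organization policy data provider not found in response")
    result = {}
    for entry in provider["policies"]["applicationConnection"]:
        policy = entry["policy"]
        # isValueUndefined=true means the org never set the policy explicitly, so
        # effectiveValue is the inherited default rather than an admin's choice.
        result[policy["name"]] = (bool(policy["effectiveValue"]),
                                  bool(policy.get("isValueUndefined", False)))
    return result


def recommended_auth(payload):
    """Return 'oauth' when third-party OAuth is allowed, otherwise 'pat'.
    Assumption: Policy.DisallowOAuthAuthentication=true means OAuth is disallowed.
    Fail closed (PAT) if the policy is missing from the response."""
    disallowed, _ = application_connection_policies(payload).get(
        "Policy.DisallowOAuthAuthentication", (True, True))
    return "pat" if disallowed else "oauth"


# Constructed sample response: provider shape from the answer, outer wrapper assumed.
SAMPLE = {"fps": {"dataProviders": {"data": {PROVIDER_KEY: {"policies": {"applicationConnection": [
    {"policy": {"name": "Policy.DisallowOAuthAuthentication", "value": False,
                "effectiveValue": True, "isValueUndefined": True}},
    {"policy": {"name": "Policy.DisallowSecureShell", "value": False,
                "effectiveValue": False, "isValueUndefined": False}},
]}}}}}}

if __name__ == "__main__":
    print(application_connection_policies(SAMPLE), recommended_auth(SAMPLE))
```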

Related

Is Attestation Verifiable Credentials Type repo demo available in c#?

I have successfully tested the idtokenhint demo and I am trying, unsuccessfully, the attestation verifiable credentials type, similar to the Woodgrove Employee Onboarding Demo. Is this code available in C#?
In my case I need the Authenticator to request the VerifiedCredentialExpert VC first, but I don't see how to trigger this on Authenticator. I tried this in the issuance_request_config.json file; I also tried adding requestedCredentials with type VerifiedCredentialExpert, as you see below, to suggest to Authenticator to get this first, but it didn't change the error behaviour:
{
  "includeQRCode": false,
  "callback": {
    // In this sample code we will overwrite the callback and use the HOSTNAME dynamically;
    // make sure you use ngrok or something like that when running on a local devbox.
    // The MS AAD VC Request service needs to be able to reach the callback URI
    "url": "https://YOURPUBLICREACHABLEHOSTNAME/api/issuer/issuanceCallback",
    "state": "STATEWILLBESETINCODE",
    "headers": {
      "api-key": "OPTIONAL API-KEY for ISSUANCE CALLBACK API"
    }
  },
  // The Authority is the DID from your MS AAD Verifiable Credential service; you can copy this from the VC page in the Azure portal
  "authority": "did:ion: THIS IS YOUR DID FROM THE VC PAGE IN AZURE PORTAL WHICH IS SET IN THE SAMPLE BY COPYING THE VALUE FROM APPSETTINGS.JSON ",
  "registration": {
    "clientName": "Verifiable Test Register Verifiable Credential"
  },
  // The type needs to be the same as defined in the rules JSON definition. The manifest can be copied after the credential has been
  // created in the Azure portal
  "type": "VerifiedTestRegistration",
  "manifest": "CREDENTIAL URL IN THIS SAMPLE WILL BE COPIED FROM APPSETTINGS.JSON",
  // Recommendation is to protect the issuance payload with a PIN code.
  // The pincode is set to a random value in code and will be displayed in the UI to the user
  "pin": {
    "value": "123456",
    "length": 4
  },
  // This is an example payload which will be used in the rules file of the credential.
  // The rules file maps information from the ID Token (hint) to the VC
  "claims": {
    "country_of_registry": "",
    "registration_number": ""
  },
  // You can request multiple verifiable credentials at once; that's why requestedCredentials is an array
  "requestedCredentials": [
    {
      "type": "VerifiedCredentialExpert",
      "purpose": "Required presentation of verifiable credentials expert to get Test Registration card.",
      // You can trust multiple issuers who might be issuing the same credential type (for example certifications or diplomas)
      // You need to specify at least 1 trusted issuer DID; for this sample code we copy the IssuerAuthority from appsettings to the request
      // "acceptedIssuers": [ "did:ion: copied from your VC portal in this sample the code copies it from APPSETTINGS.JSON" ]
      "acceptedIssuers": [ "theaccepetedidissuer" ]
    }
  ]
}
These are the display and rules definitions:
Display definition:
{
  "locale": "en-US",
  "card": {
    "title": "Test Verified Credential",
    "issuedBy": "TheIssuer",
    "backgroundColor": "#000000",
    "textColor": "#ffffff",
    "logo": {
      "uri": "https://example.com/image.png",
      "description": "Test Verified Credential"
    },
    "description": "Use this card to verify."
  },
  "consent": {
    "title": "Do you want to get your Test Verified Credential?",
    "instructions": "Sign in with your Verified Credential Expert Card to get your card."
  },
  "claims": [
    {
      "claim": "$.vc.country_of_registry",
      "label": "Country of Registry",
      "type": "String"
    },
    {
      "claim": "$.vc.registration_number",
      "label": "Registration Number",
      "type": "String"
    }
  ]
}
Rules definition:
{
  "attestations": {
    "presentations": [
      {
        "mapping": [
          {
            "outputClaim": "firstName",
            "required": true,
            "inputClaim": "$.vc.credentialSubject.given_name",
            "indexed": false
          },
          {
            "outputClaim": "lastName",
            "required": true,
            "inputClaim": "$.vc.credentialSubject.family_name",
            "indexed": false
          }
        ],
        "required": true,
        "credentialType": "VerifiedCredentialExpert",
        "contracts": [
          "https://verifiedid.did.msidentity.com/v1.0/tenants/id/verifiableCredentials/contracts/abcd/manifest"
        ],
        "trustedIssuers": [
          "did:ion:thedid"
        ]
      }
    ],
    "idTokenHints": [
      {
        "mapping": [
          {
            "outputClaim": "countryOfRegistry",
            "required": true,
            "inputClaim": "$.country_of_registry",
            "indexed": false
          },
          {
            "outputClaim": "registrationNumber",
            "required": true,
            "inputClaim": "$.registration_number",
            "indexed": true
          }
        ],
        "required": true
      }
    ]
  },
  "validityInterval": 2592000,
  "vc": {
    "type": [
      "VerifiedTestRegistration"
    ]
  }
}
I am testing on an iPhone 12 Pro with the latest iOS version installed.
I asked the question in this git project as well, but unfortunately got no help.
Thank you for your help, Sergio

Create a new user through AWS API Gateway secured with Cognito - how to allow access to users before they are created?

I have an API in AWS API Gateway secured with AWS Cognito. In order to use the endpoint, the user must be recognized by Cognito, which will return a token.
The question here is related to the CREATE USER process. In order to use this endpoint the user must exist in Cognito, then receive the token and use it to connect to the CREATE USER endpoint. But at the moment of the creation of the user in the database (API endpoint) the user is not created in Cognito and has no permission to access the API.
So, what would be the best approach to this process?
You don't always need to use the TOKEN authorizer. API Gateway allows you to configure another type of authorizer: REQUEST.
In that case it's entirely up to you how you want to tell whether someone is (or is not) authorized to make a call to your API endpoint.
The event will look something like this (taken from AWS documentation):
{
  "type": "REQUEST",
  "methodArn": "arn:aws:execute-api:us-east-1:123456789012:abcdef123/test/GET/request",
  "resource": "/request",
  "path": "/request",
  "httpMethod": "GET",
  "headers": {
    "X-AMZ-Date": "20170718T062915Z",
    "Accept": "*/*",
    "HeaderAuth1": "headerValue1",
    "CloudFront-Viewer-Country": "US",
    "CloudFront-Forwarded-Proto": "https",
    "CloudFront-Is-Tablet-Viewer": "false",
    "CloudFront-Is-Mobile-Viewer": "false",
    "User-Agent": "..."
  },
  "queryStringParameters": {
    "QueryString1": "queryValue1"
  },
  "pathParameters": {},
  "stageVariables": {
    "StageVar1": "stageValue1"
  },
  "requestContext": {
    "path": "/request",
    "accountId": "123456789012",
    "resourceId": "05c7jb",
    "stage": "test",
    "requestId": "...",
    "identity": {
      "apiKey": "...",
      "sourceIp": "...",
      "clientCert": {
        "clientCertPem": "CERT_CONTENT",
        "subjectDN": "www.example.com",
        "issuerDN": "Example issuer",
        "serialNumber": "a1:a1:a1:a1:a1:a1:a1:a1:a1:a1:a1:a1:a1:a1:a1:a1",
        "validity": {
          "notBefore": "May 28 12:30:02 2019 GMT",
          "notAfter": "Aug 5 09:36:04 2021 GMT"
        }
      }
    },
    "resourcePath": "/request",
    "httpMethod": "GET",
    "apiId": "abcdef123"
  }
}
Then your authorizer needs to return a response that tells API Gateway whether to let the call through:
{
  "principalId": "any-identifier-you-choose-like-uuid",
  "policyDocument": {
    "Version": "2012-10-17",
    "Statement": [
      {
        "Action": "execute-api:Invoke",
        "Effect": "Allow",
        "Resource": "arn:aws:execute-api:eu-west-1:111111111111:abcdef/prod/GET/myresource"
      }
    ]
  }
}
There is also a caching policy involved, but this should be enough for you to start.
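Putting the answer together, as an added example that is not part of the original answer: a Lambda REQUEST authorizer in Python that lets the sign-up route through anonymously but scopes the Allow to that single method ARN, and requires a Cognito bearer token for everything else. The open route table, the event samples and the token check (verify_cognito_token, a stand-in for real JWT validation against the user pool JWKS) are constructed for illustration.

```python
import re

# Constructed route table: the only route a caller may hit before a Cognito identity
# exists is sign-up. Every other route needs a valid token.
OPEN_ROUTES = {("POST", "/users")}


# Hypothetical stand-in for real Cognito JWT validation (signature against the user
# pool JWKS, issuer, audience, expiry). Returns claims, or None if invalid/missing.
def verify_cognito_token(token):
    return {"sub": "user-123"} if token == "valid-token" else None


def parse_method_arn(method_arn):
    """arn:aws:execute-api:{region}:{account}:{apiId}/{stage}/{METHOD}/{path}"""
    m = re.match(r"^arn:aws:execute-api:[^:]+:\d+:[^/]+/[^/]+/([A-Z]+)/(.*)$", method_arn)
    if not m:
        raise ValueError("unexpected methodArn: " + method_arn)
    return m.group(1), "/" + m.group(2)


def build_policy(principal_id, effect, resource_arn):
    """Policy document in the shape API Gateway expects back from a REQUEST authorizer."""
    return {
        "principalId": principal_id,
        "policyDocument": {
            "Version": "2012-10-17",
            "Statement": [
                {"Action": "execute-api:Invoke", "Effect": effect, "Resource": resource_arn}
            ],
        },
    }


def handler(event, context=None):
    """REQUEST authorizer: allow the create-user route anonymously, scoped to exactly
    this method ARN; every other route requires a valid Cognito bearer token."""
    method, path = parse_method_arn(event["methodArn"])
    # Header names arrive as sent by the client; compare case-insensitively.
    headers = {k.lower(): v for k, v in (event.get("headers") or {}).items()}
    auth = headers.get("authorization", "")
    token = auth[len("Bearer "):] if auth.startswith("Bearer ") else None
    claims = verify_cognito_token(token) if token else None
    if claims:
        return build_policy(claims["sub"], "Allow", event["methodArn"])
    if (method, path) in OPEN_ROUTES:
        # Anonymous sign-up: allow this one ARN, never a wildcard over the whole API.
        return build_policy("anonymous-signup", "Allow", event["methodArn"])
    # Deny; API Gateway answers the caller with 403.
    return build_policy("anonymous", "Deny", event["methodArn"])
```

Because API Gateway caches the authorizer result per identity source, keep the cache key (e.g. the Authorization header) distinct for the anonymous route or set a short TTL so a cached Allow cannot leak to other routes.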

How to find disabled Azure DevOps services in an Azure DevOps project

We can disable Azure DevOps services from the UI.
Is there any API available to GET the info about enabled/disabled services?
Like in the above image, Boards is disabled. Can I find this info using an API?
This is a feature in Project Settings.
I checked the related REST API and Azure CLI for Team Projects; however, I did not find any available interface that can list the info about enabled/disabled services, and also no available interface to enable/disable services.
So, I think your question is more like a feature request. I recommend that you report the feature request to the Developer Community.
[UPDATE]
I found the below API in the Network logs of the web browser (press F12). I have tested this API on my side; it should be the one you are looking for.
Request URI:
POST https://dev.azure.com/{Organization_name}/_apis/FeatureManagement/FeatureStatesQuery/host/project/{Project_id}?api-version=4.1-preview.1
Request Body:
{
  "featureIds": [
    "ms.vss-work.agile", // Boards
    "ms.vss-code.version-control", // Repos
    "ms.vss-build.pipelines", // Pipelines
    "ms.vss-test-web.test", // Test Plans
    "ms.feed.feed" // Artifacts
  ],
  "featureStates": {},
  "scopeValues": {
    "project": "{Project_id}"
  }
}
Response Body:
{
  "featureIds": [
    "ms.vss-work.agile",
    "ms.vss-code.version-control",
    "ms.vss-build.pipelines",
    "ms.vss-test-web.test",
    "ms.feed.feed"
  ],
  "featureStates": {
    "ms.vss-work.agile": {
      "featureId": "ms.vss-work.agile",
      "scope": {
        "userScoped": false,
        "settingScope": "project"
      },
      "state": "disabled"
    },
    "ms.vss-code.version-control": {
      "featureId": "ms.vss-code.version-control",
      "scope": null,
      "state": "enabled"
    },
    "ms.vss-build.pipelines": {
      "featureId": "ms.vss-build.pipelines",
      "scope": null,
      "state": "enabled"
    },
    "ms.vss-test-web.test": {
      "featureId": "ms.vss-test-web.test",
      "scope": null,
      "state": "disabled",
      "reason": "\"Test Plans\" is off because the \"Boards\" feature is off. In order to manage \"Test Plans\", you must turn on \"Boards\".",
      "overridden": true
    },
    "ms.feed.feed": {
      "featureId": "ms.feed.feed",
      "scope": null,
      "state": "enabled"
    }
  },
  "scopeValues": {
    "project": "{Project_id}"
  }
}
The right names of the features are:
ms.vss-build.pipelines [Azure Pipelines]
ms.vss-test-web.test [Test Plans]
ms.vss-work.agile [Azure Boards]
ms.vss-code.version-control [Azure Repos]
ms.azure-artifacts.feature [Azure Artifacts]

Data Factory MSI authentication with Azure Event Hub through Web Activity

I am trying to send messages to an Event Hub through Data Factory's Web activity.
My Data Factory is set up with a system-assigned managed identity (MSI), and that identity has been given the "Azure Event Hubs Data Sender" role on the Event Hubs namespace (RBAC / IAM).
The Web activity is set up as follows:
{
  "name": "Send to Event Hub",
  "type": "WebActivity",
  "dependsOn": [],
  "policy": {
    "timeout": "7.00:00:00",
    "retry": 0,
    "retryIntervalInSeconds": 30,
    "secureOutput": false,
    "secureInput": false
  },
  "userProperties": [],
  "typeProperties": {
    "url": "https://<eventhubnamespace>.servicebus.windows.net/<eventhub>/messages?timeout=60&api-version=2014-01",
    "method": "POST",
    "body": {
      "DeviceId": "dev-01",
      "Temperature": "37.0"
    },
    "authentication": {
      "type": "MSI",
      "resource": "https://servicebus.azure.net"
    }
  }
}
Unfortunately, it seems that the request is always unauthorized. The Web activity fails with the following message:
{
  "errorCode": "2108",
  "message": "Invoking Web Activity failed with HttpStatusCode - 'Unauthorized'.",
  "failureType": "UserError",
  "target": "Event Hub",
  "details": []
}
I also tried specifying the Content-Type header according to the Send Event REST API docs, but it made no difference.
According to this article, it should be possible to authenticate against Event Hubs using a Service Principal with an OAuth 2.0 bearer token. My understanding is that ADF's MSI is no different from a Service Principal, except that I don't have to manage the secrets and tokens on my own. What am I missing?

API POST not applied to branch with Azure DevOps Server (2019 Update 1)

I'm puzzled by the Azure DevOps API POST. I've successfully created a policy for "Minimum number of reviewers", but it's not being created against the branch I'm specifying. I've done this in Fiddler for the moment; here's my request (private values obfuscated):
POST http://our-tfs-server:8080/tfs/TheCollection/TheProject/_apis/policy/configurations?api-version=5.1 HTTP/1.1
Content-Type: application/json; charset=utf-8
Host: our-tfs-server:8080
Authorization: Basic MyBase64EncodedToken

{
  "IsBlocking": true,
  "IsEnabled": true,
  "Settings": {
    "MinimumApproverCount": 2,
    "Scope": [
      {
        "RefName": "refs/heads/master",
        "MatchKind": "exact",
        "RepositoryId": "7718333c-044e-423a-baa1-45e6a1f0ff41"
      }
    ]
  },
  "Type": {
    "Id": "fa4e907d-c16b-4a4c-9dfa-4906e5d171dd"
  }
}
and here's the response body:
{
  "createdBy": {
    "displayName": "Surname, Firstname",
    "url": "http://our-tfs-server:8080/tfs/TheCollection/_apis/Identities/SomeString",
    "_links": { "avatar": { "href": "http://our-tfs-server:8080/tfs/TheCollection/_apis/GraphProfile/MemberAvatars/win.SomeString" } },
    "id": "7b40f8ab-a933-4b43-bdf8-bf0b179d28e6",
    "uniqueName": "MyUsername",
    "imageUrl": "http://our-tfs-server:8080/tfs/TheCollection/_api/_common/identityImage?id=SomeString",
    "descriptor": "win.SomeOtherString"
  },
  "createdDate": "2020-01-23T02:09:34.4738854",
  "isEnabled": true,
  "isBlocking": true,
  "isDeleted": false,
  "settings": {
    "minimumApproverCount": 2,
    "creatorVoteCounts": false,
    "allowDownvotes": false,
    "resetOnSourcePush": false,
    "scope": [ { "repositoryId": "7718333c-044e-423a-baa1-45e6a1f0ff41" } ]
  },
  "_links": {
    "self": { "href": "http://our-tfs-server:8080/tfs/TheCollection/8b7e65ed-1136-4b0f-9780-de2a3860447a/_apis/policy/configurations/254" },
    "policyType": { "href": "http://our-tfs-server:8080/tfs/TheCollection/8b7e65ed-1136-4b0f-9780-de2a3860447a/_apis/policy/types/fa4e907d-c16b-4a4c-9dfa-4906e5d171dd" }
  },
  "revision": 1,
  "id": 254,
  "url": "http://our-tfs-server:8080/tfs/TheCollection/8b7e65ed-1136-4b0f-9780-de2a3860447a/_apis/policy/configurations/254",
  "type": {
    "id": "fa4e907d-c16b-4a4c-9dfa-4906e5d171dd",
    "url": "http://our-tfs-server:8080/tfs/TheCollection/8b7e65ed-1136-4b0f-9780-de2a3860447a/_apis/policy/types/fa4e907d-c16b-4a4c-9dfa-4906e5d171dd",
    "displayName": "Minimum number of reviewers"
  }
}
Note that "scope": [ { "repositoryId": "7718333c-044e-423a-baa1-45e6a1f0ff41" } ] only has the repositoryId.
In the UI, on the policies for the branch, the Minimum Number of Reviewers option is not ticked, and there's no version of the question at a full repository level. If I call /_apis/policy/configurations then I see the new policy, so it has been created. Perhaps this will now guard all branches with the policy, but we don't want it at a global level, and given there's no tooling in the DevOps web UI for it I'm pretty sure it's not intended to be like that anyway.
So, is this an oversight in the way the API functions, or is the branch to apply the policy configuration to set using another technique?
So... the answer lay in the capitalisation of property names in the JSON request body. Whilst JSON is not case sensitive and the request I was making was returning 200 and a valid body, internally the server was falling apart on the setting of the branch to apply the Policy Configuration to. Newtonsoft was serialising property names with capital letters at the beginning, and I found that using lowercase fixed the original issue; the returned object which was created then had the refName and matchKind assigned, and the Minimum Number of Reviewers check box was ticked and the number set to 2. Why MS have failed to serialise only one or two properties is a little weird; at any rate, I applied JsonSerializerSettings globally to avoid the need for adding JsonPropertyAttribute everywhere, as well as ignoring null properties.
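As an added example (not the asker's code), the casing fix and a post-check in Python: camel_case_keys rewrites the PascalCase body the way the asker's global serializer settings do, min_reviewers_body builds the request with the lowercase names that worked, and scope_problems inspects the server's response so a policy whose scope silently lost refName/matchKind (and so no longer guards the intended branch) is caught instead of assumed to be in force. The policy type id and repository id are the ones on this page; PASCAL_BODY is constructed.

```python
import json

# Policy type id for "Minimum number of reviewers" (from the request on this page).
MIN_REVIEWERS_TYPE = "fa4e907d-c16b-4a4c-9dfa-4906e5d171dd"


def camel_case_keys(value):
    """Recursively rewrite PascalCase object keys to camelCase (the fix described
    above), leaving values such as 'refs/heads/master' untouched."""
    if isinstance(value, dict):
        return {k[:1].lower() + k[1:]: camel_case_keys(v) for k, v in value.items()}
    if isinstance(value, list):
        return [camel_case_keys(v) for v in value]
    return value


def min_reviewers_body(repository_id, ref_name, approvers, blocking=True):
    """Request body for POST .../_apis/policy/configurations, camelCase throughout."""
    return {
        "isEnabled": True,
        "isBlocking": blocking,
        "type": {"id": MIN_REVIEWERS_TYPE},
        "settings": {
            "minimumApproverCount": approvers,
            "scope": [{"repositoryId": repository_id, "refName": ref_name, "matchKind": "exact"}],
        },
    }


def scope_problems(response, expected_ref):
    """Post-check on the server's response: a scope entry that came back with only
    repositoryId (as in the question) means the branch binding was dropped."""
    problems = []
    scope = response.get("settings", {}).get("scope", [])
    if not scope:
        problems.append("no scope entries")
    for entry in scope:
        if "refName" not in entry or "matchKind" not in entry:
            problems.append("scope lost refName/matchKind: " + json.dumps(entry))
        elif entry["refName"] != expected_ref:
            problems.append("scope bound to %s, expected %s" % (entry["refName"], expected_ref))
    return problems


# Constructed PascalCase body, as Newtonsoft emits it with default settings.
PASCAL_BODY = {"IsBlocking": True, "IsEnabled": True,
               "Settings": {"MinimumApproverCount": 2,
                            "Scope": [{"RefName": "refs/heads/master", "MatchKind": "exact",
                                       "RepositoryId": "7718333c-044e-423a-baa1-45e6a1f0ff41"}]},
               "Type": {"Id": MIN_REVIEWERS_TYPE}}
```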