Is there any way I can warn my user when they are configuring their task that this particular task requires use of the SYSTEM_ACCESSTOKEN variable? I have added a check in my task:
# Environment variables are strings, and this one is absent when the option is off, so compare against 'true'
if ($env:SYSTEM_ENABLEACCESSTOKEN -ne 'true') { throw "OAuth Token Access not enabled! Set in the Agent Phase Options." }
That is ok, but the user won't find out until they have already kicked off a release, which in this case would fail. I didn't see anything in the extension manifest.
Tasks don't need explicit access to the OAuth token. Tasks are always privileged and can request the access token through the VSTS Task SDK.
To access the REST APIs use:
# Credentials built from the job's OAuth token, supplied by the VSTS Task SDK
$vssCredentials = Get-VstsVssCredentials
# Collection the job is running against
$collectionUrl = New-Object System.Uri((Get-VstsTaskVariable -Name 'System.TeamFoundationCollectionUri' -Require))
# Client assembly shipped alongside the task script
Add-Type -LiteralPath "$PSScriptRoot\Microsoft.TeamFoundation.Core.WebApi.dll"
$projectHttpClient = New-Object Microsoft.TeamFoundation.Core.WebApi.ProjectHttpClient($collectionUrl, $vssCredentials)
# .Result blocks on the async call and returns the projects visible to the token
$projectHttpClient.GetProjects().Result
See also:
https://github.com/Microsoft/vsts-task-lib/blob/master/powershell/Docs/FullHelp/Get-VstsTfsClientCredentials.md
https://github.com/Microsoft/vsts-task-lib/blob/master/powershell/Docs/FullHelp/Get-VstsVssCredentials.md
If needed, you can also extract the token from the returned credential.
The Access to OAuth token checkbox is only required when a custom script needs access to the Build's user token.
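As an added example (not part of the answer above), the same token can be pulled from the SDK and used with Invoke-RestMethod directly, which avoids shipping the client DLLs with the task. It assumes the script is started by Invoke-VstsTaskScript so that Get-VstsEndpoint and Get-VstsTaskVariable are available; the SystemVssConnection endpoint is the one the agent provisions for task code, and its AccessToken parameter is the same value exposed as System.AccessToken.

```powershell
# Added example: obtain the job's OAuth token via the VSTS Task SDK and call the REST API.
# Assumes the script runs under Invoke-VstsTaskScript (VstsTaskSdk imported by the agent).

# The agent always provisions the SystemVssConnection endpoint for task code;
# its AccessToken parameter is the token the task is authorized to use.
$endpoint = Get-VstsEndpoint -Name 'SystemVssConnection' -Require
$accessToken = $endpoint.auth.parameters.AccessToken
if ([string]::IsNullOrEmpty($accessToken)) {
    throw 'SystemVssConnection did not carry an access token.'
}

$collectionUri = Get-VstsTaskVariable -Name 'System.TeamFoundationCollectionUri' -Require

# Bearer header for the REST API; never write the token itself to the log.
$headers = @{ Authorization = "Bearer $accessToken" }

$projects = Invoke-RestMethod -Method Get -Headers $headers `
    -Uri "$($collectionUri.TrimEnd('/'))/_apis/projects?api-version=5.0"

Write-Host "Token can see $($projects.count) project(s):"
$projects.value | ForEach-Object { Write-Host " - $($_.name)" }
```

Because the token is a job-scoped credential, keep it out of Write-Host and out of any file the task uploads as an artifact.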
Related
I am using the Invoke REST API task in a pipeline.
I have saved an Azure DevOps PAT token in a variable with the name system.AccessToken.
It's giving an unauthorized error.
I also tried converting the PAT token to base64 and then saving it in the variable. It's still showing the same error.
What value do I need to provide for system.AccessToken?
You do not need to add a PAT token to your variables. System.AccessToken is a special variable that carries the security token used by the running build.
In addition, you are using the Invoke REST API task in an agentless job, so you also don't need to set the "Allow scripts to access the OAuth token" option.
Here is my sample and it works well:
1. Create service connection:
2. Configuration of Invoke REST API task:
We have an app which uses the OAuth authorization code grant type. We are trying to restrict session tokens and limit them to 10 minutes; however, after applying the policy it is not working and users stay logged in on browsers.
Can you please suggest if we are missing something? We are using the below policy:
$policy = New-AzureADPolicy -Definition @('{"TokenLifetimePolicy":{"Version":1,"MaxAgeSessionSingleFactor":"00:10:00","MaxAgeSessionMultiFactor":"00:10:00"}}') -DisplayName $policyName -IsOrganizationDefault $false -Type "TokenLifetimePolicy"
Please do not use that, as per the link that Joy posted. https://learn.microsoft.com/en-us/azure/active-directory/develop/active-directory-configurable-token-lifetimes
Microsoft is deprecating this and changing to authentication session management capabilities in the Azure AD Conditional Access menus.
"After hearing from customers during the preview, we've implemented authentication session management capabilities in Azure AD Conditional Access. You can use this new feature to configure refresh token lifetimes by setting sign in frequency. After May 1, 2020 you will not be able to use Configurable Token Lifetime policy to configure session and refresh tokens. You can still configure access token lifetimes after the deprecation."
Here is the link: https://learn.microsoft.com/en-us/azure/active-directory/conditional-access/howto-conditional-access-session-lifetime
This feature is in preview - Configurable token lifetimes in Azure Active Directory (Preview); also, the New-AzureADPolicy command belongs only to the AzureADPreview module.
Currently, it only works with the parameter -IsOrganizationDefault $true; the feature may not have been implemented completely.
$policy = New-AzureADPolicy -Definition @('{"TokenLifetimePolicy":{"Version":1,"MaxAgeSessionSingleFactor":"00:10:00","MaxAgeSessionMultiFactor":"00:10:00"}}') -DisplayName $policyName -IsOrganizationDefault $true -Type "TokenLifetimePolicy"
Update:
Sorry for my oversight; the solution above is what I tested in this post on 2020/4/17, but there is an update in this doc, as @alphaz18 mentioned:
So if you want to configure the session lifetime, you need to use the new feature - Configure authentication session management with Conditional Access.
I have custom extension attributes in an Azure Active Directory (mapped via Azure AD Connect). The extension attributes on Azure AD take the form extension_<uniqueid>_<attributename>.
I want to expose several extension attributes to an application when the user logs in via Open ID Connect. The attributes should be included in the JWT token.
I tried using the approach from the Microsoft Page creating a policy and assigning it to the Service Principal ID of the application that wants to receive the token at login.
These are the powershell commands I used.
Connect-AzureAD -Confirm
New-AzureADPolicy -Definition @('{"ClaimsMappingPolicy":{"Version":1,"IncludeBasicClaimSet":"true","ClaimsSchema":[{"Source":"user","ID":"extension_uniqueidretracted_extensionAttribute13","SamlClaimType":"http://schemas.xmlsoap.org/ws/2005/05/identity/claims/extensionAttribute13","JwtClaimType":"MyCustomClaim1"},{"Source":"user","ID":"extension_uniqueidretracted_extensionAttribute14","SamlClaimType":"http://schemas.xmlsoap.org/ws/2005/05/identity/claims/extensionAttribute14","JwtClaimType":"MyCustomClaim2"}]}}') -DisplayName "ExtensionAttributeMapping" -Type "ClaimsMappingPolicy"
Add-AzureADServicePrincipalPolicy -Id <ObjectId of the ServicePrincipal> -RefObjectId <ObjectId of the Policy>
Creating and assigning the policy works, but the attributes are still not included in the token.
What do I need to do to make this work?
Make sure that you set the acceptMappedClaims to true in the application's manifest in Azure AD.
Try using "ExtensionID":"extension_uniqueidretracted_extensionAttribute13" instead of "ID":"extension_uniqueidretracted_extensionAttribute13" in the ClaimsMappingPolicy.
You'd need to use the optional claims feature to get the information in the extension attributes available in the access tokens.
Please go through the doc Configuring directory extension optional claims, which explains how this is achieved.
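Whichever route is taken (claims mapping policy or optional claims), the practical check is to look at the token the app actually receives. The following is an added example, not code from either answer: it base64url-decodes the payload of a JWT and reports whether the custom claim names from the question are present. The token below is a constructed sample with a dummy signature; the decoder does no signature validation and is for inspection only, never for accepting a token.

```powershell
# Added example: decode a JWT payload to see which claims actually arrived.
# Inspection only: the signature is NOT validated here, so never use this to trust a token.

function ConvertFrom-Base64Url([string] $s) {
    # base64url -> base64: swap the URL-safe alphabet back and restore padding
    $s = $s.Replace('-', '+').Replace('_', '/')
    switch ($s.Length % 4) { 2 { $s += '==' } 3 { $s += '=' } }
    return [System.Text.Encoding]::UTF8.GetString([Convert]::FromBase64String($s))
}

function Get-JwtClaims([string] $jwt) {
    $parts = $jwt.Split('.')
    if ($parts.Count -ne 3) { throw 'Not a compact JWS (expected header.payload.signature).' }
    return ConvertFrom-Base64Url $parts[1] | ConvertFrom-Json
}

# Constructed sample payload resembling what Azure AD emits once one mapping works
# (MyCustomClaim2 is deliberately left out to show the failure branch).
$payload = @{
    aud            = 'api://my-app'
    iss            = 'https://login.microsoftonline.com/tenant-id/v2.0'
    MyCustomClaim1 = 'Dept-42'
} | ConvertTo-Json -Compress
$payloadB64Url = [Convert]::ToBase64String([System.Text.Encoding]::UTF8.GetBytes($payload)).TrimEnd('=').Replace('+', '-').Replace('/', '_')
$sampleJwt = "eyJhbGciOiJSUzI1NiJ9.$payloadB64Url.c2lnbmF0dXJl"   # header {"alg":"RS256"}, dummy signature

$claims = Get-JwtClaims $sampleJwt
foreach ($name in 'MyCustomClaim1', 'MyCustomClaim2') {
    if ($null -ne $claims.$name) {
        Write-Host "$name = $($claims.$name)"
    } else {
        Write-Warning "$name missing: check acceptMappedClaims on the app and the ExtensionID source in the policy"
    }
}
```

Run the same decoder over a real id_token or access token copied from the app (or from a browser's network trace) to confirm the mapped claims, and remember that a claim being present says nothing about the token being genuine until its signature is verified against the tenant's keys.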
Context
I use a PowerShell script with an Azure PowerShell task (task version 4.* preview) to trigger the most recent release of a certain release pipeline. After retrieving the id of the last release as well as the id of the related environment via
GET https://vsrm.dev.azure.com/$azureDevOpsOrganizationName/$azureDevOpsProjectName/_apis/release/deployments?queryOrder=descending&`$top=1&definitionId=$azureDevOpsReleasePipelineId&definitionEnvironmentId=$azureDevOpsReleaseEnvironmentId&api-version=5.0
I want to make a PATCH REST Call to trigger the related release via
PATCH https://vsrm.dev.azure.com/$azureDevOpsOrganizationName/$azureDevOpsProjectName/_apis/Release/releases/$lastDeploymentId/environments/$($lastDeploymentEnvironmentId)?api-version=5.0-preview.6
with the following body
$triggerMostRecentReleaseBody = @{
    comment = 'some comment'
    status = 2
    scheduledDeploymentTime = $null
}
$triggerMostRecentReleaseBodyJSON = $triggerMostRecentReleaseBody | ConvertTo-Json
To be able to make these REST Calls I enabled the OAuth token for being available in the pipeline:
and retrieve the token via $env:SYSTEM_ACCESSTOKEN in the PowerShell script.
The Issue
The GET request works perfectly fine but when executing the PATCH Call it returns the error
(403) Forbidden
So the question is how to enable the OAuth token to make these kinds of REST calls?
The issue is that the permissions related to the OAuth token are not sufficient by default to make the PATCH Call.
To grant the necessary permissions add the Project Collection Build Service (xxx) user to the Project Administrators group:
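As an added example (not the asker's script or the answer's own code), here is the GET-then-PATCH sequence written so that an authorization failure is reported as what it is rather than as a generic exception. It assumes "Allow scripts to access the OAuth token" is enabled on the job and that the organization, project, definition id and environment id are supplied through the pipeline variables named below (those names are placeholders).

```powershell
# Added example: redeploy the latest deployment of a release stage with the job's OAuth token.
# Assumes the token is exposed to scripts and the four variables below are set in the pipeline
# (variable names are placeholders).
$org           = $env:AZDO_ORG
$project       = $env:AZDO_PROJECT
$definitionId  = $env:RELEASE_DEFINITION_ID
$environmentId = $env:RELEASE_ENVIRONMENT_ID

$token = $env:SYSTEM_ACCESSTOKEN
if ([string]::IsNullOrEmpty($token)) { throw 'SYSTEM_ACCESSTOKEN is empty: enable OAuth token access on the job.' }
$headers = @{ Authorization = "Bearer $token"; 'Content-Type' = 'application/json' }
$base = "https://vsrm.dev.azure.com/$org/$project/_apis/release"

try {
    # Most recent deployment of this definition/stage (note the escaped `$top)
    $last = Invoke-RestMethod -Method Get -Headers $headers -Uri ("$base/deployments?queryOrder=descending&`$top=1" +
        "&definitionId=$definitionId&definitionEnvironmentId=$environmentId&api-version=5.0")
    if ($last.count -lt 1) { throw "No deployments found for definition $definitionId / environment $environmentId." }
    $releaseId = $last.value[0].release.id
    $envId     = $last.value[0].releaseEnvironment.id

    # status 'inProgress' is the string form of the enum value 2 used in the question
    $body = @{ status = 'inProgress'; comment = 'Redeploy from pipeline'; scheduledDeploymentTime = $null } | ConvertTo-Json
    # $($envId) is required: '?' is a legal variable-name character, so "$envId?api" would be a different variable
    $result = Invoke-RestMethod -Method Patch -Headers $headers -Body $body `
        -Uri "$base/releases/$releaseId/environments/$($envId)?api-version=5.0-preview.6"
    Write-Host "Deployment of release $releaseId to stage $envId is now '$($result.status)'."
}
catch {
    $status = $_.Exception.Response.StatusCode.value__
    if ($status -eq 403) {
        Write-Error "403 Forbidden: the build service identity running this job is not allowed to deploy this stage; grant it permission on the release pipeline as described above."
    } else {
        throw
    }
}
```

The GET succeeding while the PATCH fails is the expected pattern here: reading deployments needs only view rights, while starting one is a separate permission on the release definition, so the token is valid but the identity behind it is under-privileged for the second call.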
I'm trying to use the TFVC API from a build task without using Personal Access Token.
I've read that if I use the Client SDK it should authenticate automatically, but I'm failing to get it working.
Another alternative I'm considering is to run tf.exe but it requires authentication as well.
Basically I would like to get the changesets for a certain build using my Build Task with minimum info from the user (hence I don't want Personal Access Token or Username/Password).
Is that doable?
You should be able to authenticate with an OAuth token. It's populated in the build variable $(System.AccessToken) or the environment variable SYSTEM_ACCESSTOKEN.
You provide it to the REST API with the header Authorization set to Bearer [token], where [token] is the OAuth token value.
If you queue a build with a TFVC repository and then check the logs for the "Get Sources" step, you will find how TF.exe is used to get sources during the build. You can then copy the command and use it in a Command Line/PowerShell task like the following:
Make sure that "Allow Scripts to access token" option is enabled.
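Putting both answers together, the following added example (not code from either answer) shows the two token-only ways to reach TFVC data from a task: tf.exe driven with the OAuth login switches, and the Build REST API's changes resource, which returns the changesets associated with the current build without any client tooling. It assumes the "Allow scripts to access the OAuth token" option is on; the tf.exe path under the agent's externals folder and the exact /loginType:OAuth /login:.,<token> form are taken from a typical Get Sources log and should be checked against your own agent's log, as the answer suggests.

```powershell
# Added example: TFVC access from a task using only the job's OAuth token.
# Assumes the token is exposed to scripts. The tf.exe location and login switches are
# assumptions taken from a typical Windows agent's Get Sources log; verify against yours.
$token = $env:SYSTEM_ACCESSTOKEN
if ([string]::IsNullOrEmpty($token)) { throw 'SYSTEM_ACCESSTOKEN is empty: enable OAuth token access on the job.' }
$collection = $env:SYSTEM_TEAMFOUNDATIONCOLLECTIONURI   # ends with '/'
$project    = $env:SYSTEM_TEAMPROJECT
$buildId    = $env:BUILD_BUILDID

# 1) tf.exe: OAuth login instead of a PAT or username/password.
#    The argument is quoted because an unquoted comma would make PowerShell split it into two arguments.
$tf = Join-Path $env:AGENT_HOMEDIRECTORY 'externals\vstsom\tf.exe'   # assumption: agent-bundled tf.exe
& $tf vc history "$/$project" /recursive /stopafter:5 /noprompt `
    /collection:$collection /loginType:OAuth "/login:.,$token"
if ($LASTEXITCODE -ne 0) { throw "tf.exe failed with exit code $LASTEXITCODE" }

# 2) REST: changesets associated with this build, no client tooling required.
$headers = @{ Authorization = "Bearer $token" }
$changes = Invoke-RestMethod -Method Get -Headers $headers `
    -Uri "$collection$project/_apis/build/builds/$buildId/changes?api-version=5.0"
$changes.value | ForEach-Object {
    '{0}  {1}  {2}' -f $_.id, $_.author.displayName, $_.message
}
```

For the stated goal (changesets for a given build) the REST call alone is enough and keeps tf.exe out of the task; the tf.exe form is there for cases that genuinely need workspace operations.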