Is there are VSTS REST endpoint I can connect to in order to let a user self-serve themselves another PAT? Ideally a few days before their current one expires. I have a time sheet application that is now connecting to VSTS to get Workitem information and to update said Workitem. However, at some point (90 days, 180 days or a year later) the PAT will expire. I would rather them not have to leave the application to generate a new one and save it in my application at each interval. I would love for them to just click a button to generate it again from my app. It would be secure seeing that I would connect to the REST endpoint with their current PAT.
There isn’t official API to get Personal Access Token programmatically.
You may consider OAuth: Authorize access to REST APIs with OAuth 2.0
Related
Is it possible to pull work items from the DevOps API without needing a user to be logged in to get an access token every time?
I am trying to create a back-end service that pulls work items from the API every so often to generate a report. Can I just generate a one-time access key to use with that back-end service?
I've looked around the documentation, but it seemed like it all requires either a PAT or Azure Active Directory authorization/authentication.
Here's the docs for the API: Link
you can do something like this https://learn.microsoft.com/en-us/azure/devops/organizations/settings/manage-authorizations?toc=%2Fazure%2Fdevops%2Forganizations%2Ftoc.json&bc=%2Fazure%2Fdevops%2Forganizations%2Fbreadcrumb%2Ftoc.json&view=azure-devops
and
https://learn.microsoft.com/en-us/azure/devops/integrate/get-started/authentication/oauth?view=azure-devops
Basically authorize applications to use devops based on your credentials using oauth. similar to an app registration.
Thats the only way I can see without PAT and manual login each time.
Instead of your personal account, you could create a fake AAD user then add it to your Azure DevOps Service.
Use that account to create a Personal Access Token. Similar to Build Service account to pull source code/work items. This should be a easy way to track everything.
But the limitation here is also obvious: this needs involvement of IT department, and also causes additional costs, since every user is billed.
Allow personal access tokens that do not expire is not supported right now. There is a related user voice.
As an alternatively way you could use OAuth just as alphaz18 suggested. Details please refer-- Authorize access to REST APIs with OAuth 2.0
I want to enable multiple AD authentication using OAuth Prompt in my BOT that i have developed.Currently, there is only one connection that it is taking through which our project AD is getting hit and the credentials are validated. But, i want the same O-Auth prompt to work for different AD's at a time in the BOT which was created using MS Bot framework V4 SDK in C#.
To clearly explain my query, let me take and example and also let me tell you the steps i have followed for enabling the Authentication in my BOT:
MS Bot deployed to AZURE
In the setting of WebApp Bot created OAuth Connection setting with Name: OauthConnection by providing my AZURE AD client ID and secret during creation. Tested the connection it was successful.
In my BOT code, used OAuthPrompt method for enabling the authentication and to it passed the Connection name as "OauthConnection" which was created in STEP #2
Added this Prompt method to the Dialog stack
Now my Bot code when executed gives me sign in option where if i enter the required credentials, it gets validated against the AZURE AD using the connection name provided in the OAuth Prompt method where in turn the required client ID was given
Now if we observe, The credentials are validated against the AZURE AD of which the connection name was given
What I Want to achieve is:
How to make the OAuth Prompt method such that it supports Multiple ADs simultaneously at a time?
Meaning, if my AD uses the domain as #axct.com and another AD uses domain as #avabt.com currently the oauth prompt if configured using above steps either supports the authentication of AD which uses login as #axct.com or #avabt.com at any given point of time but not both at a time in parallel.
I want to enable it such that it uses both AD for authentication at any given time in parallel such that if i use
john.doe#axct.com and its password during login it should successfully authenticate and return the respective Token at the same time if I use john.john#avabt.com as login credentials with proper password it should still successfully authenticate and return me the Token such that i can retrieve the user name from using the returned token using graph API.
How to achieve this is my query or issue as i am not sure how to do it?
Similarly, how to enable for any given AD like social networking sites, google or any other credentials using single Oauth Prompt method.
Is this can be achieved using Oauth Prompt? If yes please explain in detailed guide step by step manner in solving this issue as i am new to BOT and coding
or this is wrong expectation we have to use another method and not Oauth prompt?
Please explain in detailed guide step by step manner in solving this issue as i am new to BOT and coding.
Language: C#
Bot SDK: V4
Thanks in Advance
Regards
-ChaitanyaNG
Expected Result: Enable multiple AD authentication at a any given point of time using OAuth prompt in BOT SDK V4 code done in C# such that it works in parallel
Actual Result: Only one AD authentication works
Update to the query: 14 Aug 2019 -
To make my query more easily understandable-
How to make/convert my BOT using OAuth Prompt for authentication such that it works as a multi-tenant SaaS application using Azure AD?
Please help me with this query or issue so that i can implement it in my BOT having Water Fall Dialog.
The sample bots are configured to only look for one connection string. This leaves you with two options:
1) you can configure your dialogs to branch based on user input of what type of domain they're going to be using. Then, based on the dialog, for example axctDialog.cs or avabtDialog.cs, an auth prompt could be created, and it would use the connection string you have for it in appsettings. This would mean, however, asking your users to select their domain before signing in, something they might find tedious and extraneous.
2) When you create your Azure AD application (what you created in order to create the connection string on the bot), you create it to be multi-tenant. Much simpler. If you've already created your AAD app, you can go into the app manifest and change the values. For example, signInAudience would need to be set to either AzureADMultipleOrgs or AzureADandPersonalMicrosoftAccount and the endpoint would be common instead of the tenant domain. More details about this can be read here.
Beside your Bot registration (Bot app id and app password), you must have a separate AAD app registered for your bot service.
If that's the case, just register your AAD app as multi tenant.
One thing to note, when you create the OAuth2 settings for this app in your Azure bot service registration (or channel registration), you need to set the "TenantId" setting to be "common" - this doesn't seem to be documented anywhere.
BTW if you just want to build relatively simple bots, check out my recent Github repo. It has built in generic code written to handle auth and token exchange for you and a lot more.
I am developing a .NET(C#) application with QuickBooks integration using Intuit API. I’ve created 2 Intuit Accounts, say A and B, with different QuickBooks data.
I connect and authorize Intuit account A and create a Client, C1, with same in my application. Then I connect and authorize B and create another Client, C2, in my application. Till this point everything works fine. I save the oAuth information like access token, access token secret, key etc. in database when I create the Clients. And fetch the respective information when I want to edit a particular Client.
(Remember my application was last authorized Intuit Account B when C2 was created)
Now, at this moment, if I go to Client C1 which is connected with Intuit Account A, and try to fetch quickbooks data, without going through default connect and authorize process of intuit using “connect to intuit” button, it gives me “Unauthorized-401” Error, even though I am providing oAuth information like access token, secret, key etc. which was saved in local database during Client creation. QuickBooks throws error as soon as I fire API method to fetch data.
I don’t want my application to manually connect and authorize Intuit account process every time it tries to fetch data from a different Intuit account, As there is an automated background job which sync every Client’s QuickBooks data after every 24 hrs. It is not possible to manually authorize the same with that job.
What I am missing here? What should I do? Do I need to purchase any Partner License or something ?
For a given apptoken, consumerKey and consumerSecret only one user of a particular QBO account will have valid OAuth credential.
If a second user of that particular company goes through C2QB cycle(OAuth handshake) to generate new accessToken and accessSecret then the previous tokens get invalidated.
There is no need for going through OAuth cycle each time when end user access your app.
You can associate the end user's SSO id with valid OAuth tokens in DB for the very first time when he generates OAuth tokens(using C2QB button ). From next time onwords just have him go through intuit's SSO flow, fetch OAuth credentials based on his SSO identifier and allow him to access his data using his that previously saved credential.
Thanks
For a master admin of a company file, tokens cannot be invalidated unless Connect to Quickbooks(C2QB) is used for the same realm by your app. Only this can render the tokens invalid.
Please check if you are saving the tokens in some temp store and not deleting/cleaning it which can cause expiring of tokens.
Since, the two QBO accounts/realms A and B and the admins(C1 and C2) are not related, there is no reason that generating the oauth tokens for B could cause tokens to expire for A.
I want to start with graph Api in windows application. I created a facebook app and see some articles about graph Api but unfortunately I did not understand. I want to get data like: Messages, Events, Friends, Wall posts,... from facebook.
What is the first step for this?
What is access token and if it is a constant string or changes for every request?
Do you have a very basic sample for this?
Any help will be so appreciated.
Access token will expire in 2 to 3 hours and we can extend it for 60 days. For that we need to create an application in facebook. And based on this access token will be vary and not constant.
** What is Access Token **
An access token is a random string that gives an app temporary and secure access to Facebook APIs. And access token can be created on behalf of a person, a Facebook Page or an app. The token is generated in the last step of the login flow. Facebook SDKs handle the generation and storage of tokens automatically. Apps using other methods will need to follow the login flow to create tokens.
The token stores information about permissions that have been granted as well as information about when the token will expire and which app generated it. To maintain information security, almost all API calls at Facebook need to have an access token passed in the parameters of the request.
Go through this link for Graph API
I'm just getting into the Graph API and am having having a hard time trying to figure out if/how I can go about showing MY profile albums on My website with out having to have the user log into facebook. I'm getting thrown off with the access token...I realize I can retreive an access token to retreive my photos if I have someone log on to the site, but I want it to be transparent, using my credentials through code (securely) some how if necessary.
How can I accomplish this? I'm looking for a general conceptual explaination, but pseudo code never hurts. Can any one clear it up for me a little?
Using:
Facebook Javascript Sdk
Mirosoft MVC
Facebook C# Sdk
There's no way, that I'm aware of, to do that.
Facebook apps treat all users the same, you can't have special privileges for your user.
If your user is public then you should be able to get all of the public using an application access token which does not expire.
If that's not the case then you have two options as I see it.
Use the server side authentication with your user, or extend a valid token (a method to replace the deprecation of the "offline_access" permission), that will get you a long lived token, about 60 days, and in that time frame you can then get your data from facebook.
Then when that expires re-authenticate in the same way and get another 60 working days, etc.
Another approach is to authenticate as yourself and then have your app save the data, then present it from your own db.
Be sure to update the data every once in a while.