I have a web app running in Azure within the context of a Managed Identity. This managed identity has been made an owner of the Azure DevOps project. I am attempting to connect to the Azure DevOps API and retrieve a list of releases. When working with a PAT token, all is well. When this thing is deployed to WebApp, I am getting the error in question. Managed Identity appears to be correctly configured on the WebApp, as it connects to various Azure resources w/o issues.
What am I missing? This is a greenfield project, so everything is latest. Using Microsoft.VisualStudio.Services.* v19.225.1 NuGet packages.
```csharp
public class VssCredentialProvider : IVssCredentialProvider
{
    private readonly IRuntimeEnvironmentQuery _runtime;
    private readonly IAppLogger _logger;
    private const string AdoAppClientId = "499b84ac-1321-427f-aa17-267ca6975798/.default";

    public VssCredentialProvider(IRuntimeEnvironmentQuery runtime, IAppLogger logger)
    {
        _runtime = runtime;
        _logger = logger;
    }

    public async Task<VssCredentials> GetVssCredentials()
    {
        if (_runtime.IsDevelopment)
        {
            var vsoId = System.Environment.GetEnvironmentVariable("VSO_ID")!;
            var vsoToken = System.Environment.GetEnvironmentVariable("VSO_PAT")!;
            return new VssCredentials(new VssBasicCredential(vsoId, vsoToken));
        }

        var tokenObject = await new DefaultAzureCredential()
            .GetTokenAsync(new TokenRequestContext(scopes: new[] { $"{AdoAppClientId}/.default" }));
        await _logger.LogAsync($"Retrieved ADO API token expiring on {tokenObject.ExpiresOn}");
        return new VssCredentials(new VssOAuthAccessTokenCredential(tokenObject.Token));
    }
}
```
Try to use

```csharp
GetTokenAsync(new TokenRequestContext(new[] { "499b84ac-1321-427f-aa17-267ca6975798/.default" }), CancellationToken.None);
```

As mentioned by mbd, the scope is `499b84ac-1321-427f-aa17-267ca6975798/.default/.default` in your scripts.

You can also refer to this sample code.
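
One way to keep the doubled `/.default` from recurring, as an added example that is not part of the original question or answer: keep the resource ID and the scope suffix separate, build the scope in one place, and log the token's `aud` claim so a wrong audience is visible without logging the token. `AdoTokenHelper`, `BuildScope`, `ReadAudience` and `GetAdoTokenAsync` are hypothetical names, and the code assumes the access token is a JWT, as Entra ID access tokens normally are.

```csharp
using System;
using System.Text;
using System.Text.Json;
using System.Threading;
using System.Threading.Tasks;
using Azure.Core;
using Azure.Identity;

public static class AdoTokenHelper // hypothetical helper, not part of any SDK
{
    // Resource (application) ID only, as quoted in the answer; no "/.default" here.
    private const string AdoResourceId = "499b84ac-1321-427f-aa17-267ca6975798";
    private const string DefaultSuffix = "/.default";

    // Appends "/.default" exactly once, whatever form the caller passes in.
    public static string BuildScope(string resource)
    {
        var r = resource.Trim();
        while (r.EndsWith(DefaultSuffix, StringComparison.OrdinalIgnoreCase))
            r = r[..^DefaultSuffix.Length];
        if (r.Length == 0) throw new ArgumentException("Empty resource.", nameof(resource));
        return r + DefaultSuffix;
    }

    // Reads the "aud" claim from the JWT payload for logging only; no signature check.
    // Assumption: the token is a three-part JWT; returns null if it is not.
    public static string? ReadAudience(string jwt)
    {
        var parts = jwt.Split('.');
        if (parts.Length != 3) return null;
        var b64 = parts[1].Replace('-', '+').Replace('_', '/');
        b64 = b64.PadRight(b64.Length + (4 - b64.Length % 4) % 4, '=');
        using var doc = JsonDocument.Parse(Encoding.UTF8.GetString(Convert.FromBase64String(b64)));
        return doc.RootElement.TryGetProperty("aud", out var aud) ? aud.ToString() : null;
    }

    public static async Task<AccessToken> GetAdoTokenAsync(CancellationToken ct = default)
    {
        var scope = BuildScope(AdoResourceId);
        var token = await new DefaultAzureCredential()
            .GetTokenAsync(new TokenRequestContext(new[] { scope }), ct);
        // Log the audience and expiry, never the token itself.
        Console.WriteLine($"scope={scope} aud={ReadAudience(token.Token)} expires={token.ExpiresOn:u}");
        return token;
    }
}
```

The returned `token.Token` can then be passed to `VssOAuthAccessTokenCredential` exactly as in the question's `GetVssCredentials`.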