Closed: flixman closed this 2 years ago

Describe the bug
I have an Azure app, having granted the 'impersonate_user' permission, that needs to be able to perform calls to Azure DevOps on behalf of the user. Instead of getting a token allowing me to do so, I get an error. Am I missing a permission on the app, am I doing something wrong, or is this a bug?

To Reproduce
Just use the following snippet with the corresponding access token, client_id, client_secret and tenant parameters.

Expected behavior
A token that I can use to authenticate to Azure DevOps.

What you see instead
The error invalid_grant and the description "ADSTS50013: Assertion failed signature validation. [Reason - The provided signature value did not match the expected signature value., Thumbprint of key used by client: '8D2D57A353960E3FF9DAF6F018D82F40ED95CCC7', Found key 'Start=01/30/2022 23:06:14, End=01/30/2027 23:06:14']."

The MSAL Python version you are using
1.17.0

Your calling pattern seems about right. I can't tell whether it was some configuration issue. Some reference materials for you:

@flixman - You have a Python web app that needs to access the Azure DevOps API. You have deployed this app on Azure App Service and are currently using the built-in authentication feature of App Service, aka EasyAuth. The value of the access token generated from EasyAuth is actually an "authentication code", and when the resource is set, the EasyAuth module exchanges this "authentication code" at the /token endpoint of Azure Active Directory to get an access token. We ran a couple of tests at your end and figured out that the scope user_impersonation was not set at the resource level.

Work Around - To achieve this we need to set the resource using the Azure Resource Explorer.

Recommendation - We highly recommend you to use MSAL Python in your application code so that the authentication can be handled at the application level. This web application will use MSAL for Python to sign in a user and obtain an access token for the API (Azure DevOps in your case) from Azure AD. The access token will prove that the user is authorized to access the API endpoint as defined in the scope. You can refer to the below sample for reference: GitHub - Azure-Samples/ms-identity-python-flask-webapp-call-graph: Python Flask web application that leverages MSAL Python to get an access token to call MS Graph API. Please let us know in case you have any further questions or queries and we will be happy to answer.
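The maintainer's diagnosis above comes down to one question: is the token that EasyAuth hands the app actually an access token for the Azure DevOps resource with the user_impersonation scope, or something else (an ID token, or a token minted for another resource)? The following is an added diagnostic example, not code from this issue or from the MSAL Python project. It decodes a token's header and claims without verifying the signature (it is an inspection aid only, never an authorization check) and lists the mismatches a practitioner would look for before passing the token into an on-behalf-of exchange. The Azure DevOps resource ID and the Microsoft Graph ID used in the constructed samples are assumed, well-known values that you should confirm against your own tenant; the sample tokens are constructed inline with a dummy signature so the script runs offline.

```python
import base64
import json
import time
from typing import Dict, List, Optional

# Assumed resource (application) ID of Azure DevOps; verify it against the
# service principal in your own tenant before relying on it.
ASSUMED_AZURE_DEVOPS_RESOURCE_ID = "499b84ac-1321-427f-aa17-267ca6975798"


def _b64url_decode(segment: str) -> bytes:
    """Decode a base64url segment, restoring the '=' padding that JWTs strip."""
    segment += "=" * (-len(segment) % 4)
    return base64.urlsafe_b64decode(segment)


def _b64url_encode(data: bytes) -> str:
    """Encode bytes as unpadded base64url, the JWT segment encoding."""
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def inspect_token(token: str) -> Dict[str, dict]:
    """Return the decoded header and claims of a compact JWS.

    The signature is NOT verified here, so the result proves nothing about
    who issued the token; use it only to see what the token claims to be.
    """
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("expected a compact JWS with three dot-separated parts")
    header = json.loads(_b64url_decode(parts[0]))
    claims = json.loads(_b64url_decode(parts[1]))
    return {"header": header, "claims": claims}


def check_devops_token(token: str, expected_audience: str,
                       now: Optional[float] = None) -> List[str]:
    """List reasons a token would not work as a user-delegated Azure DevOps token."""
    decoded = inspect_token(token)
    header, claims = decoded["header"], decoded["claims"]
    findings: List[str] = []

    # EasyAuth may hand the app an ID token or a token for a different
    # resource instead of an access token for the API it needs to call.
    aud = claims.get("aud")
    if aud != expected_audience:
        findings.append(f"audience {aud!r} is not the expected resource {expected_audience!r}")

    # The delegated scope the maintainer found missing at the resource level.
    scopes = set(str(claims.get("scp", "")).split())
    if "user_impersonation" not in scopes:
        findings.append(f"scope user_impersonation is missing (scp={claims.get('scp')!r})")

    # Without kid/x5t the verifier cannot even pick a signing key to compare
    # against the thumbprint it reports in AADSTS signature errors.
    if "kid" not in header and "x5t" not in header:
        findings.append("header carries no kid/x5t, so the signing key cannot be identified")

    now = time.time() if now is None else now
    exp = claims.get("exp")
    if exp is None or exp < now:
        findings.append("token is expired or has no exp claim")
    return findings


def make_unsigned_sample(claims: dict, header: Optional[dict] = None) -> str:
    """Build a constructed sample token with a dummy signature for offline demos."""
    header = header or {"typ": "JWT", "alg": "RS256", "kid": "constructed-kid"}
    return ".".join([
        _b64url_encode(json.dumps(header).encode()),
        _b64url_encode(json.dumps(claims).encode()),
        _b64url_encode(b"not-a-real-signature"),
    ])


# Constructed samples (fixed clock for reproducibility): one token issued for
# Microsoft Graph without user_impersonation, one with the expected shape.
SAMPLE_NOW = 1_650_000_000
WRONG_TOKEN = make_unsigned_sample({
    "aud": "00000003-0000-0000-c000-000000000000",  # Microsoft Graph, for illustration
    "scp": "User.Read",
    "exp": SAMPLE_NOW + 3600,
})
GOOD_TOKEN = make_unsigned_sample({
    "aud": ASSUMED_AZURE_DEVOPS_RESOURCE_ID,
    "scp": "user_impersonation",
    "exp": SAMPLE_NOW + 3600,
})

if __name__ == "__main__":
    for name, tok in [("wrong", WRONG_TOKEN), ("good", GOOD_TOKEN)]:
        problems = check_devops_token(tok, ASSUMED_AZURE_DEVOPS_RESOURCE_ID, now=SAMPLE_NOW)
        print(name, problems or ["ok"])
```

Run it against the real value EasyAuth exposes (for example the X-MS-TOKEN-AAD-ACCESS-TOKEN request header) before the on-behalf-of call: if the audience or scope findings fire, the fix is in the App Service resource configuration or app registration, not in the MSAL calling pattern.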