search

MethodsAndPractices / vsteam

PowerShell module for accessing Azure DevOps Services and Azure DevOps Server (formerly VSTS or TFS)
https://methodsandpractices.github.io/vsteam-docs/
MIT License
447 stars 155 forks source link

Latest DevOps fails to authenticate with Basic PAT base64 encoded #569

Closed saioia-msu closed 2 months ago

saioia-msu commented 4 months ago

Steps to reproduce

If you provide a PAT that is already ready to use with the ADO API, with the colon-delimited prefix and base64 encoded again, the module will still re-encode it with a colon and empty prefix. This leads to weird errors and the module acting unpredictably. For example, this does not work:

Set-VSTeamAccount -Account $organization -PersonalAccessToken $pat
Set-VSTeamAPIVersion -Service Core 7.0
Get-VSTeamProject -Verbose

The issue can be worked around by converting it back yourself after providing it to Set-VSTeamAccount, or supplying the correct value directly:

$env:TEAM_PAT = [System.Text.Encoding]::UTF8.GetString([System.Convert]::FromBase64String($env:TEAM_PAT)).TrimStart(':')
# or
$env:TEAM_PAT = "abcd1234"

Expected behavior

VERBOSE: Calling: https://dev.azure.com/org/_apis/projects?api-version=7.0&stateFilter=WellFormed
VERBOSE: Team Module/7.15.2 (Windows) PowerShell/7.4.2
VERBOSE: Requested HTTP/1.1 GET with 0-byte payload
VERBOSE: Received HTTP/1.1 response of content type application/json of unknown size
VERBOSE: Content encoding: utf-8
VERBOSE: return type: PSCustomObject
VERBOSE: @{count=1; value=System.Object[]}

Name                  Description
----                  -----------
MyProject

Actual behavior?

VERBOSE: Calling: https://dev.azure.com/org/_apis/projects?api-version=7.0&stateFilter=WellFormed
VERBOSE: Team Module/7.15.2 (Windows) PowerShell/7.4.2
VERBOSE: Requested HTTP/1.1 GET with 0-byte payload
VERBOSE: Received HTTP/1.1 15674-byte response of content type text/html
VERBOSE: Content encoding: utf-8
VERBOSE: return type: string
VERBOSE: 

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
<html lang="en-US">
<head><title>Azure DevOps Services | Sign In</title>
...

On Which OS have you tried it?

Windows

What was your server version?

Azure DevOps Services

Other server version

No response

Log output of used API

Billing                     : 5.1-preview.1
Build                       : 7.0
Core                        : 7.0
DistributedTask             : 6.0-preview
DistributedTaskReleased     : 5.1
ExtensionsManagement        : 6.0-preview
Git                         : 5.1
Graph                       : 6.0-preview
HierarchyQuery              : 5.1-preview
MemberEntitlementManagement : 6.0-preview
Packaging                   : 6.0-preview
Pipelines                   : 5.1-preview
Policy                      : 5.1
Processes                   : 6.0-preview
Release                     : 5.1
ServiceEndpoints            : 5.0-preview
TaskGroups                  : 6.0-preview
Tfvc                        : 5.1
VariableGroups              : 5.1-preview.1
Version                     : AzD
Wiki                        : 6.0
WorkItemTracking            : 6.0-preview.1

Log output of $PSVersionTable

Name                           Value
----                           -----
PSVersion                      7.4.2
PSEdition                      Core
GitCommitId                    7.4.2
OS                             Microsoft Windows 10.0.22631
Platform                       Win32NT
PSCompatibleVersions           {1.0, 2.0, 3.0, 4.0…}
PSRemotingProtocolVersion      2.3
SerializationVersion           1.1.0.1
WSManStackVersion              3.0
mnieto commented 4 months ago

Hi At least in ADO (I did not test on TFS) the PAT is provided directly, without encoding. I just tested 2 minutes ago just in case. So the Set-VSTeamAccount cmdlet will expect you provide the PAT without encoding, that is, you just need to copy/paste from ADO to the console

saioia-msu commented 3 months ago

I'm sorry, you're correct. I was getting the key from an internal API, not from the ADO UI. There it is provided as you described. I am new to ADO so I was not aware that was how it was normally delivered.

Still, it would be best to check to see if the PAT is already encoded and if so, to not re-encode it. Though I suppose such a situation would not be very common.

sreich commented 2 months ago

I'm just strolling by here but thanks for this as this is the very first question/issue I ran into.

For me, I didn't realize "account" is actually org. I was using my own AD account in a corp environment and getting 404

I think the docs could use improvement in this area. Especially since the "getting started" page really just points to a dead space where documentation might eventually be 😝