coder / coder

Provision remote development environments via Terraform
https://coder.com
GNU Affero General Public License v3.0

External Git Auth to Azure Devops #12351

Open waza-ari opened 4 months ago

waza-ari commented 4 months ago

Dear team,

we're trying to connect Coder to Azure DevOps and have created an application using this link. We've selected vso.code_write as the scope, as we felt this was enough.

Coder is configured as follows:

          {
            name: 'CODER_EXTERNAL_AUTH_0_ID',
            value: 'azure-devops',
          },
          {
            name: 'CODER_EXTERNAL_AUTH_0_TYPE',
            value: 'azure-devops',
          },
          {
            name: 'CODER_EXTERNAL_AUTH_0_CLIENT_ID',
            value: '9F18FE9D-xxxx-xxxx-xxxx-99568C44AC66',
          },
          {
            name: 'CODER_EXTERNAL_AUTH_0_CLIENT_SECRET',
            valueFrom: {
              secretKeyRef: {
                name: secretname,
                key: 'devops_oidc_secret',
              },
            },
          },
          {
            name: 'CODER_EXTERNAL_AUTH_0_AUTH_URL',
            value: 'https://app.vssps.visualstudio.com/oauth2/authorize',
          },
          {
            name: 'CODER_EXTERNAL_AUTH_0_TOKEN_URL',
            value: 'https://app.vssps.visualstudio.com/oauth2/token',
          },
          {
            name: 'CODER_EXTERNAL_AUTH_0_SCOPES',
            value: 'vso.code_write',
          },

It's a helm chart and the OIDC secret is read from a secret, but in the end the values will be there. When trying to authenticate, we're getting an error saying "Encountered error in oidc process: InvalidScope", unfortunately not containing any more information. My questions:

Thanks in advance

matifali commented 4 months ago

cc: @ericpaulsen

wf1-brandon-grant commented 3 months ago

Hi, I have got this working recently using vso.code_manage, and it uses Entra ID.

waza-ari commented 3 months ago

Hi @wf1-brandon-grant would you be willing to share your config with me? I've created an Entra ID App Registration, assigned the vso.code_manage scope (no admin consent though, shouldn't be needed imho) and changed the config to:


          {
            name: 'CODER_EXTERNAL_AUTH_0_ID',
            value: 'azure-devops',
          },
          {
            name: 'CODER_EXTERNAL_AUTH_0_TYPE',
            value: 'azure-devops',
          },
          {
            name: 'CODER_EXTERNAL_AUTH_0_CLIENT_ID',
            value: '792932da-xxxx-xxxx-xxxx-12f7eff6f660',
          },
          {
            name: 'CODER_EXTERNAL_AUTH_0_CLIENT_SECRET',
            valueFrom: {
              secretKeyRef: {
                name: secretname,
                key: 'devops_oidc_secret',
              },
            },
          },
          {
            name: 'CODER_EXTERNAL_AUTH_0_AUTH_URL',
            value: 'https://login.microsoftonline.com/<our-tenant>/oauth2/v2.0/authorize',
          },
          {
            name: 'CODER_EXTERNAL_AUTH_0_TOKEN_URL',
            value: 'https://login.microsoftonline.com/<our-tenant>/oauth2/v2.0/token',
          },
          {
            name: 'CODER_EXTERNAL_AUTH_0_SCOPES',
            value: 'vso.code_manage',
          },

When trying to authenticate with DevOps during workspace creation, I'm getting this error:

{"message":"Encountered error in oidc process: unsupported_response_type","detail":"AADSTS70005: 'The application requested an unsupported response type '' when requesting a token. Trace ID: 187643bb-xxxx-xxxx-xxxx-aef43fc24e00 Correlation ID: 5c62cbfe-xxxx-xxxx-xxxx-15b054dae3ee Timestamp: 2024-03-05 16:45:10Z, error_uri: https://login.microsoftonline.com/error?code=70005"}

wf1-brandon-grant commented 3 months ago

Hey @waza-ari, sure, not a problem.

I followed the guidance from this Microsoft document and created an app at the register URL.

Then using these environment variables (remember to ensure that the CODER_ACCESS_URL matches that of the callback URL in the registration):

- name: CODER_EXTERNAL_AUTH_0_ID
  value: "primary-devops"
- name: CODER_EXTERNAL_AUTH_0_TYPE
  value: "azure-devops"
- name: CODER_EXTERNAL_AUTH_0_CLIENT_ID
  valueFrom:
    secretKeyRef:
      name: azure-devops-oauth
      key: client_id
- name: CODER_EXTERNAL_AUTH_0_CLIENT_SECRET
  valueFrom:
    secretKeyRef:
      name: azure-devops-oauth
      key: client_secret
- name: CODER_EXTERNAL_AUTH_0_AUTH_URL
  value: "https://app.vssps.visualstudio.com/oauth2/authorize"
- name: CODER_EXTERNAL_AUTH_0_TOKEN_URL
  value: "https://app.vssps.visualstudio.com/oauth2/token"
- name: CODER_EXTERNAL_AUTH_0_SCOPES
  value: "vso.code_manage"

waza-ari commented 3 months ago

Thanks! Still no luck on my end though. I've tried your setup and I've tried the newly documented Entra ID authentication; however, when requiring the user to log in during workspace creation, I'm getting this error message. I've not tried cloning within a workspace, as I want the users to connect to DevOps once before creating the workspace.

{"message":"Internal error exchanging Oauth code.","detail":"Post \"\": unsupported protocol scheme \"\""}

The environment variables look like this:

        - name: CODER_EXTERNAL_AUTH_0_ID
          value: azure-devops
        - name: CODER_EXTERNAL_AUTH_0_TYPE
          value: azure-devops-entra
        - name: CODER_EXTERNAL_AUTH_0_CLIENT_ID
          value: 792932da-xxxx-xxxx-xxxx-12f7eff6f660
        - name: CODER_EXTERNAL_AUTH_0_CLIENT_SECRET
          valueFrom:
            secretKeyRef:
              key: devops_oidc_secret
              name: my-secret
        - name: CODER_EXTERNAL_AUTH_0_AUTH_URL
          value: >-
            https://login.microsoftonline.com/57952406-xxxx-xxxx-xxxx-a4e06f57476d/oauth2/authorize

Then the workspace definition is:

data "coder_external_auth" "devops" {
  # Matches the ID of the external auth provider in Coder.
  id = "azure-devops"
}

// ...

resource "coder_agent" "main" {
  env = {
    GITHUB_TOKEN : data.coder_external_auth.devops.access_token
  }
}

In Entra ID, we've simply created an App Registration and assigned the vso.code_write scope as defined in the docs:

[image: screenshot of the App Registration permissions]

Then we configured the redirect URL (configured to be https://coder.my-url.com/external-auth/azure-devops/callback) and enabled the implicit flow.

Coder pod logs are showing:

2024-03-12 08:53:16.518 [warn]  coderd: requester is not authorized to access the object  internal_error=<nil>  request_id=f7409f1d-xxxx-xxxx-xxxx-4f6ae68905e0  roles="[member organization-member:8fedcd6d-xxxx-xxxx-xxxx-6e9daaf0fe70]"  actor_id=8a04326e-xxxx-xxxx-xxxx-4cb5b86cfc46  actor_name=my_name  scope=all  route=/api/v2/deployment/stats  action=read  object={"id":"","owner":"","org_owner":"","type":"deployment_stats","acl_user_list":null,"acl_group_list":null}

2024-03-12 08:53:18.208 [warn]  coderd: GET  host=coder.my-url.com  path=/external-auth/azure-devops/callback  proto=HTTP/1.1  remote_addr=xxx.xxx.xxx.xxx  start="2024-03-12T08:53:18.206321966Z"  took=2.118183ms  status_code=500  latency_ms=2  response_body="{\"message\":\"Internal error exchanging Oauth code.\",\"detail\":\"Post \\\"\\\": unsupported protocol scheme \\\"\\\"\"}\n"  request_id=b1c03af8-0cf6-492c-a611-ec72d2de18d2

deansheather commented 3 months ago

When you updated your environment variables you forgot to add back CODER_EXTERNAL_AUTH_0_TOKEN_URL.

waza-ari commented 3 months ago

@deansheather I followed these guides, which do not include the TOKEN_URL. I can try adding it.

Update: You're right, adding the token endpoint works, now I can successfully authenticate 🎉

Update 2: There are more issues though. I needed to add another variable containing the regex, as otherwise the configured provider didn't match:

        - name: CODER_EXTERNAL_AUTH_0_REGEX
          value: dev.azure.com

Now, when I try to clone something, I'm getting:

Cloning into 'my-repo'...
fatal: Authentication failed for 'https://dev.azure.com/org/project/_git/my-repo/'

waza-ari commented 3 months ago

I've tried to revert to ASKPASS behaviour as described in #12291, but it doesn't change anything sadly.

coder@coder-xxx-test-857886fc98-r5rxm:~$ cat .gitconfig
[credential]
        useHttpPath = true

An AT is returned, though I'm confused that the username contains a token as well:

$ curl "${CODER_AGENT_URL}"'api/v2/workspaceagents/me/external-auth?url=https://dev.azure.com/' -H "Coder-Session-Token: ${CODER_AGENT_TOKEN}"

{"access_token":"eyJ0eXAiOiJKV1QiLCJhbGciOiJSUzI1NiIsIng1dCI6IlhSdmtvOFA3QTNVYVdTblU3Yk05blQwTWpoQSIsImtpZCI6IlhSdmtvOFA3QTNVYVdTblU3Yk05blQwTWpoQSJ9.xxx-K5GKaE8z-xxx","token_extra":null,"url":"","type":"azure-devops-entra","username":"eyJ0eXAiOiJKV1QiLCJhbGciOiJSUzI1NiIsIng1dCI6IlhSdmtvOFA3QTNVYVdTblU3Yk05blQwTWpoQSIsImtpZCI6IlhSdmtvOFA3QTNVYVdTblU3Yk05blQwTWpoQSJ9.xxx-K5GKaE8z-xxx","password":""}

The entire git log:

$ GIT_CURL_VERBOSE=1 GIT_TRACE=1 git clone https://dev.azure.com/my-org/my-project/_git/my-repo

12:43:27.327726 git.c:463               trace: built-in: git clone https://dev.azure.com/my-org/my-project/_git/my-repo
Cloning into 'my-repo'...
12:43:27.338288 run-command.c:657       trace: run_command: git remote-https origin https://dev.azure.com/my-org/my-project/_git/my-repo
12:43:27.339613 git.c:749               trace: exec: git-remote-https origin https://dev.azure.com/my-org/my-project/_git/my-repo
12:43:27.339642 run-command.c:657       trace: run_command: git-remote-https origin https://dev.azure.com/my-org/my-project/_git/my-repo
12:43:27.343199 http.c:843              == Info: Couldn't find host dev.azure.com in the (nil) file; using defaults
12:43:27.490868 http.c:843              == Info:   Trying 13.107.42.20:443...
12:43:27.494776 http.c:843              == Info: Connected to dev.azure.com (13.107.42.20) port 443 (#0)
12:43:27.534562 http.c:843              == Info: found 411 certificates in /etc/ssl/certs
12:43:27.534645 http.c:843              == Info: GnuTLS ciphers: NORMAL:-ARCFOUR-128:-CTYPE-ALL:+CTYPE-X509:-VERS-SSL3.0
12:43:27.534672 http.c:843              == Info: ALPN, offering h2
12:43:27.534678 http.c:843              == Info: ALPN, offering http/1.1
12:43:27.546386 http.c:843              == Info: SSL connection using TLS1.2 / ECDHE_RSA_AES_256_GCM_SHA384
12:43:27.548677 http.c:843              == Info:   server certificate verification OK
12:43:27.548691 http.c:843              == Info:   server certificate status verification SKIPPED
12:43:27.548815 http.c:843              == Info:   common name: dev.azure.com (matched)
12:43:27.548824 http.c:843              == Info:   server certificate expiration date OK
12:43:27.548828 http.c:843              == Info:   server certificate activation date OK
12:43:27.548836 http.c:843              == Info:   certificate public key: RSA
12:43:27.548848 http.c:843              == Info:   certificate version: #3
12:43:27.548880 http.c:843              == Info:   subject: C=US,ST=WA,L=Redmond,O=Microsoft Corporation,CN=dev.azure.com
12:43:27.548893 http.c:843              == Info:   start date: Sat, 30 Dec 2023 01:04:01 GMT
12:43:27.548903 http.c:843              == Info:   expire date: Thu, 27 Jun 2024 01:04:01 GMT
12:43:27.548923 http.c:843              == Info:   issuer: C=US,O=Microsoft Corporation,CN=Microsoft Azure RSA TLS Issuing CA 04
12:43:27.548939 http.c:843              == Info: ALPN, server accepted to use h2
12:43:27.548984 http.c:843              == Info: Using HTTP2, server supports multiplexing
12:43:27.548992 http.c:843              == Info: Connection state changed (HTTP/2 confirmed)
12:43:27.548998 http.c:843              == Info: Copying HTTP/2 data in stream buffer to connection buffer after upgrade: len=0
12:43:27.549074 http.c:843              == Info: Using Stream ID: 1 (easy handle 0x55f7d6822ac0)
12:43:27.549110 http.c:790              => Send header, 0000000274 bytes (0x00000112)
12:43:27.549120 http.c:802              => Send header: GET /my-org/my-project/_git/my-repo/info/refs?service=git-upload-pack HTTP/2
12:43:27.549125 http.c:802              => Send header: Host: dev.azure.com
12:43:27.549128 http.c:802              => Send header: user-agent: git/2.43.2
12:43:27.549130 http.c:802              => Send header: accept: */*
12:43:27.549134 http.c:802              => Send header: accept-encoding: deflate, gzip, br, zstd
12:43:27.549136 http.c:802              => Send header: accept-language: C, *;q=0.9
12:43:27.549138 http.c:802              => Send header: pragma: no-cache
12:43:27.549141 http.c:802              => Send header: git-protocol: version=2
12:43:27.549143 http.c:802              => Send header:
12:43:27.608140 http.c:790              <= Recv header, 0000000013 bytes (0x0000000d)
12:43:27.608160 http.c:802              <= Recv header: HTTP/2 401
12:43:27.608171 http.c:790              <= Recv header, 0000000024 bytes (0x00000018)
12:43:27.608173 http.c:802              <= Recv header: cache-control: private
12:43:27.608177 http.c:790              <= Recv header, 0000000023 bytes (0x00000017)
12:43:27.608188 http.c:802              <= Recv header: content-length: 89619
12:43:27.608198 http.c:790              <= Recv header, 0000000025 bytes (0x00000019)
12:43:27.608204 http.c:802              <= Recv header: content-type: text/html
12:43:27.608211 http.c:790              <= Recv header, 0000000124 bytes (0x0000007c)
12:43:27.608229 http.c:802              <= Recv header: p3p: CP="CAO DSP COR ADMa DEV CONo TELo CUR PSA PSD TAI IVDo OUR SAMi BUS DEM NAV STA UNI COM INT PHY ONL FIN PUR LOC CNT"
12:43:27.608237 http.c:790              <= Recv header, 0000000115 bytes (0x00000073)
12:43:27.608241 http.c:802              <= Recv header: www-authenticate: Bearer authorization_uri=https://login.microsoftonline.com/57952406-xxxx-xxxx-xxxx-a4e06f57476d
12:43:27.608250 http.c:790              <= Recv header, 0000000071 bytes (0x00000047)
12:43:27.608256 http.c:802              <= Recv header: www-authenticate: Basic realm="https://tfsprodneu2.visualstudio.com/"
12:43:27.608260 http.c:790              <= Recv header, 0000000033 bytes (0x00000021)
12:43:27.608271 http.c:802              <= Recv header: www-authenticate: TFS-Federated
12:43:27.608283 http.c:790              <= Recv header, 0000000055 bytes (0x00000037)
12:43:27.608291 http.c:802              <= Recv header: x-tfs-processid: 671b689c-275f-4d3d-b392-0c03c739cebb
12:43:27.608297 http.c:790              <= Recv header, 0000000064 bytes (0x00000040)
12:43:27.608303 http.c:802              <= Recv header: strict-transport-security: max-age=31536000; includeSubDomains
12:43:27.608311 http.c:790              <= Recv header, 0000000050 bytes (0x00000032)
12:43:27.608321 http.c:802              <= Recv header: activityid: 48d864a0-c2df-4c73-8e66-86eed3ba86de
12:43:27.608328 http.c:790              <= Recv header, 0000000053 bytes (0x00000035)
12:43:27.608333 http.c:802              <= Recv header: x-tfs-session: 48d864a0-c2df-4c73-8e66-86eed3ba86de
12:43:27.608339 http.c:790              <= Recv header, 0000000051 bytes (0x00000033)
12:43:27.608345 http.c:802              <= Recv header: x-vss-e2eid: 48d864a0-c2df-4c73-8e66-86eed3ba86de
12:43:27.608352 http.c:790              <= Recv header, 0000000064 bytes (0x00000040)
12:43:27.608355 http.c:802              <= Recv header: x-vss-senderdeploymentid: a6c8fbe9-7425-4392-883d-c602e2e7f7eb
12:43:27.608362 http.c:790              <= Recv header, 0000000029 bytes (0x0000001d)
12:43:27.608365 http.c:802              <= Recv header: x-frame-options: SAMEORIGIN
12:43:27.608372 http.c:790              <= Recv header, 0000000059 bytes (0x0000003b)
12:43:27.608379 http.c:802              <= Recv header: x-tfs-fedauthrealm: https://tfsprodneu2.visualstudio.com/
12:43:27.608382 http.c:790              <= Recv header, 0000000057 bytes (0x00000039)
12:43:27.608389 http.c:802              <= Recv header: x-tfs-fedauthissuer: https://dev.azure.com/my-org/
12:43:27.608392 http.c:790              <= Recv header, 0000000071 bytes (0x00000047)
12:43:27.608397 http.c:802              <= Recv header: x-vss-authorizationendpoint: https://vssps.dev.azure.com/my-org/
12:43:27.608400 http.c:790              <= Recv header, 0000000060 bytes (0x0000003c)
12:43:27.608403 http.c:802              <= Recv header: x-vss-resourcetenant: 57952406-xxxx-xxxx-xxxx-a4e06f57476d
12:43:27.608412 http.c:790              <= Recv header, 0000000710 bytes (0x000002c6)
12:43:27.608419 http.c:802              <= Recv header: x-tfs-soapexception: %3C%3Fxml%20version%3D%221.0%22%20encoding%3D%22utf-8%22%3F%3E%3Csoap%3AEnvelope%20xmlns%3Asoap%3D%22http%3A%2F%2Fwww.w3.org%2F2003%2F05%2Fsoap-envelope%22%3E%3Csoap%3ABody%3E%3Csoap%3AFault%3E%3Csoap%3ACode%3E%3Csoap%3AValue%3Esoap%3AReceiver%3C%2Fsoap%3AValue%3E%3Csoap%3ASubcode%3E%3Csoap%3AValue%3EUnauthorizedRequestException%3C%2Fsoap%3AValue%3E%3C%2Fsoap%3ASubcode%3E%3C%2Fsoap%3ACode%3E%3Csoap%3AReason%3E%3Csoap%3AText%20xml%3Alang%3D%22en%22%3ETF400813%3A%20The%20user%20%27aaaaaaaa-aaaa-aaaa-aaaa-aaaaaaaaaaaa%27%20is%20not%20authorized%20to%20access%20this%20resource.%3C%2Fsoap%3AText%3E%3C%2Fsoap%3AReason%3E%3C%2Fsoap%3AFault%3E%3C%2Fsoap%3ABody%3E%3C%2Fsoap%3AEnvelope%3E
12:43:27.608430 http.c:790              <= Recv header, 0000000148 bytes (0x00000094)
12:43:27.608437 http.c:802              <= Recv header: x-tfs-serviceerror: TF400813%3A%20The%20user%20%27aaaaaaaa-aaaa-aaaa-aaaa-aaaaaaaaaaaa%27%20is%20not%20authorized%20to%20access%20this%20resource.
12:43:27.608441 http.c:790              <= Recv header, 0000000079 bytes (0x0000004f)
12:43:27.608446 http.c:802              <= Recv header: x-vss-s2stargetservice: 00000002-0000-8888-8000-000000000000/visualstudio.com
12:43:27.608450 http.c:790              <= Recv header, 0000000557 bytes (0x0000022d)
12:43:27.608456 http.c:802              <= Recv header: x-tfs-fedauthredirect: https://spsprodneu1.vssps.visualstudio.com/_signin?realm=dev.azure.com&reply_to=https%3A%2F%2Fdev.azure.com%2Fmy-org%2Fmy-project%2F_git%2Fmy-repo%2Finfo%2Frefs%3Fservice%3Dgit-upload-pack&redirect=1&hid=7b32b422-6b88-4750-bdfe-9adf36851a1d&context=eyJodCI6MiwiaGlkIjoiNGRkNDY1NWQtMWIzOC00MDc1LTkxZWUtZmQyNTc0YzllZDZhIiwicXMiOnt9LCJyciI6IiIsInZoIjoiIiwiY3YiOiIiLCJjcyI6IiJ90#ctx=eyJTaWduSW5Db29raWVEb21haW5zIjpbImh0dHBzOi8vbG9naW4ubWljcm9zb2Z0b25saW5lLmNvbSIsImh0dHBzOi8vbG9naW4ubWljcm9zb2Z0b25saW5lLmNvbSJdfQ2
12:43:27.608465 http.c:790              <= Recv header, 0000000068 bytes (0x00000044)
12:43:27.608467 http.c:802              <= Recv header: request-context: appId=cid-v1:e6292eea-fb85-4107-bc0a-339fd28d3647
12:43:27.608472 http.c:790              <= Recv header, 0000000048 bytes (0x00000030)
12:43:27.608477 http.c:802              <= Recv header: access-control-expose-headers: Request-Context
12:43:27.608484 http.c:790              <= Recv header, 0000000033 bytes (0x00000021)
12:43:27.608489 http.c:802              <= Recv header: x-content-type-options: nosniff
12:43:27.608492 http.c:790              <= Recv header, 0000000025 bytes (0x00000019)
12:43:27.608496 http.c:802              <= Recv header: x-cache: CONFIG_NOCACHE
12:43:27.608499 http.c:790              <= Recv header, 0000000104 bytes (0x00000068)
12:43:27.608501 http.c:802              <= Recv header: x-msedge-ref: Ref A: 0D3717FC6BBC49B6BB323DCFDCC86A87 Ref B: DUS30EDGE0909 Ref C: 2024-03-12T12:43:27Z
12:43:27.608508 http.c:790              <= Recv header, 0000000037 bytes (0x00000025)
12:43:27.608511 http.c:802              <= Recv header: date: Tue, 12 Mar 2024 12:43:27 GMT
12:43:27.608517 http.c:790              <= Recv header, 0000000002 bytes (0x00000002)
12:43:27.608520 http.c:802              <= Recv header:
12:43:27.626089 http.c:843              == Info: Connection #0 to host dev.azure.com left intact
12:43:27.626149 run-command.c:657       trace: run_command: /tmp/coder.ZOQSXM/coder 'Username for '\''https://dev.azure.com/my-org/my-project/_git/my-repo'\'': '
12:43:27.732550 run-command.c:657       trace: run_command: /tmp/coder.ZOQSXM/coder 'Password for '\''https://eyJ0eXAiOiJKV1QiLCJhbGciOiJSUzI1NiIsIng1dCI6IlhSdmtvOFA3QTNVYVdTblU3Yk05blQwTWpoQSIsImtpZCI6IlhSdmtvOFA3QTNVYVdTblU3Yk05blQwTWpoQSJ9.xxx-xxx-xxx@dev.azure.com/my-org/my-project/_git/my-repo'\'': '
12:43:27.810507 http.c:843              == Info: Found bundle for host dev.azure.com: 0x55f7d6828ba0 [can multiplex]
12:43:27.810562 http.c:843              == Info: Re-using existing connection! (#0) with host dev.azure.com
12:43:27.810574 http.c:843              == Info: Connected to dev.azure.com (13.107.42.20) port 443 (#0)
12:43:27.810611 http.c:843              == Info: Using Stream ID: 3 (easy handle 0x55f7d6822ac0)
12:43:27.810677 http.c:790              => Send header, 0000000274 bytes (0x00000112)
12:43:27.810691 http.c:802              => Send header: GET /my-org/my-project/_git/my-repo/info/refs?service=git-upload-pack HTTP/2
12:43:27.810700 http.c:802              => Send header: Host: dev.azure.com
12:43:27.810705 http.c:802              => Send header: user-agent: git/2.43.2
12:43:27.810715 http.c:802              => Send header: accept: */*
12:43:27.810725 http.c:802              => Send header: accept-encoding: deflate, gzip, br, zstd
12:43:27.810732 http.c:802              => Send header: accept-language: C, *;q=0.9
12:43:27.810738 http.c:802              => Send header: pragma: no-cache
12:43:27.810746 http.c:802              => Send header: git-protocol: version=2
12:43:27.810749 http.c:802              => Send header:
12:43:27.839659 http.c:790              <= Recv header, 0000000013 bytes (0x0000000d)
12:43:27.839676 http.c:802              <= Recv header: HTTP/2 401
12:43:27.839690 http.c:790              <= Recv header, 0000000024 bytes (0x00000018)
12:43:27.839698 http.c:802              <= Recv header: cache-control: private
12:43:27.839703 http.c:790              <= Recv header, 0000000023 bytes (0x00000017)
12:43:27.839706 http.c:802              <= Recv header: content-length: 89619
12:43:27.839710 http.c:790              <= Recv header, 0000000025 bytes (0x00000019)
12:43:27.839714 http.c:802              <= Recv header: content-type: text/html
12:43:27.839717 http.c:790              <= Recv header, 0000000124 bytes (0x0000007c)
12:43:27.839721 http.c:802              <= Recv header: p3p: CP="CAO DSP COR ADMa DEV CONo TELo CUR PSA PSD TAI IVDo OUR SAMi BUS DEM NAV STA UNI COM INT PHY ONL FIN PUR LOC CNT"
12:43:27.839727 http.c:790              <= Recv header, 0000000115 bytes (0x00000073)
12:43:27.839733 http.c:802              <= Recv header: www-authenticate: Bearer authorization_uri=https://login.microsoftonline.com/57952406-xxxx-xxxx-xxxx-a4e06f57476d
12:43:27.839745 http.c:790              <= Recv header, 0000000071 bytes (0x00000047)
12:43:27.839753 http.c:802              <= Recv header: www-authenticate: Basic realm="https://tfsprodneu2.visualstudio.com/"
12:43:27.839762 http.c:790              <= Recv header, 0000000033 bytes (0x00000021)
12:43:27.839774 http.c:802              <= Recv header: www-authenticate: TFS-Federated
12:43:27.839782 http.c:790              <= Recv header, 0000000055 bytes (0x00000037)
12:43:27.839790 http.c:802              <= Recv header: x-tfs-processid: 671b689c-275f-4d3d-b392-0c03c739cebb
12:43:27.839794 http.c:790              <= Recv header, 0000000064 bytes (0x00000040)
12:43:27.839801 http.c:802              <= Recv header: strict-transport-security: max-age=31536000; includeSubDomains
12:43:27.839808 http.c:790              <= Recv header, 0000000050 bytes (0x00000032)
12:43:27.839821 http.c:802              <= Recv header: activityid: 48d864be-c2df-4c73-8e66-86eed3ba86de
12:43:27.839829 http.c:790              <= Recv header, 0000000053 bytes (0x00000035)
12:43:27.839832 http.c:802              <= Recv header: x-tfs-session: 48d864be-c2df-4c73-8e66-86eed3ba86de
12:43:27.839839 http.c:790              <= Recv header, 0000000051 bytes (0x00000033)
12:43:27.839842 http.c:802              <= Recv header: x-vss-e2eid: 48d864be-c2df-4c73-8e66-86eed3ba86de
12:43:27.839848 http.c:790              <= Recv header, 0000000064 bytes (0x00000040)
12:43:27.839853 http.c:802              <= Recv header: x-vss-senderdeploymentid: a6c8fbe9-7425-4392-883d-c602e2e7f7eb
12:43:27.839860 http.c:790              <= Recv header, 0000000029 bytes (0x0000001d)
12:43:27.839866 http.c:802              <= Recv header: x-frame-options: SAMEORIGIN
12:43:27.839870 http.c:790              <= Recv header, 0000000059 bytes (0x0000003b)
12:43:27.839874 http.c:802              <= Recv header: x-tfs-fedauthrealm: https://tfsprodneu2.visualstudio.com/
12:43:27.839878 http.c:790              <= Recv header, 0000000057 bytes (0x00000039)
12:43:27.839881 http.c:802              <= Recv header: x-tfs-fedauthissuer: https://dev.azure.com/my-org/
12:43:27.839883 http.c:790              <= Recv header, 0000000071 bytes (0x00000047)
12:43:27.839887 http.c:802              <= Recv header: x-vss-authorizationendpoint: https://vssps.dev.azure.com/my-org/
12:43:27.839889 http.c:790              <= Recv header, 0000000060 bytes (0x0000003c)
12:43:27.839890 http.c:802              <= Recv header: x-vss-resourcetenant: 57952406-xxxx-xxxx-xxxx-a4e06f57476d
12:43:27.839892 http.c:790              <= Recv header, 0000000710 bytes (0x000002c6)
12:43:27.839894 http.c:802              <= Recv header: x-tfs-soapexception: %3C%3Fxml%20version%3D%221.0%22%20encoding%3D%22utf-8%22%3F%3E%3Csoap%3AEnvelope%20xmlns%3Asoap%3D%22http%3A%2F%2Fwww.w3.org%2F2003%2F05%2Fsoap-envelope%22%3E%3Csoap%3ABody%3E%3Csoap%3AFault%3E%3Csoap%3ACode%3E%3Csoap%3AValue%3Esoap%3AReceiver%3C%2Fsoap%3AValue%3E%3Csoap%3ASubcode%3E%3Csoap%3AValue%3EUnauthorizedRequestException%3C%2Fsoap%3AValue%3E%3C%2Fsoap%3ASubcode%3E%3C%2Fsoap%3ACode%3E%3Csoap%3AReason%3E%3Csoap%3AText%20xml%3Alang%3D%22en%22%3ETF400813%3A%20The%20user%20%27aaaaaaaa-aaaa-aaaa-aaaa-aaaaaaaaaaaa%27%20is%20not%20authorized%20to%20access%20this%20resource.%3C%2Fsoap%3AText%3E%3C%2Fsoap%3AReason%3E%3C%2Fsoap%3AFault%3E%3C%2Fsoap%3ABody%3E%3C%2Fsoap%3AEnvelope%3E
12:43:27.839899 http.c:790              <= Recv header, 0000000148 bytes (0x00000094)
12:43:27.839901 http.c:802              <= Recv header: x-tfs-serviceerror: TF400813%3A%20The%20user%20%27aaaaaaaa-aaaa-aaaa-aaaa-aaaaaaaaaaaa%27%20is%20not%20authorized%20to%20access%20this%20resource.
12:43:27.839903 http.c:790              <= Recv header, 0000000079 bytes (0x0000004f)
12:43:27.839905 http.c:802              <= Recv header: x-vss-s2stargetservice: 00000002-0000-8888-8000-000000000000/visualstudio.com
12:43:27.839907 http.c:790              <= Recv header, 0000000557 bytes (0x0000022d)
12:43:27.839911 http.c:802              <= Recv header: x-tfs-fedauthredirect: https://spsprodneu1.vssps.visualstudio.com/_signin?realm=dev.azure.com&reply_to=https%3A%2F%2Fdev.azure.com%2Fmy-org%2Fmy-project%2F_git%2Fmy-repo%2Finfo%2Frefs%3Fservice%3Dgit-upload-pack&redirect=1&hid=7b32b422-6b88-4750-bdfe-9adf36851a1d&context=eyJodCI6MiwiaGlkIjoiNGRkNDY1NWQtMWIzOC00MDc1LTkxZWUtZmQyNTc0YzllZDZhIiwicXMiOnt9LCJyciI6IiIsInZoIjoiIiwiY3YiOiIiLCJjcyI6IiJ90#ctx=eyJTaWduSW5Db29raWVEb21haW5zIjpbImh0dHBzOi8vbG9naW4ubWljcm9zb2Z0b25saW5lLmNvbSIsImh0dHBzOi8vbG9naW4ubWljcm9zb2Z0b25saW5lLmNvbSJdfQ2
12:43:27.839914 http.c:790              <= Recv header, 0000000068 bytes (0x00000044)
12:43:27.839916 http.c:802              <= Recv header: request-context: appId=cid-v1:e6292eea-fb85-4107-bc0a-339fd28d3647
12:43:27.839918 http.c:790              <= Recv header, 0000000048 bytes (0x00000030)
12:43:27.839920 http.c:802              <= Recv header: access-control-expose-headers: Request-Context
12:43:27.839923 http.c:790              <= Recv header, 0000000033 bytes (0x00000021)
12:43:27.839931 http.c:802              <= Recv header: x-content-type-options: nosniff
12:43:27.839937 http.c:790              <= Recv header, 0000000025 bytes (0x00000019)
12:43:27.839943 http.c:802              <= Recv header: x-cache: CONFIG_NOCACHE
12:43:27.839947 http.c:790              <= Recv header, 0000000104 bytes (0x00000068)
12:43:27.839951 http.c:802              <= Recv header: x-msedge-ref: Ref A: FC51EA6D24EC4BE28D2BCEC2D5984074 Ref B: DUS30EDGE0909 Ref C: 2024-03-12T12:43:27Z
12:43:27.839956 http.c:790              <= Recv header, 0000000037 bytes (0x00000025)
12:43:27.839964 http.c:802              <= Recv header: date: Tue, 12 Mar 2024 12:43:27 GMT
12:43:27.839978 http.c:790              <= Recv header, 0000000002 bytes (0x00000002)
12:43:27.839981 http.c:802              <= Recv header:
12:43:27.839991 http.c:843              == Info: Ignoring the response-body
12:43:27.844052 http.c:843              == Info: Connection #0 to host dev.azure.com left intact
12:43:27.844088 http.c:843              == Info: Issue another request to this URL: 'https://dev.azure.com/my-org/my-project/_git/my-repo/info/refs?service=git-upload-pack'
12:43:27.844127 http.c:843              == Info: Found bundle for host dev.azure.com: 0x55f7d6828ba0 [can multiplex]
12:43:27.844145 http.c:843              == Info: Re-using existing connection! (#0) with host dev.azure.com
12:43:27.844156 http.c:843              == Info: Connected to dev.azure.com (13.107.42.20) port 443 (#0)
12:43:27.844405 http.c:843              == Info: Server auth using Basic with user 'eyJ0eXAiOiJKV1QiLCJhbGciOiJSUzI1NiIsIng1dCI6...<redacted>'
12:43:27.844512 http.c:843              == Info: Using Stream ID: 5 (easy handle 0x55f7d6822ac0)
12:43:27.844590 http.c:790              => Send header, 0000005329 bytes (0x000014d1)
12:43:27.844605 http.c:802              => Send header: GET /my-org/my-project/_git/my-repo/info/refs?service=git-upload-pack HTTP/2
12:43:27.844608 http.c:802              => Send header: Host: dev.azure.com
12:43:27.844611 http.c:802              => Send header: authorization: Basic <redacted>
12:43:27.845231 http.c:802              => Send header: user-agent: git/2.43.2
12:43:27.845245 http.c:802              => Send header: accept: */*
12:43:27.845249 http.c:802              => Send header: accept-encoding: deflate, gzip, br, zstd
12:43:27.845257 http.c:802              => Send header: accept-language: C, *;q=0.9
12:43:27.845266 http.c:802              => Send header: pragma: no-cache
12:43:27.845273 http.c:802              => Send header: git-protocol: version=2
12:43:27.845279 http.c:802              => Send header:
12:43:27.875245 http.c:790              <= Recv header, 0000000013 bytes (0x0000000d)
12:43:27.875262 http.c:802              <= Recv header: HTTP/2 401
12:43:27.875268 http.c:790              <= Recv header, 0000000124 bytes (0x0000007c)
12:43:27.875274 http.c:802              <= Recv header: p3p: CP="CAO DSP COR ADMa DEV CONo TELo CUR PSA PSD TAI IVDo OUR SAMi BUS DEM NAV STA UNI COM INT PHY ONL FIN PUR LOC CNT"
12:43:27.875282 http.c:843              == Info: Authentication problem. Ignoring this.
12:43:27.875294 http.c:790              <= Recv header, 0000000071 bytes (0x00000047)
12:43:27.875303 http.c:802              <= Recv header: www-authenticate: Basic realm="https://tfsprodneu2.visualstudio.com/"
12:43:27.875317 http.c:790              <= Recv header, 0000000055 bytes (0x00000037)
12:43:27.875324 http.c:802              <= Recv header: x-tfs-processid: a3fc537b-bf62-4f9c-9a87-54fd01e52d51
12:43:27.875327 http.c:790              <= Recv header, 0000000064 bytes (0x00000040)
12:43:27.875328 http.c:802              <= Recv header: strict-transport-security: max-age=31536000; includeSubDomains
12:43:27.875339 http.c:790              <= Recv header, 0000000050 bytes (0x00000032)
12:43:27.875350 http.c:802              <= Recv header: activityid: b124a326-f07d-42f9-95d4-e5421fc4390f
12:43:27.875355 http.c:790              <= Recv header, 0000000053 bytes (0x00000035)
12:43:27.875356 http.c:802              <= Recv header: x-tfs-session: b124a326-f07d-42f9-95d4-e5421fc4390f
12:43:27.875362 http.c:790              <= Recv header, 0000000051 bytes (0x00000033)
12:43:27.875363 http.c:802              <= Recv header: x-vss-e2eid: b124a326-f07d-42f9-95d4-e5421fc4390f
12:43:27.875371 http.c:790              <= Recv header, 0000000064 bytes (0x00000040)
12:43:27.875378 http.c:802              <= Recv header: x-vss-senderdeploymentid: a6c8fbe9-7425-4392-883d-c602e2e7f7eb
12:43:27.875406 http.c:790              <= Recv header, 0000000068 bytes (0x00000044)
12:43:27.875477 http.c:802              <= Recv header: request-context: appId=cid-v1:e6292eea-fb85-4107-bc0a-339fd28d3647
12:43:27.875500 http.c:790              <= Recv header, 0000000048 bytes (0x00000030)
12:43:27.875514 http.c:802              <= Recv header: access-control-expose-headers: Request-Context
12:43:27.875569 http.c:790              <= Recv header, 0000000033 bytes (0x00000021)
12:43:27.875582 http.c:802              <= Recv header: x-content-type-options: nosniff
12:43:27.875587 http.c:790              <= Recv header, 0000000025 bytes (0x00000019)
12:43:27.875595 http.c:802              <= Recv header: x-cache: CONFIG_NOCACHE
12:43:27.875598 http.c:790              <= Recv header, 0000000104 bytes (0x00000068)
12:43:27.875600 http.c:802              <= Recv header: x-msedge-ref: Ref A: CA60B10B2E3D46F596D798020F292A67 Ref B: DUS30EDGE0909 Ref C: 2024-03-12T12:43:27Z
12:43:27.875609 http.c:790              <= Recv header, 0000000037 bytes (0x00000025)
12:43:27.875613 http.c:802              <= Recv header: date: Tue, 12 Mar 2024 12:43:27 GMT
12:43:27.875618 http.c:790              <= Recv header, 0000000019 bytes (0x00000013)
12:43:27.875627 http.c:802              <= Recv header: content-length: 0
12:43:27.875637 http.c:790              <= Recv header, 0000000002 bytes (0x00000002)
12:43:27.875645 http.c:802              <= Recv header:
12:43:27.875664 http.c:843              == Info: Connection #0 to host dev.azure.com left intact
fatal: Authentication failed for 'https://dev.azure.com/my-org/my-project/_git/my-repo/'
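Two things in the trace above are worth a closer look before chasing scopes on the Azure DevOps side. First, although git redacts the `authorization` header in `GIT_TRACE_CURL` output, libcurl's "Server auth using Basic with user '...'" info line still prints the Basic-auth username in clear, and with token-based git auth that username is the token itself, so a trace like this should be scrubbed before it is pasted into a public issue. Second, decoding the payload segment of that token (no signature check needed for this) shows `aud` = `00000002-0000-0000-c000-000000000000`, the Azure AD Graph resource, and `scp` = `email openid profile`, which is an OIDC sign-in token rather than an access token issued for the Azure DevOps resource (`499b84ac-1321-427f-aa17-267ca6975798`), and a 401 with `www-authenticate: Basic realm=...` is exactly what dev.azure.com answers with when the presented credential is not one it can use. The script below is an added diagnostic, not part of the issue or of Coder's code: it pulls the username out of a trace, decodes the JWT without verifying it, and reports audience, scopes and expiry. It assumes, as a check rather than a documented Coder guarantee, that a token usable on dev.azure.com must carry the Azure DevOps `aud`; the sample token and trace line are constructed with placeholder identifiers that mirror the shape of the one in the log.

```python
import base64
import json
import re
import time

# Well-known Entra ID resource IDs seen in the 'aud' claim of v1 access tokens.
# Assumption under test: a token that git presents to dev.azure.com should be
# issued for the Azure DevOps resource, not for a sign-in/Graph audience.
AZURE_DEVOPS_RESOURCE_ID = "499b84ac-1321-427f-aa17-267ca6975798"
AAD_GRAPH_RESOURCE_ID = "00000002-0000-0000-c000-000000000000"

# OIDC sign-in scopes; a token carrying only these grants no Azure DevOps access.
OIDC_ONLY_SCOPES = {"openid", "email", "profile", "offline_access"}

# libcurl's info line in a GIT_TRACE_CURL log. Git redacts the Authorization
# header, but this line still prints the Basic-auth username, i.e. the token.
TRACE_USER_RE = re.compile(r"Server auth using Basic with user '([^']+)'")


def _b64url_decode(segment: str) -> bytes:
    return base64.urlsafe_b64decode(segment + "=" * (-len(segment) % 4))


def _b64url_encode(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def decode_jwt_unverified(token: str):
    """Return (header, payload) of a compact JWS without checking the signature.
    Good enough to read aud/scp/exp for diagnosis; never use it to accept a token."""
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("not a compact JWS: expected header.payload.signature")
    return json.loads(_b64url_decode(parts[0])), json.loads(_b64url_decode(parts[1]))


def extract_basic_user_from_trace(trace_text: str):
    """Pull the Basic-auth username (the leaked token) out of a GIT_TRACE_CURL log."""
    match = TRACE_USER_RE.search(trace_text)
    return match.group(1) if match else None


def diagnose_devops_token(payload: dict, now=None) -> dict:
    """Explain, from claims alone, why dev.azure.com would answer 401 to this token."""
    now = time.time() if now is None else now
    aud = payload.get("aud")
    scopes = set((payload.get("scp") or "").split())
    exp = payload.get("exp")
    expired = exp is not None and exp < now
    problems = []
    if expired:
        problems.append("token expired (exp=%d)" % exp)
    if aud == AAD_GRAPH_RESOURCE_ID:
        problems.append("aud is the Azure AD Graph resource: an OIDC sign-in token, "
                        "not an Azure DevOps access token")
    elif aud != AZURE_DEVOPS_RESOURCE_ID:
        problems.append("aud %r is not the Azure DevOps resource %s"
                        % (aud, AZURE_DEVOPS_RESOURCE_ID))
    if scopes and scopes <= OIDC_ONLY_SCOPES:
        problems.append("scp %r holds only OIDC identity scopes; no vso.* scope granted"
                        % " ".join(sorted(scopes)))
    return {
        "aud": aud,
        "scopes": sorted(scopes),
        "expired": expired,
        "for_devops": aud == AZURE_DEVOPS_RESOURCE_ID and not expired,
        "problems": problems,
    }


# Constructed sample: same claim shape as the token in the trace (Graph audience,
# OIDC scopes, March 2024 expiry) with placeholder IDs and a dummy signature.
SAMPLE_PAYLOAD = {
    "aud": AAD_GRAPH_RESOURCE_ID,
    "iss": "https://sts.windows.net/00000000-0000-0000-0000-000000000000/",
    "iat": 1710246104,
    "exp": 1710250292,
    "appid": "00000000-0000-0000-0000-000000000001",
    "scp": "email openid profile",
    "upn": "user@example.com",
    "ver": "1.0",
}
SAMPLE_TOKEN = ".".join([
    _b64url_encode(json.dumps({"typ": "JWT", "alg": "RS256"}).encode()),
    _b64url_encode(json.dumps(SAMPLE_PAYLOAD).encode()),
    "dummy-signature",
])
SAMPLE_TRACE = (
    "12:43:27.844405 http.c:843 == Info: Server auth using Basic with user '%s'\n"
    "12:43:27.844608 http.c:802 => Send header: authorization: Basic <redacted>\n"
) % SAMPLE_TOKEN


if __name__ == "__main__":
    token = extract_basic_user_from_trace(SAMPLE_TRACE)
    _, claims = decode_jwt_unverified(token)
    for problem in diagnose_devops_token(claims)["problems"]:
        print("-", problem)
```

Run it against a real trace by feeding the file contents to `extract_basic_user_from_trace`; if the reported `aud` is the Graph resource or the scopes are OIDC-only, the problem is in what token the authorization flow produced, not in the git request, and admin consent for `vso.*` scopes on the Azure side will not change what the trace shows until the token's audience does.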
waza-ari commented 3 months ago

In our environment, admin consent was required for the vso.code_write scope. I'd like to understand why though, as I thought this shouldn't be required.

bpmct commented 1 month ago

Hi @waza-ari are you still seeing issues on the Coder end, or is the question around how Azure Devops handles scopes?