search

jfrog / jfrog-azure-devops-extension

Apache License 2.0
48 stars 66 forks source link

Unable to use Reference Token with Azure DevOps Service Connection even though the connection Validates using a Reference Token #509

Open fourpastmidnight opened 1 month ago

fourpastmidnight commented 1 month ago

Describe the bug

[!IMPORTANT] Please see my comment below. I'm leaving the original issue as stated for broader context purposes, but the issue is not what it at first seemed. What follows below is the original issue, but please see my comment for the real issue at hand.

I have an Azure DevOps Server ServiceConnection to Artifactory which is using token-based authentication for the connection.

However, when using the JfrogDotNetCore@1 task in an Azure DevOps YAML pipeline with the following configuration:

- task: JFrogDotNetCore@1
  displayName: Restore NuGet Packages
  inputs:
    command: restore
    artifactoryConnection: ${{ parameters.artifactoryConnection }}
    targetResolveRepo: ${{ parameters.artifactoryRepository }}
    rootPath: ${{ parameters.solutionOrProjectPathGlob }}
    collectBuildInfo: ${{ parameters.collectBuildInfo }}
    ${{ if eq(parameters.collectBuildInfo, true) }}:
      buildName: '$(Build.DefinitionName)'
      buildNumber: '$(Build.BuildNumber)'

running the build results in the following error output:

D:\Agent04\_work\_tool\dotnet\sdk\9.0.100-rc.1.24452.12\NuGet.targets(751,5): error : Value cannot be null or empty string. (Parameter 'username') [D:\Agent04\_work\111\s\src\MyProject\MyProject.csproj]
16:21:50 [Error] exit status 1
##[error]Error: Command failed: D:\Agent04\_work\_tool\jf\2.53.1\x64\jf.exe dotnet restore --build-name="my-project" --build-number="v8.0.0-ci.4.24290.73267.6360"

If I'm using a ServiceConnection, then I should not need to provide a username input to the task.

Current behavior

If you don't specify a username input to the JfrogDotNetCore@1 task in a YAML pipeline even though you are using a ServiceConnection, the task ends in an error.

Reproduction steps

Run a build pipeline with a valid task configured as shown below:

- task: JFrogDotNetCore@1
  displayName: Restore NuGet Packages
  inputs:
    command: restore
    artifactoryConnection: ${{ parameters.artifactoryConnection }}
    targetResolveRepo: ${{ parameters.artifactoryRepository }}
    rootPath: ${{ parameters.solutionOrProjectPathGlob }}
    collectBuildInfo: ${{ parameters.collectBuildInfo }}
    ${{ if eq(parameters.collectBuildInfo, true) }}:
      buildName: '$(Build.DefinitionName)'
      buildNumber: '$(Build.BuildNumber)'

When using a ServiceConnection with token-based authentication, a username should not be required. (The Classic build pipeline editor does not prompt for a Username whin using a ServiceConnection.)

Expected behavior

The task does not require a username input when using a ServiceConnection.

Azure DevOps extension name and version

2.92 I think.....

JFrog CLI version

2.53.1

Operating system type and version

Windows Server 2019

JFrog Artifactory version (if relevant)

No response

JFrog Xray version (if relevant)

No response

JFrog Distribution version (if relevant)

No response

fourpastmidnight commented 1 month ago

Never mind. So, when I created the user account for build server integration, I also created an access token, both a JWT and a Reference token. The help bubble for the Reference Token says that it can be used anywhere as a password, API Key, or, and this is the important one, a Bearer token. That, apparently, is not true, at least, not for Nuget. Here's more of the log from a failing build:

21:08:19 [Warn] couldn't extract payload from Access Token.
The provided access token is not a valid JWT, probably a reference token.
Some package managers only support basic authentication which requires also a username.
If you plan to work with one of those package managers, please provide a username.
  Determining projects to restore...
D:\Agent04\_work\_tool\dotnet\sdk\9.0.100-rc.1.24452.12\NuGet.targets(751,5): error : Value cannot be null or empty string. (Parameter 'username') [D:\Agent04\_work\111\s\src\MyProject\MyProject.csproj]
21:08:20 [Error] exit status 1
##[error]Error: Command failed: D:\Agent04\_work\_tool\jf\2.53.1\x64\jf.exe dotnet restore --build-name="my-project" --build-number="v8.0.0-ci.4.24291.4057.6362"

So, I cannot use the reference token as a bearer token, I have to use the full JWT token. But here's the thing, I validated the ServiceConnection in Azure DevOps with the Reference token and it validated just fine—the connection to the API could be established. This seems like a bug to me—perhaps in Azure DevOps Server. So, I'm going to change the title of this issue and let someone else decide whether this is not a Jfrog problem. (It's possible it's a littel of both.)