microsoft / azure-devops-extension-sample

Sample web extension for Azure DevOps
MIT License

User unauthorized to access this resource #45

Open pauldev263 opened 4 years ago

pauldev263 commented 4 years ago

Copying the Pivot sample, I changed it to make a call to getBuilds() using the BuildRestClient, supplying only the project id. Updating the extension, I refreshed and "Loading..." remained visible. I checked the network messages in debug and saw the error.

After getting the token, the browser makes the request for the project's builds but receives a 401 response. I have checked the request header and the correct authorization value is being set. It is strange that getProjects() works but getBuilds() doesn't on the same extension. I am unsure of where it gets the guid of the user from.

Referencing the same API endpoint works from a JavaScript extension. Likewise, using the REST clients' getBuilds() in the same JavaScript extension works.

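import { getClient } from "azure-devops-extension-api";
import { BuildRestClient, Build } from "azure-devops-extension-api/Build";
// Request the builds for the project; only the project id is supplied.
const builds = await getClient(BuildRestClient).getBuilds(projectId);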

{"$id":"1","innerException":null,"message":"TF400813: The user '***' is not authorized to access this resource. ","typeName":"Microsoft.TeamFoundation.Framework.Server.InvalidIdentityException, Microsoft.TeamFoundation.Framework.Server","typeKey":"InvalidIdentityException","errorCode":0,"eventId":3000}

pauldev263 commented 4 years ago

I noticed one difference which doesn't have any effect when calling the API directly from the browser: getProjects() is calling api-version=5.1-preview.4 yet getBuilds() is calling api-version=5.1-preview.5. I've looked within azure-devops-extension-api to see where this is set but cannot find it.

tovVAar commented 4 years ago

This might be related to a missing scope declaration in your extension JSON file: https://docs.microsoft.com/en-us/azure/devops/extend/develop/manifest?view=azure-devops#scopes

I had a similar problem: it was possible to create work items, but to get a list of them I had to add the following scope declaration:

    "scopes": [
        "vso.work_write"
    ]

In your case, it could be vso.build. That will update your extension and it should be reviewed; instructions are on that link as well.

chris-putnam commented 3 years ago

Once you add the new scope and publish the extension you will also have to go into Azure DevOps organization settings and click a button to grant the new permissions to the extension. It will say something like "Action Required" next to the extension.
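
The scope mismatch discussed in this thread can be caught before publishing. The following is an added example, not code from the thread or from the sample repository: a build-time check that compares the REST client modules an extension imports with the `scopes` array in its manifest. The module-to-scope table, the "implied by" table, the function names and the sample inputs are assumptions constructed for illustration.

```javascript
// Assumed mapping from extension-API module to the read scope it needs,
// limited to the two areas named in the thread (builds and work items).
const REQUIRED_SCOPE = {
  "azure-devops-extension-api/Build": "vso.build",
  "azure-devops-extension-api/WorkItemTracking": "vso.work",
};

// Assumption: these broader scopes also cover the narrower read scope.
const IMPLIED_BY = {
  "vso.build": ["vso.build_execute"],
  "vso.work": ["vso.work_write"],
};

// Collect the distinct azure-devops-extension-api/* modules imported by a source file.
function importedModules(source) {
  const re = /from\s+["'](azure-devops-extension-api\/\w+)["']/g;
  return [...new Set([...source.matchAll(re)].map((m) => m[1]))];
}

// Return one entry per imported module whose scope the manifest does not declare.
function missingScopes(manifest, source) {
  const declared = new Set(manifest.scopes || []);
  const missing = [];
  for (const mod of importedModules(source)) {
    const need = REQUIRED_SCOPE[mod];
    if (!need) continue; // module not covered by the assumed table
    const covered =
      declared.has(need) ||
      (IMPLIED_BY[need] || []).some((s) => declared.has(s));
    if (!covered) missing.push({ module: mod, scope: need });
  }
  return missing;
}

// Constructed sample input: the import from the thread, and a manifest
// that declares only the work item scope.
const SAMPLE_SOURCE =
  'import { BuildRestClient, Build } from "azure-devops-extension-api/Build";';
const SAMPLE_MANIFEST = { scopes: ["vso.work_write"] };

for (const { module, scope } of missingScopes(SAMPLE_MANIFEST, SAMPLE_SOURCE)) {
  console.log(`${module} is imported but scope "${scope}" is not declared`);
}
```

A clean result only covers the manifest; as the last comment notes, a newly added scope still has to be granted in the organization settings after the extension is published.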