Authentication through Personal Access Token creates organisational coupling

[IncandescentChrysalis]

Currently, the only documented way to use this library is to authenticate with a Personal Access Token.

This seems wrong, as:

• From what I know about them, Personal Access Tokens are associated to human accounts This means an application access to an Azure DevOps instance is tightly coupled to the existence of a human person in an organisation, which means applications access will break depending on other life cycles.
• Personal Access Token also require an expiration date, meaning applications access will break regularly, forcing some manual (human) extra credentials management on top of, and separate from, the one associated with the parent account.

Is there a plan to support other kinds of authentication scheme with Azure DevOps (Server)?

One could think of an OAuth2 process, for instance, allowing different flows:

• H2M, much like what is achieved through PAT, without any extra (token, on top of account), manual, token lifecycle management
• M2M which would allow managing applications-specific secrets

Both flow isolate authentication of the application from any other organisational resource, and allow delegation of authorisation and grants lifecycle to a dedicated, potentially automated third-party.

[JohnStokes228]

i would like to add that all other azure sdks im aware of are using azure-identity for auth, can this please be updated to do the same?

https://github.com/Azure/azure-sdk-for-python/issues/36643

[vs4vijay]

Yes, We need support for azure identity SDK in Azure DevOps SDK. This is what I am doing currently as workaround, but this doesn't cater for refreshing the access token, and other related use cases.

credential = DefaultAzureCredential()
token = credential.get_token("499b84ac-1321-427f-aa17-267ca6975798/.default")
credential2 = BasicTokenAuthentication({"access_token": token.token})

CC: @nechvatalp, @tonybaloney