Support for non-expiring Azure DevOps credentials

tfsaggregator / aggregator-cli

A new version of Aggregator aiming at Azure DevOps (ex Visual Studio Team Services)

https://tfsaggregator.github.io/

Apache License 2.0

73 stars 32 forks source link

Support for non-expiring Azure DevOps credentials #14

Open giuliov opened 5 years ago

giuliov commented 5 years ago

Current version has only support for PAT, which can last, at most, a year.

pswetz commented 5 years ago

Its seems the issue here is secure storage am I correct?

giuliov commented 5 years ago

Yes (currently PAT is saved in the Function configuration), and more: ideally the Function instance should be perpetually connected, removing the hassle of manually refreshing expiring tokens.

stale[bot] commented 5 years ago

This issue has been automatically marked as stale because it has not had recent activity. It will be closed if no further activity occurs. Thank you for your contributions.

BobSilent commented 5 years ago

@giuliov please correct me if I am going into wrong direction: Is this about these 2 topics?

1) storage location of secrets (PAT)

use Azure Key Vault for storage in Azure Function Context
use windows vault for local execution

2) support additional login possibilities

support running with dedicated provided username:password?
support OAuth2

giuliov commented 5 years ago

@BobSilent it is more 2b in order to avoid managing PAT I explored the topic a while ago, but I was only able to find solutions for:

the client scenario, like a WPF App or a Web site, implying user interaction;
AAD authentication using Graph API, which may apply or not (not very familiar with this, but I guess we should test with a DevOps Organization backed by MSA accounts and one using AAD)

The ideal solution would be similar to registering a build agent: you authenticate once then some kind of token is exchanged and the agent is trusted.

PS you can use Slack for chatting and discussion.