
I’m trying to get pull requests via the Azure DevOps Python API. The code below works, but I’d rather not use the /.default scope because I only need a read-only call. The issue is if I put any other scope in the creds.get_token call I get an error on the creds.get_token call:

InteractiveBrowserCredential.get_token failed: Authentication failed: AADSTS65002: Consent between first party application 'xxxxx' and first party resource 'xxxxx' must be configured via preauthorization - applications owned and operated by Microsoft must get approval from the API owner before requesting tokens for that API.

The question is, what are the least permissive scopes that I can put into creds.get_token to fetch the pull requests as below:

from azure.identity import InteractiveBrowserCredential
from msrest.authentication import BasicTokenAuthentication
from azure.devops.connection import Connection

creds = InteractiveBrowserCredential()

# I'd rather not use .default here
token = creds.get_token('499b84ac-1321-427f-aa17-267ca6975798/.default').token
auth = BasicTokenAuthentication({'access_token': token})

conn = Connection(base_url='https://dev.azure.com/xxx/', creds=auth)
client = conn.clients.get_git_client()
result = client.get_pull_requests("xxxx")  # repository id or name

print(result)


Answers


  1. The scope to access the Azure DevOps Services REST API must be 499b84ac-1321-427f-aa17-267ca6975798/.default; I'm afraid other scopes are not supported. Please check the similar ticket here for your reference.

  2. Initially, I too got the same error when I ran the code with another scope (a single DevOps permission) in creds.get_token:


    If you prefer least permissive scopes to read pull request details without using /.default, you need to register an application and add the vso.code permission to it like this:


    As you are using the interactive flow to generate the access token, make sure to add a redirect URI under the Mobile and desktop applications platform and enable public client flows:


    Now you can use the modified code below, which generates an access token via the interactive flow with only the vso.code permission instead of /.default and calls the DevOps API to retrieve pull request details:

    from msal import PublicClientApplication
    import requests

    CLIENT_ID = "appID"
    AUTHORITY = "https://login.microsoftonline.com/tenantID"

    # Only the delegated permission needed to read repository/pull request data
    SCOPE = ["499b84ac-1321-427f-aa17-267ca6975798/vso.code"]

    app = PublicClientApplication(
        CLIENT_ID,
        authority=AUTHORITY
    )

    result = app.acquire_token_interactive(scopes=SCOPE)

    # acquire_token_interactive returns an error dict instead of raising
    if "access_token" not in result:
        raise SystemExit("Token acquisition failed: {} - {}".format(
            result.get("error"), result.get("error_description")))

    access_token = result["access_token"]
    # Printed so it can be pasted into jwt.ms to inspect the scp claim
    print(access_token)
    print()

    headers = {
        'Authorization': 'Bearer {}'.format(access_token),
        'Content-Type': 'application/json',
    }

    response = requests.get('https://dev.azure.com/demodevOps25/_apis/git/repositories/repoID/pullRequests?api-version=7.1-preview.1', headers=headers)

    # Check if response contains JSON data
    if response.status_code == 200:
        try:
            data = response.json()
            print(data)
        except ValueError:
            print("Response is not in JSON format")
    else:
        print("Failed to retrieve data. Status code:", response.status_code)

    Response: (screenshot)

    You can also decode the above access token on the jwt.ms website and check the scp claim to see which permissions it has.

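As an added example (not code from either answer), here is a local version of the jwt.ms step: it decodes the token payload without verifying the signature and checks that the scp claim holds nothing beyond vso.code and that aud is the Azure DevOps resource ID used in the scopes above. The helper names, the constructed sample token and the assumption that aud equals the resource GUID are mine.

```python
import base64
import json

# Azure DevOps resource (application) ID from the scope strings on this page.
ADO_RESOURCE_ID = "499b84ac-1321-427f-aa17-267ca6975798"


def _b64url_decode(segment: str) -> bytes:
    """Decode a base64url segment, restoring the padding JWTs strip."""
    return base64.urlsafe_b64decode(segment + "=" * (-len(segment) % 4))


def decode_claims(token: str) -> dict:
    """Return a JWT's payload claims WITHOUT verifying the signature.
    Inspection only (like pasting into jwt.ms); never a trust decision."""
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("expected a compact JWS with three segments")
    return json.loads(_b64url_decode(parts[1]))


def check_token_scopes(token: str, allowed=("vso.code",)) -> dict:
    """Verify the token targets Azure DevOps and carries no scope outside
    `allowed`. Assumes 'aud' equals the resource ID and 'scp' is a
    space-separated list, as Entra ID delegated tokens use."""
    claims = decode_claims(token)
    granted = set(claims.get("scp", "").split())
    extra = sorted(granted - set(allowed))
    aud_ok = claims.get("aud") == ADO_RESOURCE_ID
    return {
        "ok": aud_ok and bool(granted) and not extra,
        "aud_ok": aud_ok,
        "granted": sorted(granted),
        "extra_scopes": extra,
    }


def make_sample_token(scp: str) -> str:
    """Constructed test token with a dummy signature; not issued by Entra ID."""
    def enc(obj):
        raw = json.dumps(obj, separators=(",", ":")).encode()
        return base64.urlsafe_b64encode(raw).rstrip(b"=").decode()
    header = {"alg": "RS256", "typ": "JWT"}
    claims = {"aud": ADO_RESOURCE_ID, "scp": scp, "upn": "user@example.com"}
    return f"{enc(header)}.{enc(claims)}.{enc('dummy-signature')}"


if __name__ == "__main__":
    print(check_token_scopes(make_sample_token("vso.code")))
    print(check_token_scopes(make_sample_token("user_impersonation")))
```

Run it against the token printed by the answer's script by replacing the constructed sample; a token obtained with /.default will show up with scopes outside the allowed set.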