Azure Devops REST API call from Postman


I am trying to call the REST API using OAuth authentication from Azure DevOps using Postman, but it is giving me an error.

PFA the screenshots of the APP, and


Can someone please tell me the end-to-end process to authenticate and get the access token?

I had tried making the app and using the credentials like -


But, still not able to fetch. Please help

This is the screenshot of the page that opens on the Azure DevOps side to get the authentication (Accept/Deny), but after I accept, it comes up with the error.

Answer from Miao Tian-MSFT:

I can get the access_token following the steps in the document.

Here are my steps.

  1. Go to https://app.vsaex.visualstudio.com/app/register to register the app. We will use the app ID, client secret and the Authorization callback URL in the following steps. My callback URL is https://jwt.ms/ here.

  2. Authorize the app with the app ID and the Authorization callback URL you use in the app.

https://app.vssps.visualstudio.com/oauth2/authorize
        ?client_id={app ID}
        &response_type=Assertion
        &state=User1
        &scope=vso.work_full
        &redirect_uri={your Authorization callback URL}

After completing the above URL, paste it into your browser and click Enter.


It will need you to accept the app.


After we accept it, it redirects the browser to the callback URL, including a short-lived authorization code and the state value provided in the authorization URL. We will use the code in the next step.


{callback URL}?code=eyJ0eXAiOiJKV1QiLCJhbGciOiJSUzI1NiIsIng1dCI6Im.......&state=User1

  3. Get an access and refresh token by POST https://app.vssps.visualstudio.com/oauth2/token. The body Content-Type is application/x-www-form-urlencoded.

Body details:

client_assertion_type:urn:ietf:params:oauth:client-assertion-type:jwt-bearer
client_assertion:{client secret acquired when the app was registered}
grant_type:urn:ietf:params:oauth:grant-type:jwt-bearer
assertion:{"code" provided via the code query parameter to your callback URL in step 2}
redirect_uri:{callback URL registered with the app}

My test result:

  4. With the access_token in step 3, we can use it in Postman to get the work item details.

My test result:


  5. To refresh the token, change the grant_type to refresh_token and replace the assertion with the "refresh_token" you got in step 3.

Body details:

client_assertion_type:urn:ietf:params:oauth:client-assertion-type:jwt-bearer
client_assertion:{client secret acquired when the app was registered}
grant_type:refresh_token
assertion:{"refresh_token" in step 3}
redirect_uri:{callback URL registered with the app}

My test result:


Note:

You should go to the organization's settings Policy to enable the Third-party application via OAuth. This policy is defaulted to off for all new organizations. We need to enable the policy to use the Azure DevOps OAuth apps.
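The requests from steps 2, 3 and 5 above, as an added Python example that is not part of the original answer. It only builds the URL and the form-encoded POSTs without sending them. The function names are hypothetical, and as an assumption of this example it uses a random `state` in place of the fixed `User1` and checks it on the callback before using the code:

```python
"""Added example: steps 2, 3 and 5 of the answer as offline request builders."""
import hmac
import secrets
import urllib.request
from urllib.parse import parse_qs, urlencode, urlsplit

AUTHORIZE_URL = "https://app.vssps.visualstudio.com/oauth2/authorize"
TOKEN_URL = "https://app.vssps.visualstudio.com/oauth2/token"
JWT_BEARER = "urn:ietf:params:oauth:grant-type:jwt-bearer"
CLIENT_ASSERTION_TYPE = "urn:ietf:params:oauth:client-assertion-type:jwt-bearer"


def build_authorize_url(app_id, redirect_uri, scope="vso.work_full", state=None):
    """Step 2: return (url, state). A random state replaces the fixed 'User1'."""
    state = state or secrets.token_urlsafe(16)
    query = urlencode({
        "client_id": app_id,
        "response_type": "Assertion",
        "state": state,
        "scope": scope,
        "redirect_uri": redirect_uri,
    })
    return f"{AUTHORIZE_URL}?{query}", state


def code_from_callback(callback_url, expected_state):
    """Extract ?code= from the redirect, rejecting a missing or mismatched state."""
    params = parse_qs(urlsplit(callback_url).query)
    state = params.get("state", [""])[0]
    if not hmac.compare_digest(state.encode(), expected_state.encode()):
        raise ValueError("state mismatch: callback does not belong to this request")
    if "code" not in params:
        raise ValueError("callback carries no authorization code")
    return params["code"][0]


def build_token_request(client_secret, assertion, redirect_uri, refresh=False):
    """Steps 3 and 5: form-encoded POST; only grant_type and assertion differ."""
    body = urlencode({
        "client_assertion_type": CLIENT_ASSERTION_TYPE,
        "client_assertion": client_secret,
        "grant_type": "refresh_token" if refresh else JWT_BEARER,
        "assertion": assertion,
        "redirect_uri": redirect_uri,
    }).encode()
    headers = {"Content-Type": "application/x-www-form-urlencoded"}
    return urllib.request.Request(TOKEN_URL, data=body, headers=headers, method="POST")
```

Pass the returned request to `urllib.request.urlopen` to perform the exchange, and load the client secret from the environment or a secret store rather than from source.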
