I am able to list existing PATs when I use the GET verb.
I get a 200 OK response when I create a PAT using the POST verb.
The payload shows:
{"patToken":null,"patTokenError":"userIdRequired"}
This error is listed in the documentation but does not explain how to resolve it.
var clientBearer = new RestClient(@"https://login.microsoftonline.com");
var requestBearer = new RestRequest($"{tenantID}/oauth2/v2.0/token");
requestBearer.AddHeader("Content-Type", "application/x-www-form-urlencoded");
requestBearer.AddParameter("client_id", appRegistration.appId);
requestBearer.AddParameter("client_secret", appRegistrationSecret);
requestBearer.AddParameter("scope", "499b84ac-1321-427f-aa17-267ca6975798/.default");
requestBearer.AddParameter("username", username);
requestBearer.AddParameter("password", password);
requestBearer.AddParameter("grant_type", "password");
var responseBearer = clientBearer.ExecutePostAsync(requestBearer).Result;
var azureBearerToken = JsonConvert.DeserializeObject<AzureBearerToken>(responseBearer.Content);
var devopsBearerToken = azureBearerToken.token_type + " " + azureBearerToken.access_token;
Password Authentication was selected as the only viable non-interactive authentication method. This user is replacing a ServicePrincipal/ManagedIdentity because Microsoft does not support those models for Devops REST API and not all Devops REST API functionality is available in the Azure CLI.
I now have a valid bearer Token
var devopsClient = new RestClient(@"https://vssps.dev.azure.com");
var patRequest = new RestRequest($"{devopsOrganization}/_apis/tokens/pats?api-version=7.1-preview.1");
patRequest.AddHeader("Authorization", devopsBearerToken);
patRequest.AddHeader("Content-Type", "application/json");
var patListResponse = devopsClient.ExecuteGetAsync(patRequest).Result;
This response looks great and I know that the bearer token is working. As this is a newly created AD user created through the Azure CLI I am expecting an empty array of PAT which I do receive in the response.
So far, So good
//create a token
var body = new
{
displayName = "targetName",
scope = "app_token",
validTo = validTo,
allOrgs = true
};
patRequest.AddJsonBody(body);
var patCreateResponse = devopsClient.ExecutePostAsync(patRequest).Result;
This final response is the problem and it contains the
patTokenError : userIdRequired
From the error UserIdRequired, it seems UserId is not provided from the access token or the user is not allowed .See access-azure-devops-rest-api-with-oauth.
I dint check it myself,but please check , in the azure AD registration, if proper scopes are provided for the application and to access REST API and granted consent.User gets access token for user ,but due to lack of proper permissions to access Azure devops may lead to user not being able to access devops through rest api.
According to Token Lifecycle Management REST API for Azure DevOps Services - Azure DevOps Services REST API | Microsoft Docs
It looks like you have provided scope correctly , also make sure it is granted admin consent. Also make sure to provide profile User.Read scopes in azure ad , to check logged in users profile as this API is only available to users that are part of an Azure AD tenant with an active Azure subscription.
Also for safe side in other cases of PatToken in error, it is recommended to revoke the PAT.
Referred from Use personal access tokens
NOTE:
References: