Oauth2 authentication scheme (client credentials flow)
rahulpandey702 opened this issue · 0 comments
I am working on a feature, which requires us to create a service connection to be used by a build pipeline task. We are considering making use of an app registration to authenticate with our backend service via the client credentials flow.
I have currently written a prototype service connection that takes in the app registration client id, secret and passes it on to the build task, which can then retrieve the access token. But I am not sure if that is the correct way to go about it.
I came across the following oauth2 auth scheme https://github.com/microsoft/azure-pipelines-extensions/blob/master/docs/authoring/endpoints/authenticationSchemes.md#oauth2. I wonder if it makes sense for our use case instead.
I am wondering if this makes sense for our use case.
I have a few questions:
- What purpose does the authorization URL serve? My guess is the authorization URL is to dictate who can use a given OAuth config.
- What resource/scope should be used in the authorization URL? We have a backend app registration tied to an APIM, and for the client credentials flow we are using a scope associated with that backend app registration, but that is to authenticate our access to the backend. I am not sure which resource/scope makes sense in the authorization URL, where we are using the implicit flow?
- I have set the redirect URL to be https://dev.azure.com/org/.admin/oauth2/callback. When I click authorize for the OAuth config, it redirects me to this URL in a pop-up window along with the token (implicit flow). But I am not sure how to authorize the OAuth config after that? Closing the pop-up window simply cancels the authorization process.
- If we somehow succeed in authorizing the OAuth config (once again, I am assuming that is what the authorization URL is for), how do we typically retrieve the access token from the result and pass it to our pipeline task? Is this the use case for the oauth2 auth scheme, where the service connection knows how to retrieve an access token as described in the data source bindings? And then somehow the pipeline task can retrieve it?
```json
"dataSourceBindings": [
  {
    "target": "AccessToken",
    "dataSourceName": "AccessToken",
    "requestVerb": "Post",
    "requestContent": "{\"client_id\":\"{{{configuration.ClientId}}}\",\"client_secret\":\"{{{configuration.ClientSecret}}}\",\"grant_type\":\"client_credentials\", \"scope\": \"api://<backend app registration>/.default\"}",
    "resultSelector": "jsonpath:$",
    "resultTemplate": "{\"Access_Token\" : \"{{{access_token}}}\", \"Error\" : \"{{{error}}}\", \"Error_Description\" : \"{{{error_description}}}\"}"
  }
]
```
- Also, once the secret inside an OAuth config expires, it seems like there is no way to update the OAuth config. Does that mean we will have to create a new OAuth config and have all the service connections link to the new OAuth config?
- The token retrieved from the authorization URL: is this a one-time thing to authorize the OAuth config? Does this token ever have to be refreshed once the OAuth config has been linked to the service connection? And if yes, is that done automatically without a human intervening?
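The client-credentials exchange that the dataSourceBindings in the issue describes, as an added example written for this page (it is not code from the issue author or from azure-pipelines-extensions). It performs no network call: the token endpoint URL, the scope placeholder, the secret values and the error descriptions are all assumptions, and an in-process fake stands in for the identity provider. It sends the credentials as an application/x-www-form-urlencoded body (the encoding the Microsoft identity platform token endpoint accepts), maps both the success and the error response into the same three fields the resultTemplate above produces, and shows the refresh point the last question raises: a client-credentials token comes with expires_in but no refresh token, so when it nears expiry the caller simply requests a new one with the same client id and secret.

```python
"""Client-credentials token request, response mapping and renewal check.

Added example; not code from the issue or from azure-pipelines-extensions.
All endpoints, secrets and responses below are constructed placeholders.
"""
import json
from dataclasses import dataclass
from typing import Any, Callable, Dict
from urllib.parse import parse_qs, urlencode

# Placeholder token endpoint (assumption; substitute the tenant's real v2.0 token URL).
TOKEN_ENDPOINT = "https://login.example.invalid/<tenant-id>/oauth2/v2.0/token"
# Same placeholder scope the issue's requestContent uses.
SCOPE = "api://<backend app registration>/.default"


@dataclass
class TokenResult:
    """The three fields the issue's resultTemplate exposes, plus the lifetime."""
    access_token: str
    error: str
    error_description: str
    expires_in: int = 0

    @property
    def ok(self) -> bool:
        return bool(self.access_token) and not self.error


def build_token_request(client_id: str, client_secret: str, scope: str = SCOPE) -> Dict[str, Any]:
    """Build the POST the data source binding issues: form-encoded, grant_type=client_credentials."""
    form = {
        "client_id": client_id,
        "client_secret": client_secret,
        "grant_type": "client_credentials",
        "scope": scope,
    }
    return {
        "method": "POST",
        "url": TOKEN_ENDPOINT,
        "headers": {"Content-Type": "application/x-www-form-urlencoded"},
        "body": urlencode(form),
    }


def map_token_response(raw_json: str) -> TokenResult:
    """Mirror resultSelector 'jsonpath:$' + resultTemplate: absent keys become empty strings."""
    data = json.loads(raw_json)
    return TokenResult(
        access_token=data.get("access_token", ""),
        error=data.get("error", ""),
        error_description=data.get("error_description", ""),
        expires_in=int(data.get("expires_in", 0)),
    )


def fetch_access_token(transport: Callable[[Dict[str, Any]], str],
                       client_id: str, client_secret: str) -> TokenResult:
    """Run one exchange through the given transport (real HTTP or the fake below)."""
    return map_token_response(transport(build_token_request(client_id, client_secret)))


def needs_new_token(obtained_at: float, expires_in: int, now: float, skew: int = 300) -> bool:
    """Client-credentials tokens carry no refresh token: re-request before expiry minus a skew."""
    return now >= obtained_at + expires_in - skew


def fake_identity_provider(request: Dict[str, Any]) -> str:
    """Constructed stand-in for the token endpoint; responses are invented for this example."""
    params = parse_qs(request["body"])
    if request["method"] != "POST" or params.get("grant_type") != ["client_credentials"]:
        return json.dumps({"error": "unsupported_grant_type",
                           "error_description": "constructed: only client_credentials is handled"})
    if params.get("client_secret") == ["expired-secret"]:
        # Standard OAuth2 error code; the description text is constructed.
        return json.dumps({"error": "invalid_client",
                           "error_description": "constructed: the client secret has expired"})
    return json.dumps({"token_type": "Bearer", "expires_in": 3599,
                       "access_token": "constructed.access.token"})


if __name__ == "__main__":
    for secret in ("good-secret", "expired-secret"):
        result = fetch_access_token(fake_identity_provider, "app-client-id", secret)
        # Same shape the resultTemplate hands to the pipeline task.
        print(json.dumps({"Access_Token": result.access_token,
                          "Error": result.error,
                          "Error_Description": result.error_description}))
```

Only the short-lived token crosses into the task; the secret stays with the connection. When the secret in the app registration is rotated, the binding's next request fails with an `invalid_client` style error, which the Error fields surface rather than an empty Access_Token alone.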