GitHub's PAT is recognized as a Token, not PersonalAccessToken #11558

Closed
amaslenn opened this issue Oct 14, 2019 · 12 comments
@amaslenn

Required Information

Type: Bug
Task: GitHubRelease (v0/v1)

Environment

Issue Description

I'm implementing a release pipeline which should create a draft release on each tag pushed. I've created a PAT (admin:repo_hook, repo, user permissions) and tried to create a release manually; it worked. Then I created a Service connection using this PAT. But when I run my pipeline, I'm getting this error:
The pipeline is not valid. Job release: Step GitHubRelease input gitHubConnection expects a service connection of type github with authentication scheme OAuth,PersonalAccessToken but the provided service connection release2 is of type github using authentication scheme Token.

I tried to ask on a similar issue (#9394) but got no answer.

@DavidSimner

I had a similar issue. When using the Azure DevOps website to create a Service Connection with the type github, it always created a service endpoint for me using the scheme Token, whereas the other part of Azure DevOps needed the scheme to be PersonalAccessToken.

I managed to work around this by using the Azure DevOps API to create a Service Connection using the authentication scheme that it needed.

I did a POST to https://dev.azure.com/<TODO:org>/<TODO:project>/_apis/serviceendpoint/endpoints?api-version=5.1-preview.2 with the body:

{
  "name": "<TODO:name>",
  "type": "github",
  "url": "https://github.com",
  "authorization": {
    "scheme": "PersonalAccessToken",
    "parameters": {
      "accessToken": "<TODO:PAT>"
    }
  }
}

Maybe the same workaround would work for you @amaslenn

@amaslenn
Author

@DavidSimner thanks a lot! Creating a Service connection using the API made Azure correctly recognize the token.

I'm leaving the issue open since creating a connection via web works unexpectedly.

@twpayne

twpayne commented Dec 11, 2019

I'm encountering the same bug, thank you @DavidSimner for the suggested work-around.

Could you provide more details on exactly how you made this POST request? I'm trying to do it with the Azure CLI but am failing because I don't know what resource needs to be associated with the request for authorization.

Specifically, I have verified that I can see my pipelines by running:

az login
az extension add --name azure-devops
az pipelines list --organization=<TODO:org> --project=<TODO:project>

and I see the pipelines associated with <TODO:org> and <TODO:project>.

I tried to create the Service Connection by running:

az rest \
	--method post \
	--uri 'https://dev.azure.com/<TODO:org>/<TODO:project>/_apis/serviceendpoint/endpoints?api-version=5.1-preview.2' \
	--resource _apis/serviceendpoint/endpoints \
	--body @data.json

where data.json contains the JSON data described above.

However I get the following invalid_resource error:

The command failed with an unexpected error. Here is the traceback:
Get Token request returned http error: 400 and server response: {"error":"invalid_resource","error_description":"AADSTS500011: The resource principal named _apis/serviceendpoint/endpoints was not found in the tenant named 653c53ad-337e-4c4b-b50a-69fd391fad67. This can happen if the application has not been installed by the administrator of the tenant or consented to by any user in the tenant. You might have sent your authentication request to the wrong tenant.\r\nTrace ID: af002fec-c035-4d0f-baaa-733f12d92400\r\nCorrelation ID: b46c5fec-0b4b-4138-8ad4-983f6151fb62\r\nTimestamp: 2019-12-11 16:10:27Z","error_codes":[500011],"timestamp":"2019-12-11 16:10:27Z","trace_id":"af002fec-c035-4d0f-baaa-733f12d92400","correlation_id":"b46c5fec-0b4b-4138-8ad4-983f6151fb62","error_uri":"https://login.microsoftonline.com/error?code=500011"}

Do you know what value for --resource I should use?

Many thanks for any help.

@amaslenn
Author

@twpayne I created a Personal Access Token in Azure and used it with curl:

curl -u USER:PAT https://dev.azure.com/{{ORG}}/...

Got something like this as the final command:

curl -u USER:PAT \
  -d '{"name": "release","type": "github","url": "https://github.com","authorization":{"scheme":"PersonalAccessToken","parameters":{"accessToken":"GITHUB_PAT"}}}' \
  -H "Content-Type: application/json" \
  -X POST 'https://dev.azure.com/{{ORG}}/{{PROJ}}/_apis/serviceendpoint/endpoints?api-version=5.1-preview'

Hope it helps.

@ljvmiranda921
Contributor

ljvmiranda921 commented Dec 28, 2019

I tried running the command above with:

curl -d '{
  "name": "release",
  "type": "github",
  "url": "https://github.com",
  "authorization": {
    "scheme": "PersonalAccessToken",
    "parameters": {
      "accessToken": "<TODO-ACCESS_TOKEN>"
    }
  }
}' -H "Content-Type: application/json" -X POST 'https://dev.azure.com/ljvmiranda/ljvmiranda/_apis/serviceendpoint/endpoints?api-version=5.1-preview.2'

But it gives the following message:

<html><head><title>Object moved</title></head><body>
<h2>Object moved to <a href="https://spsprodea1.vssps.visualstudio.com/_signin?realm=dev.azure.com&amp;reply_to=https%3A%2F%2Fdev.azure.com%2FORG%2FUSER%2F_apis%2Fserviceendpoint%2Fendpoints%3Fapi-version%3D5.1-preview.2&amp;redirect=1&amp;hid=ab139b33-4392-4e67-923e-eb0d18ce6a69&amp;context=eyJodCI6MiwiaGlkIjoiZTBjZDQ0ZmMtMGRjNC00NWU0LTk3ZDEtZDEwMzA0NTljN2NhIiwicXMiOnt9LCJyciI6IiIsInZoIjoiIiwiY3YiOiIiLCJjcyI6IiJ90#ctx=eyJTaWduSW5Db29raWVEb21haW5zIjpbImh0dHBzOi8vbG9naW4ubWljcm9zb2Z0b25saW5lLmNvbSIsImh0dHBzOi8vbG9naW4ubWljcm9zb2Z0b25saW5lLmNvbSJdfQ2">here</a>.</h2>
</body></html>

Clicking that link simply redirects me to the Azure login page. I also tried running:

$ az login

But same results.
Not sure how to proceed with this. Any ideas @amaslenn @twpayne @DavidSimner ?

I'm hoping that the fix for this bug arrives very soon. According to #9394, there's already a fix for this. Automating GitHub releases is a common task for most open-source projects and being unable to do that seamlessly is frustrating.

@ljvmiranda921
Contributor

ljvmiranda921 commented Dec 28, 2019

Ok, I was able to solve the problem above by creating a personal access token. You can do so by following the instructions here. The minimal scope for the token can be: Service Connections (Read, query, & manage). Be sure to click the "other 27 scopes" so this would appear.

[image: create_access_token]

After creating the token you need to (1) base64 encode it and (2) copy-paste it in your request. In my case, I just used Postman rather than the usual cURL since the former does step 1 automatically. For Postman, simply go to the "Authorization" tab and fill in your Username and Password (the generated token).

[image: params]

Then for the request just go to Body, click the raw radio button. Then click the dropdown and change it from Text to JSON. You can then put the request as above (I'll copy-paste it here for clarity):

{
  "name": "release",
  "type": "github",
  "url": "https://github.com",
  "authorization": {
    "scheme": "PersonalAccessToken",
    "parameters": {
      "accessToken": "<TODO-GITHUB-PERSONAL-ACCESS-TOKEN>"
    }
  }
}

By clicking the Send command, you should be able to confirm that the Service Connection has been created properly:

[image: verify]


Can also be found in my blog here: https://ljvmiranda921.github.io/notebook/2019/12/28/workaround-azure-github-pat/
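
The request described in the comments above, as an added example that is not part of the original thread: it builds the same POST with the PersonalAccessToken scheme, performs the base64 step for Basic auth with an empty username, and checks which scheme the reply reports. The environment variable names, and the assumption that the reply carries `authorization.scheme` in the same shape as the request, are this example's own.

```python
import base64
import json
import os
import urllib.request
from urllib.parse import quote

API = "https://dev.azure.com/{}/{}/_apis/serviceendpoint/endpoints?api-version=5.1-preview.2"


def build_request(org, project, name, github_pat, azdo_pat):
    """Build (without sending) the POST that creates the GitHub connection."""
    body = {
        "name": name,
        "type": "github",
        "url": "https://github.com",
        "authorization": {
            "scheme": "PersonalAccessToken",  # the scheme the task asks for
            "parameters": {"accessToken": github_pat},
        },
    }
    # Basic auth: empty username, Azure DevOps PAT as password (what curl -u encodes).
    basic = base64.b64encode(f":{azdo_pat}".encode()).decode()
    return urllib.request.Request(
        API.format(quote(org, safe=""), quote(project, safe="")),
        data=json.dumps(body).encode(),
        headers={"Content-Type": "application/json",
                 "Authorization": f"Basic {basic}"},
        method="POST",
    )


def created_scheme(reply_text):
    """Return the scheme the reply reports; raise if it is not endpoint JSON."""
    try:
        return json.loads(reply_text)["authorization"]["scheme"]
    except (ValueError, KeyError, TypeError) as exc:
        raise RuntimeError("reply is not service-endpoint JSON (sign-in page?)") from exc


if __name__ == "__main__":
    # Secrets come from the environment (names are this example's), not argv.
    env = os.environ
    req = build_request(env["AZDO_ORG"], env["AZDO_PROJECT"], "release",
                        env["GITHUB_PAT"], env["AZDO_PAT"])
    with urllib.request.urlopen(req) as resp:
        scheme = created_scheme(resp.read().decode())
    if scheme != "PersonalAccessToken":
        raise SystemExit(f"unexpected scheme: {scheme}")
    print("service connection created with scheme", scheme)
```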

@Sipkab

Sipkab commented Apr 4, 2020

You can send in the request without creating an access token for Azure. If you're already logged in, then you can get away with sending the following fetch request from the developer console of your browser:

fetch("https://dev.azure.com/<ORGANIZATION>/<PROJECT>/_apis/serviceendpoint/endpoints?api-version=5.1-preview.2", {"credentials":"include","headers":{"accept":"text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.9", "content-type": "application/json","accept-language":"en-US;q=0.9,en;q=0.8","cache-control":"no-cache","pragma":"no-cache","sec-fetch-dest":"document","sec-fetch-mode":"navigate","sec-fetch-site":"none","sec-fetch-user":"?1","upgrade-insecure-requests":"1"},"referrerPolicy":"no-referrer-when-downgrade","body":`{
  "name": "<NAME>",
  "type": "github",
  "url": "https://github.com",
  "authorization": {
    "scheme": "PersonalAccessToken",
    "parameters": {
      "accessToken": "<GITHUB_PERSONAL_ACCESS_TOKEN>"
    }
  }
}`,"method":"POST","mode":"cors"});

Fill in <THESE_PARTS>.

@ljvmiranda921
Contributor

ljvmiranda921 commented Apr 4, 2020

Interesting @Sipkab, but I got confused:

> You can send in the request without creating an access token for Azure.

What then should I put inside ACCESS_TOKEN?
Oh ok, it's the GitHub Access Token

@Sipkab

Sipkab commented Apr 4, 2020

> What then should I put inside ACCESS_TOKEN?

The GitHub personal access token that you've generated in your account.

@Blackbaud-BobbyEarl

Thank you so much for the suggestion @Sipkab!

I needed to tweak slightly to accommodate updating an existing service connection, but you steered me to the quickest resolution (suddenly I was blocking hundreds of devs 😬).

@romil07
Contributor

romil07 commented May 10, 2020

This has been fixed in a later version of the task. Closing this.

@Blackbaud-BobbyEarl

Could you provide more details @romil07? Perhaps link to a commit or PR? Does "later version" mean the same V0 of the task or something else? Thanks!
