Visual Studio Team Services

VSTS & TFS Rest API: 03 – Authentication

As mentioned in the previous post, there are several ways to authenticate yourself against your target VSTS or TFS endpoint and depending on your environment, you will have to use one or the other.

When constructing a new VssConnection instance, you have to pass along a VssCredentials instance into it, the later being, as the name implies, the container for your authentication credentials and it comes in various flavours (read: .ctor overloads and derived classes).

NTLM

The most basic one is constructing a VssCredentials instance with no parameter at all and what you’ll be using is simply put integrated authentication / NTLM:

var visualStudioServicesConnection = new VssConnection(new Uri(baseUri), new VssCredentials());

Basic Authentication

VSTS and TFS also provide means to utilize Basic authentication (HTTP AUTH) which you need to create and enable first (see VSTS guidelines) and once you’ve done so, you can use them via the API like this:

var visualStudioServicesConnection = new VssConnection(new Uri(baseUri), new VssBasicCredential(username, password));

Personal Access Tokens

Next up are Personal Access Tokens (PAT) which you can easily create following the VSTS guidelines and those PATs are a means of authenticating separately from your actual credentials with a fine-grained & per access token scopes of security. Simply put it allows you to create a PAT for every use-case or even application and thereby enabling a secure and clearly separated way of giving an application or 3rd party access to your VSTS or TFS system on your behalf.

To use these via the API, you use the exact same mechanism as via Basic Authentication but you simply don’t provide any username (well – an empty one to be precise), and the PAT itself is used as the password:

var visualStudioServicesConnection = new VssConnection(new Uri(baseUri), new VssBasicCredential(string.Empty, pat));

Visual Studio Sign-in Prompt

Moreover another way of authenticating is using the standard VS Sign-In prompt which is similarly easy and exposed via the VssClientCredentials class:

var visualStudioServicesConnection = new VssConnection(new Uri(baseUri), new VssClientCredentials());

OAuth Authentication

OAuth is a widely used but a slightly more tedious authorization protocol to implement but luckily there’s a thorough sample application available at CodePlex specifically for VSTS / VSO (which also works for on-premises).

Once you have the corresponding access token, you can use it to VSTS / TFS utilizing the VssOAuthCredential class:

var visualStudioServicesConnection = new VssConnection(new Uri(baseUri), new VssOAuthCredential(accessToken));

Azure Active Directory Authentication

Last but not least you can utilize Azure Active Directory identities to authenticate against a VSTS or TFS system via the VssAadCredential class:

var visualStudioServicesConnection = new VssConnection(new Uri(baseUri), new VssAadCredential(username, password));

Conclusion

Those are the authentication types currently available (or at least the ones I know of) and most are quite easily usable, just make sure to keep the sensitive bits (i.e. your Personal Access Token or OAuth Access Token) secure.

 

Index for all Posts | Full code is available at GitHub

Discussion

Comments disabled.