powershell 如何使用client_id和client_secret查询Azure DevOps工作项

2ekbmq32  于 12个月前  发布在  Shell
关注(0)|答案(1)|浏览(218)

我想通过Azure DevOps REST API查询工作项。当我使用具有work_write访问权限的PAT时,此操作有效。
现在我想使用一个应用程序来实现这一点。
我做的步骤:
1.通过Azure门户在Microsoft Entra中创建新应用程序
1.向该应用程序授予了vso.work_write权限并授予了管理员同意(尽管不需要管理员同意)
1.创建client_secret
1.将该应用程序添加为Azure Devops中的用户,并将其分配给我要查询的项目的“项目贡献者”角色。
我正在使用下面的PowerShell代码登录并查询工作项。我可以成功登录,并获得一个看起来很好的access_token。然而,对WIQL查询的响应是登录页面的HTML。我使用从我的帐户使用相同的work_write权限创建的PAT测试了相同的查询,它工作得很好。

# Define the variables
$organization = "..."
$project = "..."
$clientId = "..."
$tenantId = "..."
$clientSecret = "..."
$baseurl = "https://dev.azure.com/$organization/$project"
$tokenurl = "https://login.microsoftonline.com/$tenantId/oauth2/token"

# Get the access token
$body = @{
    client_id = $clientId
    client_secret = $clientSecret
    grant_type = "client_credentials"
    scope = "https://app.vssps.visualstudio.com/vso.work_write"
}
$tokenresponse = Invoke-RestMethod -Uri $tokenurl -Method Post -Body $body -ContentType "application/x-www-form-urlencoded"
$token = $tokenresponse.access_token
echo $tokenresponse # This looks fine

# Define the WIQL query
$wiql = @{
    query = "SELECT [System.Id], [System.AssignedTo], [System.State], [System.Title] FROM workitems WHERE [System.TeamProject] = '$project' AND [System.State] = 'Resolved' AND [System.ChangedDate] < @today-7 AND [System.Tags] NOT CONTAINS 'Stale'"
} | ConvertTo-Json

# Post the WIQL query to the REST API
$wiqlurl = "$baseurl/_apis/wit/wiql?api-version=7.1"
$wiqlresponse = Invoke-RestMethod -Uri $wiqlurl -Method Post -Body $wiql -ContentType "application/json" -Headers @{Authorization=("Bearer {0}" -f $token)}

echo $wiqlresponse # This is the html of the sign in page

字符串
为了成功执行查询,我需要更改什么?

0s7z1bwu

0s7z1bwu1#

要解决此错误,您需要将scope值更改为**499b84ac-1321-427f-aa17-267ca6975798/.default,并在PowerShell脚本中使用v2.0令牌URL。
在我的例子中,我注册了一个Azure AD应用程序,并将其添加为Azure DevOps中的
用户**-组织,具有“项目贡献者”角色:
x1c 0d1x的数据
现在,我运行下面的modified脚本,通过如下方式更改$scope$tokenurl参数的值:

# Define the variables
$organization = "sridevOpsdemo"
$project = "sriproj1"
$clientId = "appId"
$tenantId = "tenantId"
$clientSecret = "secret"
$baseurl = "https://dev.azure.com/$organization/$project"
$tokenurl = "https://login.microsoftonline.com/$tenantId/oauth2/v2.0/token"

# Get the access token
$body = @{
    client_id = $clientId
    client_secret = $clientSecret
    grant_type = "client_credentials"
    scope = "499b84ac-1321-427f-aa17-267ca6975798/.default"
}
$tokenresponse = Invoke-RestMethod -Uri $tokenurl -Method Post -Body $body -ContentType "application/x-www-form-urlencoded"
$token = $tokenresponse.access_token
echo $tokenresponse

$wiql = @{
    query = "Select [System.Id], [System.Title], [System.State] From WorkItems Where [System.WorkItemType] = 'Task' order by [Microsoft.VSTS.Common.Priority] asc, [System.CreatedDate] desc"
} | ConvertTo-Json

$wiqlurl = "$baseurl/_apis/wit/wiql?api-version=7.1"
$wiqlresponse = Invoke-RestMethod -Uri $wiqlurl -Method Post -Body $wiql -ContentType "application/json" -Headers @{Authorization=("Bearer {0}" -f $token)}

字符串

回复:



当我回显**$wiqlresponse时,我成功地获得了带有工作项详细信息的响应**,如下所示:

echo $wiqlresponse


参考:

使用服务主体和托管身份- Azure DevOps|微软

相关问题