Choose the right authentication mechanism
Azure DevOps Services | Azure DevOps Server 2022 - Azure DevOps Server 2019
For applications that interface with Azure DevOps Services, you must authenticate to gain access to resources like REST APIs. This article provides guidance to help you choose the right authentication mechanism for your application.
The following table outlines the recommended authentication mechanisms for different application types. Refer to the accompanying descriptions, examples, and code samples to help get you started.
| Type of application | Description | Example | Authentication mechanism | Code samples |
|---|---|---|---|---|
| Interactive client-side (REST) | Client application that allows user interaction calling Azure DevOps Services REST APIs | Console application enumerating projects in an organization | Microsoft Authentication Library (MSAL) | sample |
| Interactive client-side (Client library) | Client application that allows user interaction calling Azure DevOps Services Client libraries | Console application enumerating bugs assigned to the current user | Client libraries | sample |
| Interactive JavaScript | GUI-based JavaScript application | AngularJS single page app displaying project information for a user | Microsoft Authentication Library for JavaScript (MSAL JS) | sample |
| Personal access token (PAT) | Bearer token to access your own resources | Use your PAT in place of your password. | PATs | PATs |
| Non-interactive client-side | Headless text only client-side application | Console app displaying all bugs assigned to a user | Device Profile | sample |
| Interactive client-side app targeting Azure DevOps | Client application that allows user interaction authenticates Azure DevOps users | Console application allowing Azure DevOps users to see assigned bugs | Client Library (Interactive and Windows authentication) | sample |
| Interactive web | GUI-based web application that requires user consent | Custom Web dashboard displaying build summaries | Azure DevOps OAuth | sample |
| Service Principals or Managed Identities | Application with access to organization's Azure DevOps resources | Azure function to create work items | Service principals and managed identities | sample |
| Azure DevOps Server application | Azure DevOps Server app using the Client OM library | Azure DevOps Server extension displaying team bug dashboards | Client Libraries | sample |
| Azure DevOps Services extension | Azure DevOps Services extension | Agile Cards | VSS Web Extension SDK | sample |
For more information, see the following articles:
- About security and identity.
- Credential storage for Azure DevOps.
- OAuth authentication
- Service principals and managed identities
- Azure DevOps Client Libraries
- Azure DevOps extensions
- Azure DevOps data protection overview
Enabling IIS Basic Authentication invalidates using PATs for Azure DevOps Server
For more information, see Using IIS Basic Authentication with Azure DevOps on-premises.
Frequently asked questions (FAQs)
Q: Why can't my service account access the Azure DevOps REST API?
A: Your service account might not have "materialized." Service accounts without interactive sign-in permissions can't sign in. For more information, see this work-around for a solution.
Q: Should I use Azure DevOps Services Client Libraries or Azure DevOps Services REST APIs for my interactive client-side application?
A: We recommend using Azure DevOps Services Client Libraries over REST APIs for accessing Azure DevOps Services resources. They're simpler and easier to maintain when REST endpoint versions change. If the client libraries lack certain functionality, use MSAL for authentication with our REST APIs.
Q: Is this guidance only for Azure DevOps Services or is it also relevant for on-premises Azure DevOps Server users?
A: This guidance is primarily for Azure DevOps Services users. For Azure Devops Server users, we recommend using the Client Libraries, Windows Authentication, or Personal Access Tokens (PATs) for authentication.
Q: What if I want my application to authenticate with both Azure DevOps Server and Azure DevOps Services?
A: The best practice is to have separate authentication paths for Azure DevOps Server and Azure DevOps Services. You can use the requestContext to determine which service you're accessing and then apply the appropriate authentication mechanism. If you prefer a unified solution, PATs work for both.
Povratne informacije
Stiže uskoro: Tokom 2024. godine postepeno ćemo ukidati probleme sa uslugom GitHub kao mehanizam povratnih informacija za sadržaj i zameniti ga novim sistemom povratnih informacija. Dodatne informacije potražite u članku: https://aka.ms/ContentUserFeedback.
Prosledite i prikažite povratne informacije za