Azure DevOps Integration

Context

The web app needs a way to display spice registries from a Git repository. To achieve this, the web backend needs access to the user’s source code, and the easiest way is for the backend to connect to the central repository where that source code is hosted.

Because registration is static, the source code only needs to be parsed: we can build the graphs without executing any customer code, so read-only access to the repository is all the integration requires.

Current system

As of Nov. 2024, the Azure DevOps integration only works for our historical customer Pernod Ricard. The implementation relies exclusively on the Azure DevOps REST API.

Using the REST API is probably something we want to keep (as opposed to using Azure’s clumsy SDK).

However, the current authentication mechanism is terrible and not meant to be used in our production context… yet it is.

We currently use a Personal Access Token with the Basic Auth mechanism (empty user name, PAT as password). That is the reason why the Azure DevOps integration can only work with Pernod Ricard: a PAT is necessarily limited to one organization, since it is tied to a user account. It is also a long-lived secret for that specific user: it expires and has to be rotated by hand, it stops working when that user leaves or loses access, and every request we make is audited as that user rather than as our service.

Scaling and future-proofing

We need a way to authenticate our application using OAuth. Any customer that uses Azure DevOps should authorize our own Azure app in their organization.

At first sight this is not doable. Strangely enough, the Azure DevOps resource in Microsoft Entra ID only exposes delegated permissions (user_impersonation), meaning that a token obtained through consent is always issued on behalf of a human user.

We created a spice app registration in our own Azure tenant (link).

There must be a way though: we want our app to access a repo on its own behalf, not on behalf of a user. An admin on the customer side obviously has to authorize the app, but the resulting authorization must belong to the application itself. Azure DevOps does in fact support this since 2023: a service principal (or managed identity) can be added to an Azure DevOps organization as a user, given an access level and repository permissions like any other member, and then authenticate with the client credentials grant using the scope 499b84ac-1321-427f-aa17-267ca6975798/.default, with no user in the loop. Two points to verify before designing around it: the customer’s organization must be connected to their Microsoft Entra tenant (organizations backed by personal Microsoft accounts cannot add service principals), and for a multi-tenant app registration it is the service principal created in the customer’s tenant at consent time that must be added to their organization, with the token requested from that tenant’s endpoint.
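The two mechanisms side by side, as an added example written for this note rather than code from the current integration: the user-bound PAT header we use today, and the application-identity path (client credentials for the Azure DevOps resource, cached and refreshed before expiry, then used as a Bearer token against the Git items API). The resource GUID and the REST endpoints are the documented ones; the tenant, client, organization, project and repository names, and the token response, are placeholders constructed for the example.

```python
"""Azure DevOps REST auth: user-bound PAT vs application identity.

Added example, not the project's code. Assumptions: the GUID below is the
documented Entra resource id of Azure DevOps; every other name is a placeholder.
"""
import base64
import json
import time
import urllib.parse
import urllib.request

ADO_RESOURCE_ID = "499b84ac-1321-427f-aa17-267ca6975798"  # Azure DevOps in Entra ID
API_VERSION = "7.1"


def pat_basic_header(pat: str) -> dict:
    """Current mechanism: Basic auth with an empty user name and the PAT as
    password. The PAT belongs to one human user in one organization, so every
    call is audited as that user and dies with their account."""
    token = base64.b64encode(f":{pat}".encode()).decode()
    return {"Authorization": f"Basic {token}"}


def client_credentials_request(tenant_id: str, client_id: str, client_secret: str):
    """Target mechanism: client credentials grant for the Azure DevOps resource.
    No user is involved; the service principal must already have been added to
    the customer's Azure DevOps organization by its admin. For a multi-tenant
    app, tenant_id is the customer's tenant, not ours. Returns (url, body)."""
    url = f"https://login.microsoftonline.com/{tenant_id}/oauth2/v2.0/token"
    body = urllib.parse.urlencode({
        "grant_type": "client_credentials",
        "client_id": client_id,
        "client_secret": client_secret,
        "scope": f"{ADO_RESOURCE_ID}/.default",  # app identity, no delegated user
    }).encode()
    return url, body


def parse_token_response(raw: bytes, now: float):
    """Extract the access token and its absolute expiry from a token response.
    Rejects anything that is not a Bearer token so a misconfiguration fails loudly."""
    data = json.loads(raw)
    if data.get("token_type", "").lower() != "bearer":
        raise ValueError("unexpected token_type in token response")
    return data["access_token"], now + float(data["expires_in"])


class TokenCache:
    """Caches one access token and refreshes it `skew_seconds` before expiry,
    so a request never leaves with a token that expires in flight.
    `fetch_token` is any callable returning the raw token-endpoint response."""

    def __init__(self, fetch_token, skew_seconds: int = 300, clock=time.time):
        self._fetch = fetch_token
        self._skew = skew_seconds
        self._clock = clock
        self._token = None
        self._expires_at = 0.0
        self.fetch_count = 0  # exposed so callers can verify refresh behaviour

    def bearer_header(self) -> dict:
        now = self._clock()
        if self._token is None or now >= self._expires_at - self._skew:
            self._token, self._expires_at = parse_token_response(self._fetch(), now)
            self.fetch_count += 1
        return {"Authorization": f"Bearer {self._token}"}


def git_item_url(org: str, project: str, repo: str, path: str, branch: str = "main") -> str:
    """Git Items - Get: read one file from a branch without cloning the repo."""
    query = urllib.parse.urlencode({
        "path": path,
        "versionDescriptor.version": branch,
        "versionDescriptor.versionType": "branch",
        "api-version": API_VERSION,
    })
    return f"https://dev.azure.com/{org}/{project}/_apis/git/repositories/{repo}/items?{query}"


def get_json(url: str, headers: dict, timeout: int = 10):
    """Perform the call (network; not exercised offline). Works with either header."""
    req = urllib.request.Request(url, headers={**headers, "Accept": "application/json"})
    with urllib.request.urlopen(req, timeout=timeout) as resp:
        return json.load(resp)


def fetch_token_from_entra(tenant_id: str, client_id: str, client_secret: str) -> bytes:
    """Real token fetch to plug into TokenCache (network; placeholders as inputs)."""
    url, body = client_credentials_request(tenant_id, client_id, client_secret)
    req = urllib.request.Request(url, data=body, method="POST")
    with urllib.request.urlopen(req, timeout=10) as resp:
        return resp.read()
```

The cache takes the token-fetching callable and the clock as parameters so the refresh logic can be exercised offline with a constructed response; in production, pass `lambda: fetch_token_from_entra(customer_tenant, client_id, client_secret)` and keep the client secret (or better, a certificate) out of logs entirely: neither function ever prints it.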

Resources

Some of these might be helpful… or not.

Example and inspirations

Plenty of tools require the same set of permissions as we do. For instance:

  • Sentry
  • Sonarqube
  • or any tool that needs access to source code!

To implement our solution, we can take some inspiration from how they onboard an Azure DevOps organization.