I'm not planning to support PATs which are limited to certain organizations. Note that PATs are anyway only a workaround in case you have trouble with OAuth authentication (usually you shouldn't have). Such limited PATs would make several code parts more complicated. For example, already "_apis/profile/profiles/me" fails.
If you have different user accounts (=emails), that should be supported by setting up one Azure DevOps Hosting Provider per account.
@hrant and @Martillo, thanks for your testing and feedback! I have now uploaded build 17071 (Help|Check for Latest Build) with the following changes:
- Settings are now per-user and cross-account, because OAuth tokens and PATs are, too. The "user ID" which is required for pull request comments is detected from REST call "_apis/profile/profiles/me". Assigned organizations are detected from REST call "_apis/accounts". There can be multiple Azure DevOps Hosting Provider configurations (for different user accounts). The assigned organizations will be used to map repository URLs to those settings. I didn't test with multiple user accounts, though.
- fix setup with PATs (sometimes it worked, most times it didn't)
- OAuth app-callback should only be used URL-encoded
- improved "No refresh-token present" error message
Note that:
- You will have to recreate your Hosting Provider configuration!
- PATs are only a workaround, the recommended setup is using OAuth
- "visualstudio.com" URLs are not supported
You can manually change the Organization ("Account") in the Azure DevOps account dialog. But as pointed out in my last comment, I hope to get rid of the Account entirely. Can you please give the clone, as outlined above, a try?
I'm wondering whether we need accounts/usernames at all. OAuth tokens/PATs already seem to uniquely identify the users. I couldn't find any official statement in the REST API docs about this, but I found the following:
https://github.com/MicrosoftDocs/azure-devops-docs/issues/2455#issuecomment-439503194
The same is also true for GitHub, Bitbucket and GitLab. For my experiments, I could now also successfully use the OAuth token and a PAT to access repositories of my two test organizations. For PATs, it's important to give them access to "All accessible organizations"; scope Code Read&Write should be sufficient.
@hrant and @Martillo, can you please confirm that you are able to access all of your (private) repositories when creating such a PAT:
`git clone https://anything:<PAT>@dev.azure.com/yourOrgName/yourProjectName/_git/yourRepoName`
Note that there is another bug in SmartGit's latest build which prevents PATs from working correctly (almost always), hence it's not yet expected to work from within SmartGit.
At which point would SmartGit get in touch with an "org.visualstudio.com"-URL? None of your above logs mentions "org.visualstudio.com".
> 2- Digging further on why I was not seeing the Azure logo on branches, it dawned on me that our organization still uses the older visualstudio domain format
> `https://org.visualstudio.com` instead of `https://dev.azure.com/org`
Do you think that this could be a common problem? Any ideas how SmartGit could detect this problem?
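One way such a check could look, as an added example that is not part of the thread and not SmartGit's code: it maps an HTTPS remote URL to a provider configuration by organization, flags the older `org.visualstudio.com` form, and drops any `user:PAT@` part before the URL is reported. The function names, the `PROVIDERS` layout and the case-insensitive organization match are assumptions.

```python
from urllib.parse import urlsplit, urlunsplit

def classify_remote(url):
    """Return (org, is_legacy, redacted_url) for an HTTPS Azure DevOps remote, else None."""
    parts = urlsplit(url)
    host = (parts.hostname or "").lower()
    segments = [s for s in parts.path.split("/") if s]
    if host == "dev.azure.com" and segments:
        org, legacy = segments[0], False          # https://dev.azure.com/org/...
    elif host.endswith(".visualstudio.com") and host.count(".") == 2:
        org, legacy = host.split(".")[0], True    # https://org.visualstudio.com/...
    else:
        return None                               # e.g. app.vssps.visualstudio.com
    # Rebuild the URL without userinfo so a PAT embedded as user:token@ is never logged.
    netloc = host if parts.port is None else f"{host}:{parts.port}"
    redacted = urlunsplit((parts.scheme, netloc, parts.path, "", ""))
    # Assumption: organization names are compared case-insensitively.
    return org.lower(), legacy, redacted

def select_provider(url, providers):
    """Map a remote URL to a provider config; providers is {config_name: set_of_orgs}."""
    info = classify_remote(url)
    if info is None:
        return None, "not an Azure DevOps HTTPS URL"
    org, legacy, redacted = info
    for name, orgs in providers.items():
        if org in {o.lower() for o in orgs}:
            if legacy:
                return name, f"legacy URL {redacted}: expected https://dev.azure.com/{org}/..."
            return name, "ok"
    return None, f"no configured account lists organization '{org}'"

# Constructed sample data: two hypothetical provider configurations and four remotes.
PROVIDERS = {"work": {"yourOrgName"}, "private": {"org"}}
SAMPLES = [
    "https://anything:CONSTRUCTED_PAT@dev.azure.com/yourOrgName/yourProjectName/_git/yourRepoName",
    "https://org.visualstudio.com/proj/_git/repo",
    "https://dev.azure.com/otherOrg/proj/_git/repo",
    "https://app.vssps.visualstudio.com/_apis/accounts",
]

if __name__ == "__main__":
    for sample in SAMPLES:
        print(select_provider(sample, PROVIDERS))
```

Only HTTPS remotes are handled; SSH remotes would need their own parsing.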
:D That is really good to hear! Hence, from my understanding the following issues are still open:
- some error messages are still mentioning "Bitbucket"
- the rundll32-link should better be encoded: it seems the encoded version is working for all of us with all browsers
- improve "no refresh-token present" error message
- personal access tokens: I can reproduce the 401 for "https://app.vssps.visualstudio.com/_apis/profile/profiles/me" now -- I guess since introducing that call I didn't check again with PATs, sorry for that ...
That looks good! Currently, SmartGit is populating the "Account" field with the first account from this list. Maybe it should better offer a list to choose from?
Did you also try to click the Generate Token button instead of copy&pasting the URL to the browser directly? It will invoke rundll32 exactly as you did, hence I would expect this to work, too.
Regarding pull requests, the Branches view doesn't show any of them, but it also doesn't denote any errors in the Azure logo. Is it correct that the repository doesn't contain any pull requests?
> Correct, it turns out that smartgit passing url to browser is running into an issue and concatenating multiple times.
> here's how the urldecoded version looks like what is actually passed to the browser.
That's interesting. I'm on Windows 10 and don't have any trouble with passing the URL-decoded version to rundll32 (the partial duplication is expected and required). From the command line, can you please try to run the following commands and let me know which ones of them succeed?
`rundll32 url.dll,FileProtocolHandler "https://app.vssps.visualstudio.com/oauth2/authorize?client_id=8596D322-85D7-49ED-8103-77ABE77BD190&response_type=Assertion&state=nothing&scope=vso.code_write&redirect_uri=https://www.syntevo.com/smartgit/azuredevops-callback"`
and:
`rundll32 url.dll,FileProtocolHandler "https://app.vssps.visualstudio.com/oauth2/authorize?client_id=8596D322-85D7-49ED-8103-77ABE77BD190&response_type=Assertion&state=nothing&scope=vso.code_write&redirect_uri=https%3A%2F%2Fwww.syntevo.com%2Fsmartgit%2Fazuredevops-callback"`
> if I copy the url shown in the dialog and paste that in the browser, I get a proper login dialog, and when I paste back the
> Authorization code, the Account field is filled with one of our organizations.
That's good. This is the result of https://app.vssps.visualstudio.com/_apis/accounts callback. When invoking this URL in your browser can you see multiple accounts there? Does that match the organizations you are connecting to?
> Now if we forget about the second org, and look into the first one that properly got added, I still don't see anywhere any traces of pull request.
Does the Branches view now show the Azure logo? Let's first concentrate on getting this working for the organization which Generate Token suggests. Also let's switch to email. Please send clean logs for the seemingly successful authentication for this organization to smartgit@syntevo.com:
https://www.syntevo.com/doc/display/SG/Debugging#Debugging-Generaladvices/preparations
> I tested connecting using an OAuth token when "Allow Third-party Application access via OAuth" was turned off for the org in Azure DevOps (see screenshot) and got an HTTP 401 response, so it would be helpful to add some instructional text in the dialog box to note that this needs to be turned on in the org.
Thanks for this hint! Usually we collect possible problems with Hosting Provider setups in our docs, hence I have added this information there: https://www.syntevo.com/doc/display/SG/Azure+DevOps
> Also, I had real problems creating an OAuth token for an org where I authenticate with a different MS account than the one I'm logged into my Windows workstation with, so I gave up and used a PAT instead.
So you can't simply switch accounts in your browser? This works fine for e.g. GitHub/Bitbucket, but I understand that for Azure, authentication may somehow be tied to your workstation login. In this case, I agree, PATs may be the best choice.
> Since authenticating with OAuth tokens for multiple MS accounts could be problematic, you might get fewer support requests from users if you encourage PATs over OAuth.
I'm wondering how common it is with Azure that one user has multiple accounts? Why do you as a single person have multiple accounts? Note that you wrote about "multiple Azure DevOps instances" which is something different: there must be a way to switch between them in the browser and then OAuth should work out-of-the-box.
> For PATs, it would also be helpful to add some text on the Azure DevOps Configure Hosting Provider dialog to explain that a PAT only needs Code Read/Write permissions but access to all accessible orgs.
I have checked the related code, but it can only distinguish between automatically generated tokens and manually entered tokens. After the token has been confirmed such an info could be displayed. But especially during setup while the user may type/paste anything into the Token text field, I can't tell whether this is a PAT or not. Hence, providing a reliable text here is a bit tricky.
> BTW , by "Retract Pull Request" do you mean "Abandon"?
SmartGit is using "Retract" for outgoing pull requests. For all Hosting Providers, the underlying commands which will be executed are identical to Rejecting a pull request. Hence, for the next build, I have switched from "Retract" to "Reject", except for Azure DevOps which will use "Abandon" instead of "Retract"/"Reject".