This repository has been archived by the owner on Feb 22, 2025. It is now read-only.

Can't create Full Scope PAT #481

Open
JerrickLewis7190 opened this issue Feb 28, 2022 · 13 comments

Comments

@JerrickLewis7190

My org is cracking down on full-scoped PATs, which are no longer allowed to be created. Can you add the functionality to create partial-scope PATs?

getAuthenticationInfoAsync failed

java.lang.Error: java.io.IOException: HTTP request failed with code 400: {"$id":"1","innerException":null,"message":"FullScopePatPolicyViolation","typeName":"Microsoft.VisualStudio.Services.DelegatedAuthorization.SessionTokenCreateException, Microsoft.VisualStudio.Services.WebApi, Version=14.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a","typeKey":"SessionTokenCreateException","errorCode":0,"eventId":3000}

@JerrickLewis7190

JerrickLewis7190 commented Mar 22, 2022

Hello, I was wondering if there are any changes on this. I think it might be a good idea to allow the users to set whatever token they want to use. @ForNeVeR could I add this as a requested feature?

@JerrickLewis7190

I made the change. Can anyone give me access to create a branch?

@haven2world

Any updates? I'm experiencing the same. Looks like the plugin hasn't been updated in one year.

@haven2world

@JerrickLewis7190 Maybe you can fork this repo and create a PR back?

@morfj

morfj commented Aug 18, 2022

Hoping for a fix soon here too!

@YuiTH

YuiTH commented Mar 20, 2023

Bumping up. This feature also breaks the private NuGet feed.
It makes this plugin basically unusable in MSFT...

@reza-repo

@JerrickLewis7190 did you ever create a PR?

@alexcrownus

This is a major blocker.

@connorjs

This seems to be the issue with the most up-votes.

I also hit this exception using Rider. I saw FullScopePatPolicyViolation mentioned, which may relate to my organization's rules around generating "full scope" PATs.

As @JerrickLewis7190 suggested, providing an option (config file, reading an environment variable, UI implementation) to enter a given PAT (the token itself) would solve this. The documentation can detail what permissions that PAT should have (I doubt it needs full; I expect it to need things to pull/push to repos, comment on PRs, and similar).

Is there a recommendation from the plugin owners on how we can contribute this fix? It relates to security, so I want to understand if there are any additional contributing requirements outside of those documented in the README.

@connorjs

Note: I went through related issues and redirected them to this one given, at time of writing, this had the most up votes. Let's focus the discussion here.

@connorjs

@ForNeVeR - Do you see any concerns with the community submitting a PR to allow user-provided token instead of whatever existing auth flow exists? I prefer to get maintainer blessing for security-related things before diving into solutions.

@ForNeVeR
Collaborator

ForNeVeR commented Nov 30, 2024

I do not have any concerns about such a contribution. Just make sure there's some setting/checkbox in a user-visible place, and use IntelliJ ways of storing the passwords (PasswordSafe).

It will be tested and merged if it works well.
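One way the user-provided-PAT option discussed above could keep the token out of plain-text settings, as an added example that is not code from this plugin or from any of the commenters: the PAT is written to and read from IntelliJ's PasswordSafe (the credential store the maintainer asks for), and a helper builds the Basic authorization header Azure DevOps expects for a PAT (empty user name, PAT as the password). The class name PatStore, the subsystem string and the idea that a settings checkbox drives savePat/clearPat are assumptions; the PasswordSafe, CredentialAttributes and Credentials APIs are from the IntelliJ Platform SDK.

```java
// Added example, not the plugin's own code. Assumes a settings page with a
// server URL field and a "use my own PAT" checkbox that calls savePat/clearPat.
import com.intellij.credentialStore.CredentialAttributes;
import com.intellij.credentialStore.CredentialAttributesKt;
import com.intellij.credentialStore.Credentials;
import com.intellij.ide.passwordSafe.PasswordSafe;
import org.jetbrains.annotations.NotNull;
import org.jetbrains.annotations.Nullable;

import java.nio.charset.StandardCharsets;
import java.util.Base64;

public final class PatStore {
    // Hypothetical subsystem name; it namespaces the entry in the user's keychain/KeePass store.
    private static final String SUBSYSTEM = "AzureDevOpsPlugin";

    private PatStore() {}

    private static CredentialAttributes attributesFor(@NotNull String serverUrl, @NotNull String userName) {
        // generateServiceName produces the conventional "<subsystem> - <key>" service name,
        // so PATs for different Azure DevOps organizations do not collide.
        String serviceName = CredentialAttributesKt.generateServiceName(SUBSYSTEM, serverUrl);
        return new CredentialAttributes(serviceName, userName);
    }

    /** Persist the user-supplied PAT in PasswordSafe (OS keychain or KeePass, per IDE settings). */
    public static void savePat(@NotNull String serverUrl, @NotNull String userName, @NotNull String pat) {
        PasswordSafe.getInstance().set(attributesFor(serverUrl, userName), new Credentials(userName, pat));
    }

    /** Return the stored PAT, or null when the user has not provided one (caller falls back to the existing auth flow). */
    @Nullable
    public static String loadPat(@NotNull String serverUrl, @NotNull String userName) {
        Credentials credentials = PasswordSafe.getInstance().get(attributesFor(serverUrl, userName));
        return credentials == null ? null : credentials.getPasswordAsString();
    }

    /** Remove the PAT, e.g. when the user unchecks the "use my own PAT" setting. */
    public static void clearPat(@NotNull String serverUrl, @NotNull String userName) {
        PasswordSafe.getInstance().set(attributesFor(serverUrl, userName), null);
    }

    /** Azure DevOps accepts a PAT as HTTP Basic auth with an empty user name: base64(":" + PAT). */
    @NotNull
    public static String authorizationHeader(@NotNull String pat) {
        String encoded = Base64.getEncoder().encodeToString((":" + pat).getBytes(StandardCharsets.UTF_8));
        return "Basic " + encoded;
    }
}
```

The header value returned by authorizationHeader should be passed straight into the request and never written to the IDE log; PasswordSafe handles at-rest protection, so the plugin itself needs no encryption code, and clearPat lets the user revoke the plugin's copy without leaving the token behind in a config file.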

@jatin-code777

@connorjs Thanks for taking this, please do check this PR: #574
I believe there were testing concerns there. Perhaps we could have a "setting/checkbox" to enable requesting PATs with only the required scopes?
