Accessing the Azure DevOps REST API using oAuth

Updated: 2022-02-21 00:34:37

Typically you'd use the REST API using oAuth when you want your application to communicate with Azure DevOps API on behalf of the calling user without having to prompt for usernames and passwords each time. To do this, the user will need to authorize the application to communicate to the Azure DevOps API on their behalf.

The following page gives a good overview of this process.

At a high-level, you call the "authorize" endpoint and provide a callback. The callback must be a secure url (https) in your application:

https://app.vssps.visualstudio.com/oauth2/authorize
    ?client_id={app ID}
    &response_type=Assertion
    &state={state}
    &scope={scope}
    &redirect_uri={callback URL}

Assuming the user accepts the authorization, Azure DevOps redirects to your callback location with the authorization code in the URL.

https://fabrikam.azurewebsites.net/myapp/oauth-callback
    ?code={authorization code}
    &state={state}

Obtain an Access Token

Now that your application is authorized, you need to obtain an access token:

POST https://app.vssps.visualstudio.com/oauth2/token

The application/x-www-form-urlencoded form has the following body with the application secret when you created the application, the authorization code you just received when the user authorized your app, and the secure callback.

using System;
using System.Web;

// Builds the application/x-www-form-urlencoded body for POST /oauth2/token.
// Every value is URL-encoded, including the callback URL, so that characters
// such as ':' and '/' in redirect_uri cannot corrupt the form body.
public string GenerateRequestPostData(string appSecret, string authCode, string callbackUrl)
{
   return String.Format("client_assertion_type=urn:ietf:params:oauth:client-assertion-type:jwt-bearer&client_assertion={0}&grant_type=urn:ietf:params:oauth:grant-type:jwt-bearer&assertion={1}&redirect_uri={2}",
           HttpUtility.UrlEncode(appSecret),
           HttpUtility.UrlEncode(authCode),
           HttpUtility.UrlEncode(callbackUrl)
    );
}

The response will contain the access token in the JSON response.

{
   "access_token": { access token for the user },
   "token_type": { type of token },
   "expires_in": { time in seconds that the token remains valid },
   "refresh_token": { refresh token to use to acquire a new access token }
}

Note that the token isn't permanent and may need to be refreshed.

Lastly, now that you have a user-access token, you can include it in the Authorization header in your requests to the server.

GET https://dev.azure.com/myaccount/myproject/_apis/build-release/builds?api-version=3.0
Authorization: Bearer {access_token}

For example:

httpClient.DefaultRequestHeaders.Authorization =
   new AuthenticationHeaderValue("Bearer", "{access_token}");

If you're not using a dedicated application and you just want to query the API with credentials you control -- use a Personal Access Token, as it's a lot easier:

// The Basic scheme and the base64-encoded "username:PAT" value are separate constructor arguments.
httpClient.DefaultRequestHeaders.Authorization =
   new AuthenticationHeaderValue("Basic",
      Convert.ToBase64String(Encoding.ASCII.GetBytes($"{username}:{personalAccessToken}")));
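The flow described in this answer, worked end to end as an added example that is not part of the original answer or of Microsoft's code: it builds the authorize URL with a random `state`, refuses a callback that does not echo that state before the code is exchanged, builds the same token-request body as GenerateRequestPostData, and tracks `expires_in` so an expired token is refreshed rather than sent. The JSON token response is a constructed sample, and the actual HTTP calls are left to the caller.

```python
import json
import secrets
from urllib.parse import parse_qs, urlencode, urlparse

AUTHORIZE_URL = "https://app.vssps.visualstudio.com/oauth2/authorize"

# Constructed sample of the JSON the token endpoint returns (values are made up).
SAMPLE_TOKEN_RESPONSE = ('{"access_token": "at-constructed", "token_type": "jwt-bearer",'
                         ' "expires_in": "3599", "refresh_token": "rt-constructed"}')

def build_authorize_url(app_id, scope, callback_url, state=None):
    """Authorize URL with a random `state` nonce; the callback must be https."""
    if not callback_url.startswith("https://"):
        raise ValueError("redirect_uri must be an https URL")
    state = state or secrets.token_urlsafe(32)
    params = {"client_id": app_id, "response_type": "Assertion", "state": state,
              "scope": scope, "redirect_uri": callback_url}
    return f"{AUTHORIZE_URL}?{urlencode(params)}", state

def parse_callback(callback_request_url, expected_state):
    """Code from the redirect; reject a missing or non-matching state (forged callback)."""
    qs = parse_qs(urlparse(callback_request_url).query)
    if not secrets.compare_digest(qs.get("state", [""])[0], expected_state):
        raise ValueError("state mismatch: callback was not started by this session")
    return qs["code"][0]

def token_request_body(app_secret, auth_code, callback_url):
    """Body for POST /oauth2/token: the GenerateRequestPostData fields, all form-encoded."""
    return urlencode({
        "client_assertion_type": "urn:ietf:params:oauth:client-assertion-type:jwt-bearer",
        "client_assertion": app_secret,
        "grant_type": "urn:ietf:params:oauth:grant-type:jwt-bearer",
        "assertion": auth_code,
        "redirect_uri": callback_url,
    })

def parse_token_response(body, now):
    """Parse the token JSON; turn expires_in (seconds) into an absolute expiry time."""
    data = json.loads(body)
    return {"access_token": data["access_token"], "refresh_token": data["refresh_token"],
            "expires_at": now + int(data["expires_in"])}

def bearer_header(token, now, skew=60):
    """Authorization header; refuse an expired or nearly expired token so it gets refreshed."""
    if now + skew >= token["expires_at"]:
        raise RuntimeError("access token expired or about to expire; refresh it first")
    return {"Authorization": f"Bearer {token['access_token']}"}
```

Persist `state` server-side per session between the redirect to the authorize endpoint and the callback; the comparison is only meaningful if the stored value cannot be chosen by the browser.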