
Accessing the Azure DevOps REST API with OAuth

Updated: 2022-05-07 00:07:01

Typically you use the REST API with OAuth when you want your application to call the Azure DevOps API on behalf of the calling user without prompting for a username and password each time. To do this, the user must first authorize the application to communicate with the Azure DevOps API on their behalf; the application then holds a token scoped to that user rather than the user's credentials.

At a high level, you send the user to the "authorize" endpoint and provide a callback. The callback must be a secure URL (https) in your application, and it must match the callback registered for the app. The state value is an opaque, unguessable value your application generates for this login attempt and checks again when the callback arrives:

https://app.vssps.visualstudio.com/oauth2/authorize
    ?client_id={app ID}
    &response_type=Assertion
    &state={state}
    &scope={scope}
    &redirect_uri={callback URL}

Assuming the user accepts the authorization, Azure DevOps redirects to your callback location with the authorization code in the URL. Before using the code, confirm that the returned state is the one you issued for this session; a callback with a missing or unknown state should be rejected.

https://fabrikam.azurewebsites.net/myapp/oauth-callback
    ?code={authorization code}
    &state={state}

Obtain an Access Token

Now that your application is authorized, you need to exchange the authorization code for an access token:

POST https://app.vssps.visualstudio.com/oauth2/token

The request body is application/x-www-form-urlencoded and carries three values: the application secret issued when you registered the application (client_assertion), the authorization code you just received when the user authorized your app (assertion), and the same secure callback URL (redirect_uri). Each value must be URL-encoded. Keep the application secret on the server; it must never be sent to the browser.

using System;
using System.Web; // HttpUtility

// Builds the form body for POST /oauth2/token.
// appSecret  - the application secret from app registration (client_assertion)
// authCode   - the authorization code returned to the callback (assertion)
// callbackUrl - the registered https callback (redirect_uri); encoded as well,
//               since a raw URL contains characters that break form encoding
public string GenerateRequestPostData(string appSecret, string authCode, string callbackUrl)
{
   return String.Format("client_assertion_type=urn:ietf:params:oauth:client-assertion-type:jwt-bearer&client_assertion={0}&grant_type=urn:ietf:params:oauth:grant-type:jwt-bearer&assertion={1}&redirect_uri={2}",
           HttpUtility.UrlEncode(appSecret),
           HttpUtility.UrlEncode(authCode),
           HttpUtility.UrlEncode(callbackUrl)
    );
}

The response is a JSON document containing the access token:

{
   "access_token": { access token for the user },
   "token_type": { type of token },
   "expires_in": { time in seconds that the token remains valid },
   "refresh_token": { refresh token to use to acquire a new access token }
}

Note that the access token is not permanent: it is valid for expires_in seconds and must then be refreshed using the refresh token. Store the refresh token with the same care as a password, since anyone holding it can mint new access tokens for that user until it is revoked.

Lastly, now that you have a user access token, include it in the Authorization header of your requests to the server:

GET https://dev.azure.com/myaccount/myproject/_apis/build-release/builds?api-version=3.0
Authorization: Bearer {access_token}

For example:

httpClient.DefaultRequestHeaders.Authorization =
   new AuthenticationHeaderValue("Bearer", "{access_token}");
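The steps above, put together as one added example (this is not code from the original post): a small client that builds the authorize URL with a random state, checks the state on the callback, exchanges the code for a token, refreshes it, and calls the API with a Bearer header. The class and type names, the use of System.Text.Json and a .NET Core 3+/C# 8 runtime are this example's own assumptions; the refresh request reuses the token form with grant_type=refresh_token and the refresh token as the assertion, as the Azure DevOps OAuth documentation describes.

```csharp
// Added example: minimal Azure DevOps OAuth client (names/types are assumptions).
using System;
using System.Collections.Generic;
using System.Net.Http;
using System.Net.Http.Headers;
using System.Security.Cryptography;
using System.Text;
using System.Text.Json;
using System.Text.Json.Serialization;
using System.Threading.Tasks;

public sealed class TokenResponse
{
    [JsonPropertyName("access_token")]  public string AccessToken  { get; set; }
    [JsonPropertyName("token_type")]    public string TokenType    { get; set; }
    [JsonPropertyName("expires_in")]    public int    ExpiresIn    { get; set; }
    [JsonPropertyName("refresh_token")] public string RefreshToken { get; set; }
}

public sealed class AzureDevOpsOAuthClient
{
    const string AuthorizeUrl = "https://app.vssps.visualstudio.com/oauth2/authorize";
    const string TokenUrl     = "https://app.vssps.visualstudio.com/oauth2/token";

    readonly HttpClient _http = new HttpClient();
    readonly string _appId, _appSecret, _callbackUrl;

    public AzureDevOpsOAuthClient(string appId, string appSecret, string callbackUrl)
    {
        // The callback must be https and identical to the one registered for the app.
        if (!callbackUrl.StartsWith("https://", StringComparison.OrdinalIgnoreCase))
            throw new ArgumentException("callback must be an https URL", nameof(callbackUrl));
        _appId = appId; _appSecret = appSecret; _callbackUrl = callbackUrl;
    }

    // state: 256 bits from the CSPRNG, issued per login attempt and kept in the
    // user's server-side session so the callback can be tied back to it.
    public static string NewState()
    {
        var bytes = new byte[32];
        RandomNumberGenerator.Fill(bytes);
        return Convert.ToBase64String(bytes).TrimEnd('=').Replace('+', '-').Replace('/', '_');
    }

    public string BuildAuthorizeUrl(string state, string scope) =>
        AuthorizeUrl
        + "?client_id="     + Uri.EscapeDataString(_appId)
        + "&response_type=Assertion"
        + "&state="         + Uri.EscapeDataString(state)
        + "&scope="         + Uri.EscapeDataString(scope)
        + "&redirect_uri="  + Uri.EscapeDataString(_callbackUrl);

    // Called with the state saved in the session and the state from the callback URL.
    // Fixed-time comparison so the check itself leaks nothing about the expected value.
    public static bool StateMatches(string expected, string received)
    {
        if (expected is null || received is null) return false;
        var a = Encoding.UTF8.GetBytes(expected);
        var b = Encoding.UTF8.GetBytes(received);
        return a.Length == b.Length && CryptographicOperations.FixedTimeEquals(a, b);
    }

    // Step 2: authorization code -> access token + refresh token.
    public Task<TokenResponse> ExchangeCodeAsync(string authCode) =>
        PostTokenAsync("urn:ietf:params:oauth:grant-type:jwt-bearer", authCode);

    // Refresh: same form, grant_type=refresh_token, refresh token as the assertion.
    public Task<TokenResponse> RefreshAsync(string refreshToken) =>
        PostTokenAsync("refresh_token", refreshToken);

    async Task<TokenResponse> PostTokenAsync(string grantType, string assertion)
    {
        // FormUrlEncodedContent percent-encodes every value, redirect_uri included.
        var form = new FormUrlEncodedContent(new Dictionary<string, string>
        {
            ["client_assertion_type"] = "urn:ietf:params:oauth:client-assertion-type:jwt-bearer",
            ["client_assertion"]      = _appSecret,
            ["grant_type"]            = grantType,
            ["assertion"]             = assertion,
            ["redirect_uri"]          = _callbackUrl,
        });
        using var resp = await _http.PostAsync(TokenUrl, form);
        resp.EnsureSuccessStatusCode();
        var json = await resp.Content.ReadAsStringAsync();
        return JsonSerializer.Deserialize<TokenResponse>(json)
               ?? throw new InvalidOperationException("empty token response");
    }

    // Step 3: call the REST API with the user's access token as a Bearer header.
    public async Task<string> GetAsync(string url, string accessToken)
    {
        using var req = new HttpRequestMessage(HttpMethod.Get, url);
        req.Headers.Authorization = new AuthenticationHeaderValue("Bearer", accessToken);
        using var resp = await _http.SendAsync(req);
        resp.EnsureSuccessStatusCode();
        return await resp.Content.ReadAsStringAsync();
    }
}
```

In the login handler, call NewState(), save the value in the session, and redirect the browser to BuildAuthorizeUrl(state, scope). In the callback handler, reject the request unless StateMatches(sessionState, queryState) is true, then call ExchangeCodeAsync(code). Record DateTimeOffset.UtcNow plus ExpiresIn when you store the token and call RefreshAsync before that moment rather than waiting for a 401.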

If you're not building a dedicated application and just want to query the API with credentials you control, use a Personal Access Token instead, as it's a lot easier. A PAT is a credential in its own right: create it with only the scopes you need, give it an expiry, and keep it out of source control.

// The scheme and the parameter are separate constructor arguments; passing
// "Basic {...}" as a single string throws because a scheme cannot contain a space.
// For a PAT the username part of "username:PAT" may be left empty.
string personalAccessToken = "{PAT}";
httpClient.DefaultRequestHeaders.Authorization =
   new AuthenticationHeaderValue("Basic",
       Convert.ToBase64String(Encoding.ASCII.GetBytes($":{personalAccessToken}")));