Service endpoint authentication schemes

Azure DevOps Services | Azure DevOps Server 2020 | Azure DevOps Server 2019 | TFS 2018 - TFS 2017

For Azure DevOps and TFS to be able to connect to the external service, in addition to using the credentials, there's also need to know how to set the credentials in the HTTP request header when calling the external endpoint. Azure DevOps supports a closed set of authentication schemes that can be utilized by a custom service endpoint type. This set is closed so that Azure DevOps would be able to interpret the authentication scheme used in any custom endpoint & support connecting to the external service.

See the following authentication schemes that are part of the closed set.

Tip

Check out our newest documentation on extension development using the Azure DevOps Extension SDK.

Basic authentication

This scheme takes 2 inputs - Username & Password (confidential)

Default authentication header used is: "Basic {{ #base64 endpoint.username ":" endpoint.password }}"

{
    "id": "endpoint-auth-scheme-basic",
    "description": "Basic Authentication based endpoint authentication scheme",
    "type": "ms.vss-endpoint.service-endpoint-type",
    "targets": [
        "ms.vss-endpoint.endpoint-types"
    ],
    "properties": {
        "name": "UsernamePassword",
        "displayName": "i18n:Basic Authentication",
        "authenticationSchemes": [
            {
                "type": "ms.vss-endpoint.endpoint-auth-scheme-basic",
                "headers": [
                    {
                        "name": "Authorization",
                        "value": "Basic {{ #base64 endpoint.username \":\" endpoint.password }}"
                    }
                ],
                "inputDescriptors": [
                    {
                        "id": "username",
                        "name": "i18n:Username",
                        "description": "i18n:Username for connecting to the endpoint",
                        "inputMode": "textbox",
                        "isConfidential": false,
                        "validation": {
                            "isRequired": true,
                            "dataType": "string",
                             "maxLength": 300
                        }
                    },
                    {   
                        "id": "password",
                        "name": "i18n:Password",
                        "description": "i18n:Password for connecting to the endpoint",
                        "inputMode": "passwordbox",
                        "isConfidential": true,
                        "validation": {
                            "isRequired": true,
                            "dataType": "string",
                            "maxLength": 300
                        }
                    }
                ]
            }
        ]
    }
}

Token based authentication

This scheme takes 1 input - API Token (confidential)

Default authentication header used is: {{endpoint.apitoken}}

{
    "id": "endpoint-auth-scheme-token",
    "description": "i18n:Token based endpoint authentication scheme",
    "type": "ms.vss-endpoint.service-endpoint-type",
    "targets": [
        "ms.vss-endpoint.endpoint-types"
    ],
    "properties": {
        "name": "Token",
        "displayName": "i18n:Token Based Authentication",
        "authenticationSchemes": [
            {
                "type": "ms.vss-endpoint.endpoint-auth-scheme-token",
                "headers": [
                    {
                        "name": "Authorization",
                        "value": "{{endpoint.apitoken}}"
                    }
                ],
                "inputDescriptors": [
                    {
                        "id": "apitoken",
                        "name": "i18n:API Token",
                        "description": "i18n:API Token for connection to endpoint",
                        "inputMode": "textbox",
                        "isConfidential": true,
                        "validation": {
                            "isRequired": true,
                            "dataType": "string",
                            "maxLength": 300
                        }
                    }
                ]
            }
        ]
    }
}

Certificate based authentication

This scheme takes 1 input - Certificate (confidential)

The value of certificate has to be provided in the text area.

{
    "id": "endpoint-auth-scheme-cert",
    "description": "i18n:Creates a certificate-based endpoint authentication scheme",
    "type": "ms.vss-endpoint.service-endpoint-type",
    "targets": [
        "ms.vss-endpoint.endpoint-types"
    ],
    "properties": {
        "name": "Certificate",
        "displayName": "i18n:Certificate Based",
        "authenticationSchemes": [
            {
                "type": "ms.vss-endpoint.endpoint-auth-scheme-cert",
                "inputDescriptors": [
                    {
                        "id": "certificate",
                        "name": "i18n:Certificate",
                        "description": "Content of the certificate",
                        "inputMode": "TextArea",
                        "isConfidential": true,
                        "validation": {
                            "isRequired": true,
                            "dataType": "string"
                        }
                    }
                ]
            }
        ]
    }
}

No authentication

This scheme is used when an endpoint type doesn't require to take any input. For e.g. external services that support anonymous access to its resources.

{
    "id": "endpoint-auth-scheme-none",
    "description": "i18n:Creates an endpoint authentication scheme with no authentication.",
    "type": "ms.vss-endpoint.service-endpoint-auth-scheme-none",
    "targets": [
        "ms.vss-endpoint.endpoint-auth-schemes"
    ],
    "properties": {
        "name": "None",
        "displayName": "i18n:No Authentication"
    }
}