
Private Azure Artifacts - Dependabot::PrivateSourceAuthenticationFailure #3555

Closed
themightyjohn opened this issue Apr 25, 2021 · 8 comments
Labels
F: private-registries 💂‍♂️ Issues about using private registries with Dependabot; may be paired with an R: label. L: dotnet:nuget NuGet packages via nuget or dotnet T: bug 🐞 Something isn't working Workaround 🔁 Workaround for an upstream bug or unsupported feature

Comments

themightyjohn commented Apr 25, 2021

When using privately hosted nuget packages stored in Azure Artifacts you receive a 401 Dependabot::PrivateSourceAuthenticationFailure.

I am using an Azure Pipeline yaml with private Nugets hosted in Azure Artifacts and the tinglesoftware/dependabot-azure-devops which uses both the dependabot-script and dependabot-core libraries.

Basically there is an IF statement where it switches between Bearer and Basic auth depending if it finds a ":" character in the token string (when you have username and password auth). Azure Artifacts uses a single token for just the user (no password required as its a PAT token) and requires "Basic" authentication, but the IF statement forces it to use "Bearer" method.

require "base64"

def auth_header_for_token(token)
  return {} unless token

  if token.include?(":")
    encoded_token = Base64.encode64(token).delete("\n")
    { "Authorization" => "Basic #{encoded_token}" }
  elsif Base64.decode64(token).ascii_only? &&
        Base64.decode64(token).include?(":")
    { "Authorization" => "Basic #{token.delete("\n")}" }
  else
    { "Authorization" => "Bearer #{token}" }
  end
end
The problem you face here in the dependabot-core library is that the PAT token and "Bearer" auth works fine for dev.azure.com (used for Azure DevOps/GIT api stuff) but for pkgs.dev.azure.com (Nugets, etc) I believe you need to use "Basic" auth.

In the tinglesoftware/dependabot-azure-devops repo you can specify extra credentials for other feeds (which I'm not sure you can do directly here?) and to work around the issue you can add a ":" to the end of the pat token which forces it down the "Basic" auth route. See my comment here:

Not sure if this belongs in dependabot-core, dependabot-script or somewhere else, and I'm not a Ruby / Dependabot dev, so I'm not sure I'm best placed to provide an actual solution, but I imagine with the Dependabot->GitHub->Microsoft connection this could be a nice win if it gets fixed!

Hope this helps!
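To make the routing described above concrete, here is an added example (not dependabot-core's own file, and not posted by anyone in this thread) that reproduces the quoted heuristic and runs the different ways a PAT can be supplied through it. `SAMPLE_PAT` is a constructed placeholder, not a real credential, and `header_for_username_password` encodes the assumption that a registry entry with separate `username:` and `password:` fields is joined as `username:password` before the heuristic sees it.

```ruby
require "base64"

# Added example (not dependabot-core's own file): the header-selection
# heuristic quoted in the issue, reproduced so its branches can be run offline.
def auth_header_for_token(token)
  return {} unless token

  if token.include?(":")
    # Looks like "user:secret": Dependabot base64-encodes it and sends Basic.
    encoded_token = Base64.encode64(token).delete("\n")
    { "Authorization" => "Basic #{encoded_token}" }
  elsif Base64.decode64(token).ascii_only? && Base64.decode64(token).include?(":")
    # Already base64("user:secret"): sent as Basic without re-encoding.
    { "Authorization" => "Basic #{token.delete("\n")}" }
  else
    # Anything else is treated as an opaque Bearer token.
    { "Authorization" => "Bearer #{token}" }
  end
end

# Assumption for this example: a registry entry with `username:` and
# `password:` is joined as "username:password" before reaching the heuristic,
# which is why a username/password config lands in the Basic branch.
def header_for_username_password(username, password)
  auth_header_for_token("#{username}:#{password}")
end

# "Basic" or "Bearer" from a header hash, "" when no header was produced.
def scheme_of(header)
  header.fetch("Authorization", "").split(" ", 2).first.to_s
end

# The user:password pair the server sees after decoding a Basic header.
def decoded_basic_credential(header)
  value = header.fetch("Authorization")
  raise ArgumentError, "not a Basic header" unless value.start_with?("Basic ")
  Base64.decode64(value.delete_prefix("Basic "))
end

# Constructed sample PAT (not a real credential). Like a real Azure DevOps PAT
# it contains no ":"; its base64-decoding contains non-ASCII bytes, so it
# falls through to the Bearer branch exactly as the issue describes.
SAMPLE_PAT = "pat" + ("0" * 49)

# Each way a PAT might be supplied, and which scheme the heuristic picks.
def classify_cases
  {
    bare_pat:       scheme_of(auth_header_for_token(SAMPLE_PAT)),
    pat_with_colon: scheme_of(auth_header_for_token("#{SAMPLE_PAT}:")),
    user_and_pat:   scheme_of(header_for_username_password("myorg", SAMPLE_PAT)),
    pre_encoded:    scheme_of(auth_header_for_token(Base64.strict_encode64(":#{SAMPLE_PAT}")))
  }
end

if __FILE__ == $PROGRAM_NAME
  classify_cases.each { |name, scheme| puts "#{name}: #{scheme}" }
  # Where the PAT ends up in the Basic credential for the two workarounds.
  puts decoded_basic_credential(auth_header_for_token("#{SAMPLE_PAT}:")).inspect
  puts decoded_basic_credential(header_for_username_password("myorg", SAMPLE_PAT)).inspect
end
```

Running it shows the bare PAT going out as `Bearer`, while the trailing-colon trick, the username/password form and a pre-encoded `base64(":PAT")` all produce `Basic`. Decoding the two workarounds also shows where the PAT lands: `PAT:` puts it in the username slot with an empty password, and `username:PAT` puts it in the password slot. The thread reports Azure Artifacts accepting both; the example only shows what each config sends, not why the server accepts it.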

huserben commented Apr 25, 2021

To add to what @themightyjohn described, I believe it's a general problem with Azure Artifacts and authentication using a Personal Access Token.
On top of the nuget feed we're also using an npm feed hosted on Azure Artifacts, and the same behaviour can be observed. Once we add a ":" at the end it works fine.

I think the line in question would be:

My guess is that it probably behaves the same for Maven/pip when we use Azure Artifacts to host (but I can't confirm as we're not using it).

Also I'm not sure if this is worth changing somehow (or if it's even possible in a smart way) - once one is aware of the problem it's easy to deal with.

@themightyjohn themightyjohn changed the title Private Azure Artifacts Nugets - Dependabot::PrivateSourceAuthenticationFailure Private Azure Artifacts - Dependabot::PrivateSourceAuthenticationFailure Apr 26, 2021
@vidarkongsli

I can confirm that the same problem exists with Maven:

The following source could not be reached as it requires authentication (and any provided details were invalid or lacked the required permissions): https://pkgs.dev.azure.com/organizationname/projectid/_packaging/feedname/maven/v1 (Dependabot::PrivateSourceAuthenticationFailure)

mick-feller commented Dec 21, 2021

To add to what @themightyjohn described, I believe it's a general problem with Azure Artifacts and authentication using a Personal Access Token. On top of the nuget feed we're also using an npm feed hosted on Azure Artifacts, and the same behaviour can be observed. Once we add a ":" at the end it works fine.

I think the line in question would be 312 in latest_version_finder.rb

My guess is that it probably behaves the same for Maven/pip when we use Azure Artifacts to host (but I can't confirm as we're not using it).

Also I'm not sure if this is worth changing somehow (or if it's even possible in a smart way) - once one is aware of the problem it's easy to deal with.

How did you ever connect to NPM in Azure Artifacts with the dependabot in github?

I've added this:

registries:
  npm-azure:
    type: npm-registry
    url: https://pkgs.dev.azure.com/<feed>/_packaging/<feed>/npm/registry/
    token: ${{secrets.AZURE_SECRET}}:

And tried a ton of different combinations, but I can't get it to work. Do I use the token straight after creating it in Azure, or do I follow step 3 and base64 encode it before adding it to the Dependabot secret? I tried everything, but I cannot get it to work.

dhensby commented Jan 13, 2022

Just to add my experience here, I managed to get integration with Azure Artifacts working with npm using the following config:

# To get started with Dependabot version updates, you'll need to specify which
# package ecosystems to update and where the package manifests are located.
# Please see the documentation for all configuration options:
# https://help.github.com/github/administering-a-repository/configuration-options-for-dependency-updates

version: 2
updates:
  - package-ecosystem: "npm" # See documentation for possible values
    directory: "/" # Location of package manifests
    registries:
      - npm-devops
    schedule:
      interval: "daily"
registries:
  npm-devops:
    type: npm-registry
    url: https://pkgs.dev.azure.com/<org>/<id>/_packaging/<feed-name>/npm/registry/
    username: <org>
    password: ${{secrets.DEVOPS_PAT}} # this is the non-base64 encoded PAT

Where the "connect to feed" instructions in DevOps show this as what goes into .npmrc

registry=https://pkgs.dev.azure.com/<org>/<id>/_packaging/<feed-name>/npm/registry/
always-auth=true

This works for me and I get dependabot PRs for the private dependencies.

joshjohanning commented Mar 9, 2022

How did you ever connect to NPM in Azure Artifacts with the dependabot in github?

I've added this:

registries:
  npm-azure:
    type: npm-registry
    url: https://pkgs.dev.azure.com/<feed>/_packaging/<feed>/npm/registry/
    token: ${{secrets.AZURE_SECRET}}:

And tried a ton of different combinations, but I can't get it to work. Do I use the token straight after creating it in Azure, or do I follow step 3 and base64 encode it before adding it to the Dependabot secret? I tried everything, but I cannot get it to work.

You might need to use quotes around the token value, since the : is otherwise trying to create a YAML map.

ie:

token: '${{secrets.AZURE_SECRET}}:'

But I agree with @dhensby, just use username and password.

@jeffwidman jeffwidman added L: dotnet:nuget NuGet packages via nuget or dotnet F: private-registries 💂‍♂️ Issues about using private registries with Dependabot; may be paired with an R: label. labels Sep 14, 2022
jeffwidman (Member) commented Feb 2, 2023

I looked at this some more, and I don't honestly see a clean way we can figure this out here in Dependabot. The idiomatic thing when given a token is to assume Bearer Auth so that's what we do unless we see that : indicating it's likely a username/password combo and to fallback to basic auth.

This is generic token processing code used not only for Azure, but also other repository hosts, and yet Azure Artifacts seems to be the only host we're getting complaints about them providing a PAT but then not supporting Bearer Auth.

@joshjohanning very nicely fixed up the Dependabot docs in github/docs#20617 to demonstrate how to force Basic Auth by using username/password rather than token.

Ideally this gets fixed upstream in Azure for them to support Bearer auth for PATs, so I'm going to reach out to them to get this on their radar.

Beyond that, I don't think there's anything further we can do here in Dependabot, so I'm going to close this as "wontfix" since it's an upstream issue.

Thanks again to everyone who chimed in with workarounds.

dhensby commented Apr 21, 2023

Just to point out that I don't think this is a bug at all anyway. Azure DevOps is calling application passwords "tokens", so that throws people off thinking they would use it as an npm token, but when used as a password (which it is) it then works because their npm implementation doesn't support token-based auth.

@RangerChris

For people like me who find this in an attempt to make it work: it works, try something like this

version: 2
registries:
  my-nuget-feed:
    type: nuget-feed
    url: https://myorg.pkgs.visualstudio.com/_packaging/Main/nuget/v3/index.json
    token: PAT:<paste.token-here>

The other very important thing: when you create the token in Azure DevOps, give full access. I know it's bad practice, but feel free to post what permissions you set to make it work. Right now I just needed it as a proof of concept.
