Paket: Use of private VSTS Feed with a Azure AD

Created on 31 Jan 2018  Â·  11Comments  Â·  Source: fsprojects/Paket

Description

We have visual studio solutions that we want to migrate to VSTS.
These solutions use paket instead of nuget, and it work well today in our environment.

When we use paket inside a VSTS Build, paket do restore only packages from nuget.org.
But, these that come from a private VSTS nuget Feed are not resolved.

If I call paket restore from my dev machine, I have the same problem : only nuget are restored.
The attached file show the log in verbose mode for paket restore
paket-error.txt
(I have replace the real vsts name by xxxxx)

For information, this is a corporate VSTS, that need a CredentialProvider.VSS.exe when a nuget.exe (that works well).

Repro steps

paket restore on a VSTS private feed, which need a nuget credential provider (if used)

Known workarounds

no workarround for the moment

bug credentials

Most helpful comment

I got it !!!
Solution (from the handyman :) ) :

  1. Call the Microsoft Tool that come with our nuget.exe (downloaded from VSTS account) with my creds.
    CredentialProvider.VSS.exe with -Url https://xxxxxxxx.pkgs.visualstudio.com/_packaging/G2DevTeam/nuget/v3/index.json

The return is a json that contains a username and a >800 char's password (temporary??)

  1. Call paket config url with the provided username and password

  2. Call restore

And it works !

So, I'm gonna develop a tool that will do the job before the call of paket...

Is it possible to add the support of that kind of Credential Provider directly in paket ?

All 11 comments

Complement : I have use Fiddler to watch the calls, and we can see that paket use the v2 api (instead of the v3 provided), and a lot of 401 Httpcode when calling
GET /_packaging/G2DevTeam/nuget/v2/Packages(Id='OneOfOutPackage',Version='2.0.0.4091') HTTP/1.1

I think @isaacabraham uses it with vsts. It's definitely working. Can you
please show the source url that you are using? Maybe you use wrong url

Am 31.01.2018 18:00 schrieb "Benjamin DV" notifications@github.com:

Complement : I have use Fiddler to watch the calls, and we can see that
paket use the v2 api (instead of the v3 provided), and a lot of 401
Httpcode when calling
GET /_packaging/G2DevTeam/nuget/v2/Packages(Id='
OneOfOutPackage',Version='2.0.0.4091') HTTP/1.1

—
You are receiving this because you are subscribed to this thread.
Reply to this email directly, view it on GitHub
https://github.com/fsprojects/Paket/issues/3021#issuecomment-361998733,
or mute the thread
https://github.com/notifications/unsubscribe-auth/AADgNGDhybdiWuH11EMO5bKc2SrXhDIdks5tQJw5gaJpZM4R0TjW
.

Thanks for your answer,
Here is the url https://xxxxxxxx.pkgs.visualstudio.com/_packaging/G2DevTeam/nuget/v3/index.json

Remember that it is an enterprise vsts managed by an azure ad , and need a credential provider, provided by ms.

What do you mean by "corporate" VSTS? VSTS as I know it is a software service provided by MS.

MS allows entreprise to use an Active Directory on Azure linked to the VSTS, so that, we can have a full SSO env. In that kind of hybrid cloud, MS provide a solution to authenticate the users on VSTS, because, we authenticate with AD credentials.
This solution is given with nuget.exe as a credential provider.
https://docs.microsoft.com/fr-fr/nuget/reference/extensibility/nuget-credential-providers-for-visual-studio

So, to call the nuget private feed, the client app must be authenticated withit.
I think, this is why all paket calls raise http401 in fiddler

We have VSTS backed by our AD as well - I'm not sure that this is anything to do with the issue per se, but rather (as you're saying) the interaction between that and your private feed - essentially you need to pass through or impersonate your identity when running Paket, I think.

Thanks for your advise, gonna search in that direction,

In addition, in your case, when you login into VSTS, do you need to first fill login field with an email (that do not exists), to be redirected to your company windows authentication ?

I got it !!!
Solution (from the handyman :) ) :

  1. Call the Microsoft Tool that come with our nuget.exe (downloaded from VSTS account) with my creds.
    CredentialProvider.VSS.exe with -Url https://xxxxxxxx.pkgs.visualstudio.com/_packaging/G2DevTeam/nuget/v3/index.json

The return is a json that contains a username and a >800 char's password (temporary??)

  1. Call paket config url with the provided username and password

  2. Call restore

And it works !

So, I'm gonna develop a tool that will do the job before the call of paket...

Is it possible to add the support of that kind of Credential Provider directly in paket ?

Yes I think it would make sense to support credential providers the same way as nuget

@benjamin-devuyst, hello. I've tried my self and credentials manager does the trick (on the dev machine).

But I'm having problems with _PaketRestore_ task in Azure Pipelines.

I've also tried adding username:password@ to package source but paket cannot to authenticate. (The password is a Personal Access Token).

Do you know the correct way to do that?

Was this page helpful?
0 / 5 - 0 ratings

Related issues

Katulus picture Katulus  Â·  8Comments

haf picture haf  Â·  7Comments

palutz picture palutz  Â·  6Comments

matthid picture matthid  Â·  6Comments

enricosada picture enricosada  Â·  4Comments