Configuring OAuth 2.0 for Microsoft Azure DevOps Services

To enable users to work with a remote Git repository that is hosted on Microsoft Azure Repos:

Set up the Microsoft Azure DevOps Services OAuth App (OAuth 2.0).
Apply the Microsoft Azure DevOps Services OAuth App Secret.

Setting up the Microsoft Azure DevOps Services OAuth App

Set up a Microsoft Azure DevOps Services OAuth App using OAuth 2.0.

Prerequisites

You are logged in to Microsoft Azure DevOps Services.

Third-party application access via OAuth is enabled for your organization. See Change application connection & security policies for your organization.
base64 is installed in the operating system you are using.

Procedure

Visit https://app.vsaex.visualstudio.com/app/register/.
Enter the following values:
1. Company name: Che
2. Application name: Che
3. Application website: https://<che_fqdn>/
4. Authorization callback URL: https://<che_fqdn>/api/oauth/callback
In Select Authorized scopes, select Code (read and write).
Click Create application.
Copy the App ID and encode it to Base64 for use when applying the Microsoft Azure DevOps Services OAuth App Secret:
```
$ echo -n '<microsoft_azure_devops_services_oauth_app_id>' | base64
```
Click Show to display the Client Secret.
Copy the Client Secret and encode it to Base64 for use when applying the Microsoft Azure DevOps Services OAuth App Secret:
```
$ echo -n '<microsoft_azure_devops_services_oauth_client_secret>' | base64 -w 0
```

Additional resources

Applying the Microsoft Azure DevOps Services OAuth App Secret

Prepare and apply the Microsoft Azure DevOps Services Secret.

Prerequisites

Setting up the Microsoft Azure DevOps Services OAuth App is completed.
The Base64-encoded values, which were generated when setting up the Microsoft Azure DevOps Services OAuth App, are prepared:
- App ID
- Client Secret
An active kubectl session with administrative permissions to the destination Kubernetes cluster. See Overview of kubectl.

Procedure

Prepare the Secret:

kind: Secret
apiVersion: v1
metadata:
  name: azure-devops-oauth-config
  namespace: eclipse-che(1)
  labels:
    app.kubernetes.io/part-of: che.eclipse.org
    app.kubernetes.io/component: oauth-scm-configuration
  annotations:
    che.eclipse.org/oauth-scm-server: azure-devops
type: Opaque
data:
  id: <Base64_Microsoft_Azure_DevOps_Services_OAuth_App_ID>(2)
  secret: <Base64_Microsoft_Azure_DevOps_Services_OAuth_Client_Secret>(3)

1	The Che namespace. The default is `eclipse-che`.
2	The Base64-encoded Microsoft Azure DevOps Services OAuth App ID.
3	The Base64-encoded Microsoft Azure DevOps Services OAuth Client Secret.

Apply the Secret:

$ kubectl apply -f - <<EOF
<Secret_prepared_in_the_previous_step>
EOF

Verify in the output that the Secret is created.
Wait for the rollout of the Che server components to be completed.