azrepos: fall back to OAuth when org DisablePatCreationPolicyViolation policy is set #2346
Open
p00j4 wants to merge 1 commit into
When an Azure DevOps organization has disabled PAT creation via the DisablePatCreationPolicyViolation policy, GCM previously surfaced a raw fatal error with no guidance. This change catches that specific error, falls back to OAuth for the current invocation, and prints a clear warning with the exact git config command needed to make OAuth permanent. A `_forcedOAuth` instance flag ensures that StoreCredentialAsync and EraseCredentialAsync use the OAuth path consistently within the same process, working around the Settings cache which is populated once per invocation.
Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>
mr-otmarg reviewed May 19, 2026
| return new GetCredentialResult(credential); | ||
| } | ||
| else |
When removing this else you should clean up curly braces also or just leave the else.
Problem
When an Azure DevOps organization disables PAT creation via policy, GCM surfaces a raw fatal error with no recovery path:
The user has no indication what to do. The documented fix (`git config --global credential.azreposCredentialType oauth`) is buried in docs.
The reason is, after installing the Extension and trying to clone a repo, it ends up creating the PAT with "package" only permissions because the org's default PAT creation policy has been disabled. And it's not there in the default allowed list (AZDO PAT Allowlist - CORP Tenant - SERVICE ACCOUNTS ONLY)
Fix/WorkAround
In `AzureReposHostProvider.GetCredentialAsync`, wrap PAT creation in a `catch` that recognizes the `DisablePatCreationPolicyViolation` error and:
`git config` command to make it permanent
A `_forcedOAuth` instance flag propagates the fallback to `StoreCredentialAsync` and `EraseCredentialAsync` within the same process (necessary because `Settings` caches git config entries on first read and won't pick up a disk write mid-invocation).
Deliberately not done: auto-writing `credential.azreposCredentialType = oauth` to global git config — that setting affects all Azure DevOps orgs, not just the one with the policy, which would be too broad.
User experience after this change
The clone then succeeds via OAuth without any user action needed for that invocation.
Test plan
`DisablePatCreationPolicyViolation` policy — should fall back to OAuth and print the hint
`git config` command, subsequent clones go directly to OAuth (no policy call at all)
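The fallback described in this pull request, as an added C# sketch that is not the PR's diff or GCM's own code. `SketchProvider`, its delegates, `StorePath` and the match on the policy name in the exception message are hypothetical stand-ins, and the error text and token are constructed.

```csharp
using System;
using System.Collections.Generic;

// Hypothetical stand-in for the provider; not GCM's AzureReposHostProvider.
class SketchProvider
{
    private readonly IReadOnlyDictionary<string, string> _cachedConfig; // snapshot read once per invocation
    private readonly Func<string> _createPat;      // stand-in for the PAT-creation call
    private readonly Func<string> _getOAuthToken;  // stand-in for the OAuth flow
    private bool _forcedOAuth;                     // set when org policy forced the fallback

    public SketchProvider(IReadOnlyDictionary<string, string> cachedConfig,
                          Func<string> createPat, Func<string> getOAuthToken)
        => (_cachedConfig, _createPat, _getOAuthToken) = (cachedConfig, createPat, getOAuthToken);

    // The cached snapshot cannot change mid-process, so the flag is consulted first.
    private bool UseOAuth =>
        _forcedOAuth ||
        (_cachedConfig.TryGetValue("credential.azreposCredentialType", out var type) &&
         string.Equals(type, "oauth", StringComparison.OrdinalIgnoreCase));

    public (string Kind, string Secret) GetCredential()
    {
        if (!UseOAuth)
        {
            try { return ("pat", _createPat()); }
            // Assumption: the policy error is recognised by its name in the message.
            catch (Exception ex) when (ex.Message.Contains("DisablePatCreationPolicyViolation"))
            {
                _forcedOAuth = true; // this invocation only; global git config is not written
                Console.Error.WriteLine("warning: PAT creation is disabled by organization policy; using OAuth.");
                Console.Error.WriteLine("hint: git config --global credential.azreposCredentialType oauth");
            }
        }
        return ("oauth", _getOAuthToken());
    }

    // Store (and, likewise, erase) must take the same path that GetCredential used.
    public string StorePath() => UseOAuth ? "oauth" : "pat";
}
static class Program
{
    static void Main()
    {
        var config = new Dictionary<string, string>(); // constructed: credential type not configured
        var provider = new SketchProvider(config,
            () => throw new InvalidOperationException("DisablePatCreationPolicyViolation (constructed error text)"),
            () => "constructed-oauth-token");
        Console.WriteLine($"{provider.GetCredential().Kind} {provider.StorePath()}");
    }
}
```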