berry: [Bug] Azure artifacts authentication
Describe the issue
Really not sure this is a bug; more like a support question. I am having trouble getting my Azure DevOps Artifacts npm registry working with berry. It works fine in v1, using the token from .npmrc, which is generated by Azure DevOps.
The “<server>:_password” field in the .npmrc is a base64 encoded Personal Access Token generated in Azure DevOps, and according to their documentation, the “:username” and “:email” field mean nothing. Documentation is found here
I have tried generating the auth token through their Artifact “Connect to feed” process, which generates the token for your .npmrc like this
; Treat this auth token like a password. Do not share it with anyone, including Microsoft support. This token expires on or before 10/10/2019.
; begin auth token
//pkgs.dev.azure.com/<organization>/_packaging/<artifact feed>/npm/registry/:username=<username removed. It was the name of my organization or feed... they are the same>
//pkgs.dev.azure.com/<organization>/_packaging/<artifact feed>/npm/registry/:_password=<password removed>
//pkgs.dev.azure.com/<organization>/_packaging/<artifact feed>/npm/registry/:email=npm requires email to be set but doesn't use the value
//pkgs.dev.azure.com/<organization>/_packaging/<artifact feed>/npm/:username=<username removed>
//pkgs.dev.azure.com/<organization>/_packaging/<artifact feed>/npm/:_password=<password removed>
//pkgs.dev.azure.com/<organization>/_packaging/<artifact feed>/npm/:email=npm requires email to be set but doesn't use the value
; end auth token
I also tried generating my own PAT, and base64 encoding it, for use in that “_password” field.
I used that “_password” field as the npmAuthToken
in my .yarnrc.yml, I’ve tried using it in the npmAuthIdent
in combination with the username from above, as <username>:<token>
. I’ve tried combining the <username>:<token>
into a base64 encoded string and including that in the npmAuthToken
. None of these work. I always get (401) Unauthorized
.
To Reproduce
You would need a module published in an Azure DevOps Artifacts registry.
My .yarnrc.yml is below, with the sensitive information redacted.
npmRegistries:
//pkgs.dev.azure.com/<organization>/_packaging/<azurefeed>/npm/registry:
npmAlwaysAuth: true
npmAuthToken: "<_password field from above>"
//pkgs.dev.azure.com/<organization>/_packaging/<azurefeed>/npm:
npmAlwaysAuth: true
npmAuthToken: "<_password field from above>"
npmScopes:
<org>:
npmRegistryServer: https://pkgs.dev.azure.com/<organization>/_packaging/<azurefeed>/npm/registry
Environment if relevant (please complete the following information):
- OS: Linux
- Node version: v12.6.0
- Yarn version: v2.0.0
About this issue
- Original URL
- State: closed
- Created 5 years ago
- Reactions: 2
- Comments: 20 (12 by maintainers)
For future readers - tldr: To connect to Azure Artifacts:
your-pat
is probably encoded as base64 in your~/.npmrc
file. You’ll need to decode it first. before re-encoding the key.To clarify this even more:
But in step 3.2, type:
Then your
.yarnrc.yml
should look like this (replace<...>
with your values):After you have this setup,
yarn npm info @scope/@mypackage
should work!I’ve tested this with yarn berry/v3.
Problem still exists, lacks of solution. Are we able to provide more details, any kind of yarnrc.yml as example?
for us the base64 encoding did not work, but having the <org>:<pat> in plain form in the npmAuthIdent did
I put a
console.log
in there, but it only reported anything during the resolution stage, and those are successful (return code 200). Then it fails during the fetch stage with the 400 error(Authentication information is not given in the correct format. Check the value of Authorization header.)
, and theconsole.log
doesn’t get hit at all. This is on my Windows machine at work.I will try this again on my Linux box tonight to get some logs for that
401 (Unauthorized)
error.I realized what I’ve been doing wrong with
npmAuthIdent
after replicating the process withcurl
.curl
, by default, base64 encodes the string that you pass to the-u
option. That made me realize that I’ve been encoding the fieldnpmAuthIdent
wrong this entire time. I have been encoding the PAT, but leaving the rest likeusername:<encoded PAT>
, which looking at now makes no sense. I had also tried encoding the entire string, but only after I had already encoded the PAT… 🙄So, after encoding
<username>:<raw PAT>
as base64, and putting that in thenpmAuthIdent
, I successfully authenticate with the server. So now I don’t need thenpmAuthToken
(which would be too complicated to get for use on my Linux box). However, I am still getting the400 (Authentication information is not given in the correct format. Check the value of Authorization header.)
error. I do think it is expecting an email field, even if it doesn’t mean anything.Here’s what I got from curl…
Where does an npm server usually expect to see the email address in the request? I can run that through curl, and if I am able to retrieve the tarball, we know that’s the problem.
THANK YOU @darthtrevino ! This just worked for me using github registry as well. Finally!
In case anyone else has a similar setup to me, we run all modules through our azure registry, so our shared .yarnrc.yml looked like this:
And then each dev can have their own $AZURE_ARTIFACTS_TOKEN in their PATH, and it’s easy to set the env var in a build