Azure DevOps Git Authentication With PAT on Linux
With Microsoft’s new direction of cross-platform tools and technologies such as Visual Studio Code and .NET Core, I’ve found myself developing on Linux (Ubuntu in particular) more and more, both at home and at Costa (other coffee shops are available)!
I use Azure DevOps Server (previously Team Foundation Server/TFS) for source control and continuous integration/continuous deployment and have been a big fan of Git for a long time! I’ve always found Git easier to work with over SSH on Linux as opposed to HTTPS due to certificate issues (self-signed and/or private Certificate Authority). However, working both inside and outside of the network is a lot easier using a proxy server as opposed to opening known ports, so, as with most things, the inconvenience became annoying enough for me to want to sort it out.
One of the biggest annoyances I found with switching from SSH to HTTPS with Azure DevOps was the authentication, or more accurately the lack of documentation Microsoft have on authenticating to Azure DevOps Git over HTTPS.
Spoiler Alert: It is actually possible to Authenticate over HTTPS, clearly the documentation department just assumed SSH was fine!
In order to authenticate with Azure DevOps Git you need to configure Git to send a custom HTTP header. This is done as follows:
- Generate yourself a PAT (Personal Access Token) (See Reference 1)
- Base64 encode the PAT login details to be sent in the HTTP headers:
  - Format: <Username>:<PAT>, where <Username> can be anything as it’s ignored, including nothing at all. Note: Replace the whole token including the < >
  - CLI command to get the Base64 format (note: no username is being passed in my instance):
    echo -n ":<PAT>" | openssl base64 | tr -d '\n'
- Copy the Base64 value from the above step
- Edit your Git configuration:
    git config --global --edit
- Enter the following:
    [http "<Server Base Url>"]
        extraHeader = "Authorization: Basic <Base64 value from above>"
- Save your new configuration
- Now when you use git commands you will NOT be prompted to authenticate, similar to the experience you would expect when using SSH keys.
Security Warning: The above steps configure Git at the global level for an entire server. I’m opting for global as I have a number of repositories on Azure DevOps and I don’t want to configure them all individually, but if you are following this guide for a shared service I would recommend doing this at the repository level, using the FULL repository URL instead of the server’s Base Url above, to ensure your PAT never gets sent to a repository you don’t trust.
Note: The maximum lifetime for Azure DevOps PAT tokens is 90 days; therefore you will need to edit the configuration every 90 days. Annoying, but good for security reasons.
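The repository-level setup recommended in the security warning, as an added example that is not part of the original post. The function names and the sample URL are hypothetical, and coreutils `base64` stands in for the post's `openssl base64`. The PAT is read from stdin so that it does not end up in shell history, and the header is refused for anything other than an `https://` URL with a path below the host.

```bash
#!/usr/bin/env bash
# Added example (not from the original post); function names are hypothetical.

# Print the Basic auth header for a PAT read from stdin, with an empty
# username as in the post. Reading stdin keeps the PAT out of shell history.
pat_basic_header() {
    local pat
    IFS= read -r pat || true          # tolerate input without a trailing newline
    [ -n "$pat" ] || { echo "empty PAT" >&2; return 1; }
    # base64 wraps long output (as openssl base64 does), so strip newlines.
    printf 'Authorization: Basic %s' "$(printf ':%s' "$pat" | base64 | tr -d '\n')"
}

# Heuristic scope check: accept only an https URL with a non-empty path
# below the host, i.e. something more specific than a bare host name.
# Plain http is rejected because Basic auth would expose the PAT in cleartext.
is_repo_scoped_url() {
    case "$1" in
        https://?*/*[!/]*) return 0 ;;
        *) return 1 ;;
    esac
}

# Store the header for one repository URL in the current repo's local config
# (.git/config) instead of the global config used in the post.
set_repo_pat_header() {
    local url=$1 header cfg
    is_repo_scoped_url "$url" || { echo "need a full https repository URL" >&2; return 1; }
    header=$(pat_basic_header) || return 1
    git config --local "http.${url}.extraHeader" "$header" || return 1
    # The local config now holds a credential: make it owner-only.
    cfg=$(git rev-parse --git-path config) && chmod 600 "$cfg"
}

# Usage, run inside the clone with the PAT supplied on stdin:
#   set_repo_pat_header "https://devops.example.test/tfs/Coll/Proj/_git/repo"
```

When the PAT expires, running `set_repo_pat_header` again with the new token overwrites the stored header for that URL.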