401 when calling Identities endpoint #1499

Open
1 task done
miszoPandy opened this issue Nov 29, 2024 · 3 comments

miszoPandy commented Nov 29, 2024

Describe the bug

Requests to resolve approvers don't work because the WebApi is reused and the PersonalAccessTokenHandler rejects cross domain calls.

Categorization

We get a 401 for the identities endpoint of Azure DevOps. The same token works via Postman and is also able to create PRs via this task.

Repository
URL: e.g. https://dev.azure.com/tingle/dependabot/_git/repro-684

To Reproduce
Steps to reproduce the behavior:

  1. Add any reviewers under the dependabot.yaml configuration.
  2. Try to run the task
  3. The task will fail with an error saying that the authentication failed against the ADO identities API

Expected behavior
A clear and concise description of what you expected to happen.
The personal access token should work against both the identities and the organization API

Logs and screenshots
If applicable, include relevant logs or screenshots to help explain your problem.
See extension troubleshooting for more on how to collect additional diagnostic logs.

Extension (please complete the following information):

  • Host: Azure DevOps
  • Version 2.x.x+ (latest)

Server (please complete the following information):

  • Region [e.g. westeurope]
  • Version 3.x.x+

Additional context
Add any other context about the problem here.

The problem probably originates from here:

https://github.com/microsoft/typed-rest-client/blob/master/lib/handlers/personalaccesstoken.ts#L19

The origin is never specified so it becomes the host of the first request. Then because this task reuses the webapi client the origin will not match the host and the boolean for allowCrossOriginRequests is also false since it's an optional value and never specified by the task.
This means the auth header never gets added to the request when calling the identities endpoint here

public async resolveIdentityId(userNameEmailOrGroupName?: string): Promise<string | undefined> {

Possible fix:
Create two webapi clients, one for each host, or allow cross-domain calls by enabling it when calling the authtokenhandler.
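
The behaviour described in this issue, as an added TypeScript example that is not part of the thread and not the typed-rest-client source: a simplified model of a credential handler that pins its origin to the first host it sees. Class and function names are hypothetical, and `vssps.dev.azure.com` as the identities host, `other.example` and the token value are assumptions made for the example.

```typescript
type RequestOptions = { host: string; headers: Record<string, string> };

// Simplified model (hypothetical names): the first host seen becomes the pinned origin.
class OriginPinnedHandler {
  private origin: string | undefined;
  private readonly credential: string;
  private readonly allowCrossOrigin: boolean;

  constructor(credential: string, allowCrossOrigin: boolean = false) {
    this.credential = credential;
    this.allowCrossOrigin = allowCrossOrigin;
  }

  prepareRequest(options: RequestOptions): void {
    if (this.origin === undefined) this.origin = options.host;
    // The credential is attached only for the pinned origin, unless cross-origin is enabled.
    if (options.host === this.origin || this.allowCrossOrigin) {
      options.headers["Authorization"] = "Basic " + this.credential;
    }
  }
}

// Returns true when the handler attached the credential for this host.
function sendsCredential(handler: OriginPinnedHandler, host: string): boolean {
  const options: RequestOptions = { host, headers: {} };
  handler.prepareRequest(options);
  return "Authorization" in options.headers;
}

const ORG_HOST = "dev.azure.com";            // assumed organization API host
const IDENTITY_HOST = "vssps.dev.azure.com"; // assumed identities API host
const OTHER_HOST = "other.example";          // constructed unrelated host
const PAT = "CONSTRUCTED-PLACEHOLDER";       // constructed value, not a real token

// One shared handler: the identities call goes out without credentials (the 401 above).
function sharedHandler(): boolean[] {
  const h = new OriginPinnedHandler(PAT);
  return [ORG_HOST, IDENTITY_HOST, OTHER_HOST].map((host) => sendsCredential(h, host));
}

// One handler per host: both APIs authenticate, an unrelated host still gets nothing.
function handlerPerHost(): boolean[] {
  const org = new OriginPinnedHandler(PAT);
  const identity = new OriginPinnedHandler(PAT);
  return [sendsCredential(org, ORG_HOST), sendsCredential(identity, IDENTITY_HOST),
          sendsCredential(identity, OTHER_HOST)];
}

// Cross-origin enabled: both APIs authenticate, but so does every other host.
function crossOriginEnabled(): boolean[] {
  const h = new OriginPinnedHandler(PAT, true);
  return [ORG_HOST, IDENTITY_HOST, OTHER_HOST].map((host) => sendsCredential(h, host));
}
```

Of the two fixes proposed above, only the per-host arrangement authenticates both APIs while still withholding the token from `other.example`.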

@miszoPandy
Author

Happy to propose the fix once approved.

@rhyskoedijk
Contributor

rhyskoedijk commented Dec 5, 2024

@miszoPandy are you able to share the relevant parts of your dependabot.yml and task out logs (with System.Debug = true)? I'm curious to know how you've configured the reviewers/assignees and what the HTTP request/response looks like, as I am not able to reproduce this issue. I am able to resolve identities from username, email, and group without any cross domain errors.

Are you using Azure DevOps (cloud) or Azure DevOps Server (on-prem)?

If you know how to reproduce and fix it, a PR is welcome.

@miszoPandy
Author

We are using Azure DevOps cloud.

The config looks something like this.

I don't have time now to further debug this, unfortunately.

version: 2
registries:
  azure-artifacts:
    type: nuget-feed
    key: "feed"
    url: "https://package-path"
    token: PAT:${{ AZURE_ACCESS_TOKEN }}
updates:
  - package-ecosystem: "nuget"
    directories: [ '/folder/*' ]
    allow:
      - dependency-name: "Depy"
    target-branch: main
    registries:
      - azure-artifacts
    schedule:
      interval: "daily"
    commit-message:
      prefix: "version upgrade"
    open-pull-requests-limit: 5
    reviewers:
      - "[email protected]"
