Proposal: Enhance Authentication Mechanism to Replace PATs with Cryptographically Secure Alternatives

[alishirazi92]

I’d like to raise a few concerns and suggestions regarding the current authentication mechanism being used for publishing extensions:

1. Current Approach: At the moment, authentication relies on Personal Access Tokens (PATs), which are commonly injected via environment variables or stored securely in CI/CD pipelines. While practical, PATs don’t offer sender-level cryptographic assurances, which poses a risk if they’re ever exposed or intercepted.

2. Token Lifespan: Both OAuth and PATs typically have expiration periods ranging from a week to several months—or remain valid indefinitely in some legacy cases. This variability adds to the challenge of maintaining secure, long-term access.

3. Potential Improvement: We’re interested in exploring stronger, cryptographically backed authentication alternatives. This could include secure key management solutions or an OAuth 2.0 flow that leverages client-side certificates for added protection.

[Neelima10735584]

Thank you for contacting the VS Marketplace Support Team and creating your request. We will review it and follow up to determine the best way to address it.

Regards,
VS Marketplace Team

[GABRIELNGBTUC]

I think the current options are fine as they are.

PATs may not be secure but it is already possible Entra ID bearer tokens which have a lifespan of at most 1 hour to publish extensions.

You can also add Azure DevOps service principals as users to your Azure DevOps organization that is linked to your publisher and then add said service principal as a member of your publisher.

From there you can use secret, certificate, client assertion, workload identity, ... auth to retrieve your access token and publish from any CI/CD environment without having PATs lying around.