
Add SPS endpoint allowlist and secure probe client#672

Merged
embetten merged 7 commits into master from users/embetten/sps-allowlist on Apr 30, 2026

Conversation

@embetten


This PR tightens how the credential provider handles discovery and token exchange as part of ongoing Entra identity hardening:

  • Credentialless probe client: Introduced HttpClientFactory.Probe, a dedicated HttpClient for discovery requests that does not set UseDefaultCredentials. This ensures Windows Integrated Authentication credentials are not sent when probing unknown endpoints for Azure DevOps headers.

  • HTTPS-only probing: Unknown hosts are now only probed over HTTPS. HTTP endpoints that aren't in the known hosts list are immediately treated as external without making a network call.

  • SPS endpoint allowlist: Added validation of the X-VSS-AuthorizationEndpoint header value before exchanging bearer tokens. The endpoint must match a known Azure DevOps SPS hostname (e.g., *.vssps.visualstudio.com, vssps.dev.azure.com). This prevents session token exchange against unexpected endpoints.

Testing:

  • 258 unit tests passing (including 19 new tests for SPS allowlist validation)

  • Integration tested against a live Azure DevOps feed across all three target frameworks (net481, net6.0, net8.0) with broker, no-broker, and Entra token opt-in configurations

@embetten embetten marked this pull request as ready for review April 28, 2026 17:56
…oint

- Add exact host 'vssps.codedev.ms' to AllowedSpsHosts so codedev PPE
  feeds can successfully exchange bearer tokens for session tokens
- Replace silent null return on untrusted SPS endpoint with an
  UntrustedSpsEndpointException so the credential provider exits
  immediately instead of falling through to device-code polling
- Add unit test for fail-fast behavior when SPS endpoint is untrusted
- Add unit test coverage for vssps.codedev.ms allowlist entry
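As an added illustration of the X-VSS-AuthorizationEndpoint check described in the PR text and the fail-fast behaviour from the commit message above (example code, not the project's own): a C# validator that accepts only HTTPS endpoints whose host is on an SPS allowlist, and throws instead of returning null. The class and exception names, the sample allowlist contents, and the reading of `*.vssps.visualstudio.com` as a dotted-suffix match are assumptions.

```csharp
using System;
using System.Collections.Generic;

// Hypothetical exception type, named after the one the commit message describes.
public class UntrustedSpsEndpointException : Exception
{
    public UntrustedSpsEndpointException(string message) : base(message) { }
}

public static class SpsEndpointValidator
{
    // Exact hosts named on the PR page; this set is an illustration, not the project's list.
    private static readonly HashSet<string> ExactHosts =
        new HashSet<string>(StringComparer.OrdinalIgnoreCase) { "vssps.dev.azure.com", "vssps.codedev.ms" };

    // "*.vssps.visualstudio.com" read as a dotted-suffix match (assumption): at least one label must precede it.
    private static readonly string[] WildcardSuffixes = { ".vssps.visualstudio.com" };

    public static bool IsAllowedSpsEndpoint(string authorizationEndpoint)
    {
        Uri uri;
        if (!Uri.TryCreate(authorizationEndpoint, UriKind.Absolute, out uri))
            return false;                          // unparseable header value
        if (uri.Scheme != Uri.UriSchemeHttps)
            return false;                          // never exchange a bearer token over plaintext
        string host = uri.Host;                    // userinfo ("trusted@evil") is not part of Host
        if (ExactHosts.Contains(host))
            return true;
        foreach (string suffix in WildcardSuffixes)
        {
            // The leading dot in the suffix rejects look-alikes such as "evilvssps.visualstudio.com".
            if (host.Length > suffix.Length && host.EndsWith(suffix, StringComparison.OrdinalIgnoreCase))
                return true;
        }
        return false;
    }

    // Fail fast: throw instead of returning null so a caller cannot fall through to another auth flow.
    public static Uri RequireTrustedSpsEndpoint(string authorizationEndpoint)
    {
        if (!IsAllowedSpsEndpoint(authorizationEndpoint))
            throw new UntrustedSpsEndpointException(
                "X-VSS-AuthorizationEndpoint is not a known Azure DevOps SPS endpoint: " + authorizationEndpoint);
        return new Uri(authorizationEndpoint);
    }

    public static void Main()
    {
        // Constructed header values: allowed wildcard, allowed exact, then plaintext, suffix spoof, userinfo trick.
        foreach (string s in new[] { "https://contoso.vssps.visualstudio.com/", "https://vssps.codedev.ms/",
                 "http://vssps.dev.azure.com/", "https://vssps.dev.azure.com.attacker.example/",
                 "https://vssps.dev.azure.com@attacker.example/" })
            Console.WriteLine(s + " -> " + IsAllowedSpsEndpoint(s));
    }
}
```

Running Main prints true for the first two constructed values and false for the remaining three.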
@embetten embetten merged commit 31070be into master Apr 30, 2026
55 checks passed
@embetten embetten deleted the users/embetten/sps-allowlist branch April 30, 2026 22:56