Open
Description
Currently, the only documented way to use this library is to authenticate with a Personal Access Token.
This seems wrong, as:
- From what I know about them, Personal Access Tokens are associated with human accounts.
  This means an application's access to an Azure DevOps instance is tightly coupled to the existence of a human person in an organisation, which means application access will break depending on other life cycles.
- Personal Access Tokens also require an expiration date, meaning application access will break regularly, forcing some manual (human) extra credentials management on top of, and separate from, the one associated with the parent account.
Is there a plan to support other kinds of authentication scheme with Azure DevOps (Server)?
One could think of an OAuth2 process, for instance, allowing different flows:
- H2M, much like what is achieved through PAT, without any extra (token, on top of account), manual, token lifecycle management
- M2M which would allow managing applications-specific secrets
Both flows isolate authentication of the application from any other organisational resource, and allow delegation of authorisation and grants lifecycle to a dedicated, potentially automated third party.