Unable to login using Personal Access Token

[ssbarnea]

I created a publisher named zbr and manually uploaded my extension to it but it seams impossible to setup the CLI vsce for publishing as one. Based on what I read on microsoft/vscode-vsce#507 i believe I am not the only one confused by the weird authentication setup.

My account sorin.sbarnea@gmail.com is listed as owner of zbr publisher and I tried generating a PAT from https://dev.azure.com/sorinsbarnea/_usersSettings/tokens but it does not work when I try to use it to login using vsce, I always get Failed request: (401).

The page from https://marketplace.visualstudio.com/_apis/connectiondata does report something like:

{
"authenticatedUser": {
"id": "51559800-adb9-4df8-b696-062e0700bccc",
"descriptor": "Microsoft.IdentityModel.Claims.ClaimsIdentity;0003BFFD86989D58@Live.com",
"subjectDescriptor": "msa.MmYwYTg5NWEtYjVkMi03MzVmLTg3ZjMtODEzNjI2ZTEyMjNj",
"providerDisplayName": "Sorin Sbarnea",
"isActive": true,
"properties": {
"Account": {
"$type": "System.String",
"$value": "sorin.sbarnea@gmail.com"
}
},
"resourceVersion": 2,
"metaTypeId": 255
},
"authorizedUser": {
"id": "51559800-adb9-4df8-b696-062e0700bccc",
"descriptor": "Microsoft.IdentityModel.Claims.ClaimsIdentity;0003BFFD86989D58@Live.com",
"subjectDescriptor": "msa.[CENSORED]",
"providerDisplayName": "Sorin Sbarnea",
"isActive": true,
"properties": {
"Account": {
"$type": "System.String",
"$value": "sorin.sbarnea@gmail.com"
}
},
"resourceVersion": 2,
"metaTypeId": 255
},
"instanceId": "2663b13f-50e3-a655-a159-22f6f4725fab",
"deploymentId": "2663b13f-50e3-a655-a159-22f6f4725fab",
"deploymentType": "hosted",
"locationServiceData": {
"serviceOwner": "00000029-0000-8888-8000-000000000000",
"defaultAccessMappingMoniker": "PublicAccessMapping",
"lastChangeId": 71900,
"lastChangeId64": 71900
}
}

Update

After generating full access to all organizations on my PAT, the error message changed from 401 into:

 ERROR  Access Denied: Microsoft.IdentityModel.Claims.ClaimsIdentity;3c44d198-864f-4224-bf6d-da60d60fe01d\sorin.sbarnea@gmail.com needs the following permission(s) on the resource /zbr to perform this action: View user permissions on a resource
Time: 0h:00m:03s

I am not sure what this means, but somehow I feel that the dev.azure.com user is different than the one used by the marketplace. At the same time the system fails to give any hints regarding the the kind of magic required to authenticate on dev.azure.com using exactly the same user.

If I try to access the directory switch option, I can see:

Switch to another directory

You are currently connected to the pycontribs Azure Active directory. Select a directory.
Current directory
pycontribs
pycontribs.onmicrosoft.com
3c44d198-864f-4224-bf6d-da60d60fe01d
Directories
Microsoft
19d5f71f-6c9a-4e7f-b629-2b0c38f2b167
Default Directory
9e952b40-c064-4d13-be06-e9490f7ff438
Microsoft Account
sorin.sbarnea@gmail.com

Still, this does not tell me which kind of directory I am support to use

[joaomoreno]

cc @prashantvc

[mayankmaheshwari18]

@ssbarnea Could you please confirm you followed the following steps to create PAT token?

1. Click on the email Id and then it will navigate to all the organizations you are part of.

2. If you have a publisher with name "X", you need not necessarily have an organization with name "X".
   For publishing/managing an extension, you can create a PAT token with any of the organization to manage the extension.

[ssbarnea]

I was able to get a token working but only after using the BFG of generating one with full access to all organizations. The reality is that that current process for generating tokens for publishing to the marketplace is a huge PITA.

The UI is confusing and cryptic, I would not exaggerate to say that this was the worst authentication experience I encountered in two decades.

Please fix this once for good by adding an option in the marketplace UI to generate a token. As you already removed the ability to create organizations from the command line, it would make sense to at least generate tokens from browser on the manage publisher/extension page, without redirecting user to other systems.

I hope you will take this ticket as "constructive feedback" and not personal. If a product manager ever reads this ask him to make an user test experiment: ask someone that never used azure devops or published a vscode extension publish one generated with the vsce tool. Do not forget to start a timer ;) -- IMHO, it should take less than 10 mins in average, not hours or days of frustrations and cryptic error messages. I know that this is not really caused by "vsce" itself at a tool, but more of the backend issue (marketplace).

[prashantvc]

Hey @ssbarnea, I agree with everything you said about the generating the token. We are experimenting different options, and I would love to get your feedback. Please pick a time here https://book.ms/prchol@microsoft.com, we can chat about it :)

[robole]

@prashantvc I had this problem also. I resorted to using the website to manage my extensions instead for a long while.

I had another go because I wanted to use Github Actions to do this. It was only after reading this issue that I got it working by generating a token with all orgs and all permissions. It was on 4th attempt that it worked!

[dustsucker]

I have exactly the same Problem I get a
ERROR The Personal Access Token verification has failed. Additional information: Error: Failed request: (401)

I tried recreating the token and even tried with a full access token it didn't work, the same error. I tried it 8 times with new tokens and vsce installations. Within GitHub Actions It's the same Problem/ It just fails.

[boyswan]

One of the worst and most frustrating journeys, I've been sitting on this issue for years. Still can't get into my VSCE and update my package...

[sjimenez77]

I can only publish from one computer. When I try to vsce login from another I always get a 401 error. Even if I try to login in the working one, when I am prompted if I want to overwrite the local PAT and I provide the token I get the same 401 error. I cannot understand what happens.