Skip to content

fix(azure): add azure devops http header (git clone & git fetch)#533

Closed
Shaoqi-Cen wants to merge 1 commit intosourcebot-dev:mainfrom
Shaoqi-Cen:azure_fix
Closed

fix(azure): add azure devops http header (git clone & git fetch)#533
Shaoqi-Cen wants to merge 1 commit intosourcebot-dev:mainfrom
Shaoqi-Cen:azure_fix

Conversation

@Shaoqi-Cen
Copy link

@Shaoqi-Cen Shaoqi-Cen commented Sep 22, 2025

Close #522
This PR updates git clone and git fetch commands to support Azure DevOps repositories requiring http.extraHeader authentication. Testing confirms successful cloning and fetching of Azure DevOps repositories using this header-based authentication method.

@msukkari
Copy link
Contributor

msukkari commented Sep 22, 2025

Thanks @Shaoqi-Cen will take a look. Out of curiosity could you help me understand which scenarios this is required vs. the current PAT system? In my testing I was able to clone and fetch repos from ADO cloud with the current implementation

@Shaoqi-Cen
Copy link
Author

Shaoqi-Cen commented Sep 23, 2025

Thanks @Shaoqi-Cen will take a look. Out of curiosity could you help me understand which scenarios this is required vs. the current PAT system? In my testing I was able to clone and fetch repos from ADO cloud with the current implementation

Thanks for confirming it works on ADO Cloud. After digging into our environment, we found the issue is environment-specific: our target Azure DevOps (behind IIS/with Windows auth enabled) advertises multiple auth schemes (WWW-Authenticate: Bearer, Basic, Negotiate, NTLM). When the PAT is embedded in the URL, Git/libcurl prefers NTLM over Basic; since PATs only work with Basic, the NTLM handshake fails and auth is rejected. Forcing Basic (by sending an explicit Authorization: Basic header) resolves the issue on our side.

So this change is required in environments where NTLM/Negotiate are enabled and prioritized (common on-prem or behind certain reverse proxies). In ADO Cloud, where Basic is effectively used, the current PAT flow continues to work. Thanks again for taking a look!

@msukkari
Copy link
Contributor

msukkari commented Sep 24, 2025

Sorry just to be clear, I tested the released version on ADO cloud and it worked. I haven't tested the implementation in this PR on ADO cloud yet.

Thanks for digging into the underlying reason why this is necessary in your case @Shaoqi-Cen . This is definitely something we should get merged in. However, I think the general approach should be a bit different to align better with how we like to handle url's across the different platforms. My recommendation:

  • modify getCloneCredentialsForRepo to read the deploymentType in the AzureDevOpsConnectionConfig object. If the deploymentType is server then return null so the PAT doesn't get embedded in the url
  • add a new param to fetchRepository and cloneRepository for the auth header. If this is null then go through the existing path. If the authHeader is non null, pass that into the call

Should be the same functionality but slightly cleaner to prevent the git helpers from needing to know the underlying code host platforms. If my explanation isn't clear let me know - happy to make the change myself

@msukkari msukkari mentioned this pull request Sep 27, 2025
Merged
@msukkari msukkari closed this Jan 22, 2026
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

@msukkari msukkari Awaiting requested review from msukkari

Assignees

No one assigned

Labels

None yet

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

[BUG] Azure DevOps repository cloning fails due to incorrect authentication method Description

2 participants

@Shaoqi-Cen @msukkari