Configuring OAuth 2.0 for Microsoft Azure DevOps Services
To enable users to work with a remote Git repository that is hosted on Microsoft Azure Repos:
- Set up an application in Microsoft Entra ID.
- Apply the Microsoft Entra ID App Secret.

Microsoft Entra ID replaces the deprecated Azure DevOps OAuth 2.0 application, which no longer accepts new registrations. If you have an existing Azure DevOps OAuth app, migrate to Microsoft Entra ID.
Setting up the Microsoft Entra ID OAuth App
Set up a Microsoft Entra ID OAuth App to enable Che users to interact with Azure DevOps Git repositories without re-entering credentials.
- You are logged in to Microsoft Azure DevOps Services.
- Third-party application access via OAuth is enabled for your organization. See Change application connection & security policies for your organization.

Procedure
- Register an application in Microsoft Entra ID. See Register an application.
- Add the Authorization callback URL https://<che_fqdn>/api/oauth/callback to your application. See Add a redirect URI.
- Add a client secret to your application. See Add credentials.
- Add the Azure DevOps vso.code_write permission to the client application. See Add permissions to access your web API.
- Connect your Azure DevOps organization to Microsoft Entra ID. See Connect your organization to Microsoft Entra ID.
Applying the Microsoft Entra ID OAuth App Secret
Prepare and apply the Secret that enables Che to authenticate with Microsoft Entra ID for Azure DevOps repository access.
- You have set up the Microsoft Entra ID OAuth App.
- The following values, which were generated when setting up the Microsoft Entra ID OAuth App, are prepared:
  - Application (client) ID
  - Directory (tenant) ID
  - Client Secret
- An active kubectl session with administrative permissions to the destination Kubernetes cluster. See Overview of kubectl.

- Prepare the Secret:

    kind: Secret
    apiVersion: v1
    metadata:
      name: azure-devops-oauth-config
      namespace: eclipse-che # (1)
      labels:
        app.kubernetes.io/part-of: che.eclipse.org
        app.kubernetes.io/component: oauth-scm-configuration
      annotations:
        che.eclipse.org/oauth-scm-server: azure-devops
    type: Opaque
    stringData:
      tenant-id: <Microsoft_Entra_ID_Tenant_ID> # (2)
      id: <Microsoft_Entra_ID_App_ID> # (3)
      secret: <Microsoft_Entra_ID_Client_Secret> # (4)

  (1) The Che namespace. The default is eclipse-che.
  (2) The Microsoft Entra ID Directory (tenant) ID.
  (3) The Microsoft Entra ID Application (client) ID.
  (4) The Microsoft Entra ID Client Secret.

- Apply the Secret:

    $ kubectl apply -f - <<EOF
    <Secret_prepared_in_the_previous_step>
    EOF

- Verify in the output that the Secret is created.
- Wait for the rollout of the Che server components to be completed.
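
One way to carry out the prepare and apply steps without writing the client secret to a file or to shell history, as an added example that is not part of the Che documentation. The function names `is_guid` and `render_che_azure_secret` and the `AZ_*` variable names are assumptions; the manifest fields are the ones shown in the procedure above.

```shell
# Added example: render the azure-devops-oauth-config Secret on stdout so it
# can be piped to kubectl. Function and variable names are hypothetical.

# Entra ID tenant and application IDs are GUIDs; reject anything else early.
is_guid() {
  printf '%s\n' "$1" |
    grep -Eqx '[0-9A-Fa-f]{8}(-[0-9A-Fa-f]{4}){3}-[0-9A-Fa-f]{12}'
}

# $1 tenant ID, $2 application ID, $3 client secret, $4 namespace (optional)
render_che_azure_secret() {
  tenant=$1; app=$2; secret=$3; ns=${4:-eclipse-che}
  is_guid "$tenant" || { echo "tenant ID is not a GUID" >&2; return 1; }
  is_guid "$app" || { echo "application ID is not a GUID" >&2; return 1; }
  [ -n "$secret" ] || { echo "client secret is empty" >&2; return 1; }
  # Catch a template placeholder that was never filled in.
  case $secret in
    '<Microsoft_Entra_ID_'*) echo "placeholder left in secret" >&2; return 1 ;;
  esac
  # Emit the value as a YAML single-quoted scalar: double embedded quotes.
  quoted=$(printf '%s' "$secret" | sed "s/'/''/g")
  cat <<EOF
kind: Secret
apiVersion: v1
metadata:
  name: azure-devops-oauth-config
  namespace: $ns
  labels:
    app.kubernetes.io/part-of: che.eclipse.org
    app.kubernetes.io/component: oauth-scm-configuration
  annotations:
    che.eclipse.org/oauth-scm-server: azure-devops
type: Opaque
stringData:
  tenant-id: $tenant
  id: $app
  secret: '$quoted'
EOF
}

# Usage in bash (needs an active kubectl session):
#   read -rs AZ_CLIENT_SECRET   # typed without echo, not stored in history
#   render_che_azure_secret "$AZ_TENANT_ID" "$AZ_APP_ID" "$AZ_CLIENT_SECRET" \
#     | kubectl apply -f -
```
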