Move from PATs to Microsoft Entra tokens?
Currently, using artifacts-keyring creates personal access tokens (PATs) on use. The documentation for authenticating to Azure DevOps with personal access tokens has the following "Important" warning text:
We recommend the more secure Microsoft Entra tokens over higher-risk personal access tokens. Learn more about our efforts to reduce PAT usage. Review our authentication guidance to choose the right authentication mechanism for your needs.
Is there a plan to move away from managing PATs to leveraging Microsoft Entra tokens?
This work is planned, but there are changes we need to make to our downstream dependencies such as the MSAL broker on macOS before this can be broadly supported.
See https://github.com/microsoft/artifacts-credprovider/issues/543#issuecomment-2648855539 for more info.
For environments where macOS isn't an issue, is there a short term solution?
PATs are generating SFI warnings for us.
@demoray use the ARTIFACTS_CREDENTIALPROVIDER_FEED_ENDPOINTS env var, and configure authentication on behalf of an Entra app through a certificate. You'll need to add the application's service principal into the ADO organization and grant it access to the artifacts feed (Contributor access is preferred, so that it can proxy missing packages from PyPI).
See https://github.com/microsoft/artifacts-credprovider?tab=readme-ov-file#environment-variables
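The configuration described in the reply above, as an added example that is not from this thread, from artifacts-keyring or from the credprovider project: a POSIX shell helper that builds the ARTIFACTS_CREDENTIALPROVIDER_FEED_ENDPOINTS JSON for an Entra service principal authenticating with a certificate, refuses the PAT-shaped config the thread is trying to retire, and runs pip against the feed. The feed URL, client ID and certificate path are constructed placeholders. The field names `clientId` and `clientCertificateFilePath` are my reading of the credprovider README linked above and should be checked against the current version; that the `endpoint` string must match the index URL pip passes to the provider is also an assumption.

```shell
#!/bin/sh
# Added example (not project code). Builds the credprovider env var for an
# Entra service principal + certificate instead of a PAT. Field names
# (clientId, clientCertificateFilePath) are assumed from the README; verify.
set -eu

# Emit the JSON the credential provider reads from the environment.
# $1 = feed index URL, $2 = Entra application (client) ID, $3 = PEM cert path.
feed_endpoints_json() {
  printf '{"endpointCredentials":[{"endpoint":"%s","clientId":"%s","clientCertificateFilePath":"%s"}]}' \
    "$1" "$2" "$3"
}

# True (exit 0) when a config still carries a PAT in a "password" field,
# i.e. the shape this thread wants to move away from.
config_uses_pat() {
  case "$1" in
    *'"password"'*) return 0 ;;
    *) return 1 ;;
  esac
}

# Sanity checks before exporting anything: the feed must be an https
# pypi/simple index (what artifacts-keyring hands to the provider, assumed)
# and the certificate file must be readable. $2 (client ID) is passed
# through unchanged for a uniform signature.
validate_inputs() {
  case "$1" in
    https://*/pypi/simple/) ;;
    *) echo "feed must be an https Azure Artifacts pypi/simple index URL" >&2; return 1 ;;
  esac
  [ -r "$3" ] || { echo "certificate file not readable: $3" >&2; return 1; }
  return 0
}

# Export the variable for a single pip invocation only (not the whole shell)
# and install $4 from the private feed.
install_with_service_principal() {
  validate_inputs "$1" "$2" "$3"
  cfg=$(feed_endpoints_json "$1" "$2" "$3")
  if config_uses_pat "$cfg"; then
    echo "refusing config that still contains a PAT" >&2
    return 1
  fi
  ARTIFACTS_CREDENTIALPROVIDER_FEED_ENDPOINTS="$cfg" \
    pip install --index-url "$1" "$4"
}

# Only runs when the caller supplies real values via the environment, e.g.
#   AZ_FEED=https://pkgs.dev.azure.com/<org>/_packaging/<feed>/pypi/simple/ \
#   AZ_CLIENT_ID=<app-id> AZ_CERT=/path/sp.pem sh this.sh requests
# (placeholders, constructed for this example).
if [ "${AZ_FEED:-}" ] && [ "${AZ_CLIENT_ID:-}" ] && [ "${AZ_CERT:-}" ]; then
  install_with_service_principal "$AZ_FEED" "$AZ_CLIENT_ID" "$AZ_CERT" "${1:-requests}"
fi
```

pip still needs artifacts-keyring (and therefore the credprovider) installed so that the keyring backend is consulted; the script only controls which credential the provider uses once it is invoked. Scoping the variable to the single pip command keeps the certificate path out of the environment of anything else you run in that shell.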
You might also be able to use NUGET_CREDENTIALPROVIDER_VSTS_TOKENTYPE set to SelfDescribing to generate JWTs, according to https://github.com/microsoft/artifacts-credprovider.
I've not tried this, but it sounds promising.