in CredentialProvider.Microsoft/CredentialProviders/Vsts/VstsSessionTokenFromBearerTokenProvider.cs [27:62]
/// <summary>
/// Exchanges an Azure DevOps bearer token for a session token, after deciding which
/// token type to request and how long it should stay valid.
/// </summary>
/// <param name="request">Credential request; its <c>Uri</c> is handed to the session token client.</param>
/// <param name="bearerToken">Bearer token passed to the session token client. It is not included in the log line written here.</param>
/// <param name="bearerTokenObtainedInteractively">
/// Whether the bearer token came from an interactive sign-in. Only consulted when the
/// environment does not name a token type.
/// </param>
/// <param name="cancellationToken">Forwarded to <c>CreateSessionTokenAsync</c>.</param>
/// <returns>Whatever <c>CreateSessionTokenAsync</c> returns for the chosen type and expiry.</returns>
public async Task<string> GetAzureDevOpsSessionTokenFromBearerToken(
    GetAuthenticationCredentialsRequest request,
    string bearerToken,
    bool bearerTokenObtainedInteractively,
    CancellationToken cancellationToken)
{
    // Token type: an explicit choice from the environment wins. Otherwise an interactive
    // sign-in gets a Compact token (a PAT), which can safely default to a much longer
    // validity period; a non-interactive one gets a self-describing token.
    var tokenTypeFromEnvironment = EnvUtil.GetVstsTokenType();
    VstsTokenType tokenType = tokenTypeFromEnvironment
        ?? (bearerTokenObtainedInteractively ? VstsTokenType.Compact : VstsTokenType.SelfDescribing);

    // Validity period: the environment may override the built-in default.
    // NOTE(review): whether the helper rejects zero or negative durations is not visible
    // from this method - confirm, since the value feeds straight into the expiry below.
    TimeSpan? lifetimeFromEnvironment = EnvUtil.GetSessionTimeFromEnvironment(logger);
    bool wantsCompactToken = tokenType == VstsTokenType.Compact;

    // Personal Access Tokens may be as long as SPS will grant, since they are easily
    // revocable; no upper bound is applied to them here.
    TimeSpan sessionTimeSpan = wantsCompactToken
        ? lifetimeFromEnvironment ?? TimeSpan.FromHours(DefaultPersonalAccessTimeHours)
        : lifetimeFromEnvironment ?? TimeSpan.FromHours(DefaultSessionTimeHours);

    // Self-describing session tokens are harder to revoke, so their lifetime is held to a
    // strict 24 hours even when the environment asks for more.
    TimeSpan selfDescribingCeiling = TimeSpan.FromHours(24);
    if (!wantsCompactToken && sessionTimeSpan >= selfDescribingCeiling)
    {
        sessionTimeSpan = selfDescribingCeiling;
    }

    DateTime endTime = DateTime.UtcNow + sessionTimeSpan;

    // The log line carries token type, lifetime and expiry only.
    string validityMessage = string.Format(
        Resources.VSTSSessionTokenValidity,
        tokenType.ToString(),
        sessionTimeSpan.ToString(),
        endTime.ToUniversalTime().ToString());
    logger.Verbose(validityMessage);

    var sessionTokenClient = new VstsSessionTokenClient(request.Uri, bearerToken, authUtil);
    return await sessionTokenClient.CreateSessionTokenAsync(tokenType, endTime, cancellationToken);
}