admin管理员组文章数量:1395225
I'm using Projects - List REST API to retrieve the list of DevOps projects, with their avatar
[GET]
Each returned project has this structure:
{
"id": "abcdxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx",
"name": "PROJ",
"url": ";,
"state": "wellFormed",
"revision": 21,
"visibility": "public",
"defaultTeamImageUrl": ";size=2",
"lastUpdateTime": "2025-03-12T10:21:29.513Z"
}
I tried to load /_apis/GraphProfile/MemberAvatars avatar image as is, by signing the request with the same valid OAuth 2.0 access token used for the REST API.
In Microsoft Entra Admin Center, I made sure to include vso.graph API permission for my app registration, but it didn't do the trick.
I know there's the dedicated Avatars - Get REST API (/_apis/graph/Subjects/{subjectDescriptor}/avatars) to get base64 avatars, but it needs the subject descriptor as input, and it's not included in /_apis/projects REST API response (and I'd like to avoid additional API calls to retrieve them).
Fun fact: I tried adding all 76 vso API permissions to my app registration, also with admin consent, and the avatar did load as intended.
But now I'm having a hard time in identifying which is the involved API permission.
Any suggestions? Thanks in advance
I'm using Projects - List REST API to retrieve the list of DevOps projects, with their avatar
[GET] https://dev.azure/MY_ORGANIZATION/_apis/projects?getDefaultTeamImageUrl=true
Each returned project has this structure:
{
"id": "abcdxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx",
"name": "PROJ",
"url": "https://dev.azure/MY_ORGANIZATION/_apis/projects/abcdxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx",
"state": "wellFormed",
"revision": 21,
"visibility": "public",
"defaultTeamImageUrl": "https://dev.azure/MY_ORGANIZATION/_apis/GraphProfile/MemberAvatars/efghxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx?overrideDisplayName=PROJ&size=2",
"lastUpdateTime": "2025-03-12T10:21:29.513Z"
}
I tried to load /_apis/GraphProfile/MemberAvatars avatar image as is, by signing the request with the same valid OAuth 2.0 access token used for the REST API.
In Microsoft Entra Admin Center, I made sure to include vso.graph API permission for my app registration, but it didn't do the trick.
I know there's the dedicated Avatars - Get REST API (/_apis/graph/Subjects/{subjectDescriptor}/avatars) to get base64 avatars, but it needs the subject descriptor as input, and it's not included in /_apis/projects REST API response (and I'd like to avoid additional API calls to retrieve them).
Fun fact: I tried adding all 76 vso API permissions to my app registration, also with admin consent, and the avatar did load as intended.
But now I'm having a hard time in identifying which is the involved API permission.
Any suggestions? Thanks in advance
Share Improve this question asked Mar 27 at 13:08 ilPittizilPittiz 7561 gold badge10 silver badges25 bronze badges1 Answer
Reset to default 1Based on my test, to run REST API https://dev.azure/{OrgName}/_apis/GraphProfile/MemberAvatars/{AvatarId}?api-version=7.1, your API needs user_impersonation permission.
user_impersonation allows the application full access to the REST APIs provided by Visual Studio Team Services on behalf of the signed-in user. If the sign-in user has permissions to get project avatar, then the app has permissions.
I tried assigning all API permissions except `user_impersonation` to my app registration, but my app still does not have enough permissions. Therefore, I guess that additional permissions are required to run the current API, and the permissions come from the user's membership in the anization. For example, PCA has more permissions than shown in the UI and PAT scope.
本文标签: Azure DevOpsload provided Graph avatars via OAuth 20Stack Overflow
版权声明:本文标题:Azure DevOps - load provided Graph avatars via OAuth 2.0 - Stack Overflow 内容由网友自发贡献,该文观点仅代表作者本人, 转载请联系作者并注明出处:http://www.betaflare.com/web/1744086931a2588696.html, 本站仅提供信息存储空间服务,不拥有所有权,不承担相关法律责任。如发现本站有涉嫌抄袭侵权/违法违规的内容,一经查实,本站将立刻删除。
发表评论