Azure DevOps PAT goes invalid for no reason

MichelZ · February 12, 2024, 8:46am

We’ve had this problem a couple of times.
After a couple of months, our PAT to Azure DevOps somehow goes invalid.
This manifests itself by an error on Pull Requests:

##[error]ERROR: Error during SonarScanner execution

ERROR: Error during SonarScanner execution

##[error]ERROR: Could not find the pullrequest with key ‘6371’

ERROR: Caused by: Error 404 on https://sonarcloud.io/api/alm_integration/show_pullrequest?project=&pullrequestKey=6371 : {“errors”:[{“msg”:“Unable to find the pullrequest with key \u00276371\u0027”}]}

However, checking Azure DevOps, there are no recently expired tokens:

All tokens were revoked before, and we have the single active token in use since November '23
The PAT on the Organization level says it’s valid:

There is no PAT on the Project level:

We have entered the very same PAT again on the organization level (the input field even recognized it using autocomplete), and now PR builds work again.

The issue seems to have started on Friday, February 9th

As this is quite a “common” issue for us now (as mentioned, every couple months), and a lot of builds fail during this time, we would like to ask for a deeper investigation about this issue, it’s quite disruptive for us every time it happens.

Also, I’m sure the error message can somehow be improved that it actually states that the PAT is invalid… ?

TomVanBraband · February 22, 2024, 8:58am

Hello @MichelZ,

I can observe the behaviour you described, and we currently don’t have enough information on our end to diagnose the problem.

I can verify that when the scanner fails with the message Error 404 on ..., it is a consequence of Azure DevOps returning a 403 status code when we request more information about the pull request in question.

We’re going to add extra logging on our end, so that next time when it happens we have more information to figure out what is happening. Could you post on this thread when it happens again?

MichelZ · February 24, 2024, 6:34am

Sure, thanks for looking into it!

MichelZ · March 14, 2024, 3:15pm

Hi @TomVanBraband, I am experiencing the issue right now again.

MichelZ · April 23, 2024, 2:30pm

Hi @TomVanBraband, we are experiencing this issue again currently. Will wait a couple hours until I put the (same) PAT in again - maybe you can look at the backend what’s going on.

Colin · April 23, 2024, 2:34pm

Is there any chance you’re running into this?

Azure requires that a user log in every 30 days, or it automatically kills a PAT; this action may cause your related pipeline to fail. Here is an Azure Q&A on this topic.

I ask because it’s been about a month since you last had the problem.

MichelZ · April 23, 2024, 2:47pm

Thanks @Colin, that absolutely sound like the issue we’re having! I did not know about this requirement (thanks Microsoft for making it as difficult as possible… grr)

MichelZ · April 23, 2024, 2:50pm

@Colin Speaking of this headache… are there any plans to support “proper” service authentication using OAuth 2.0 then?

Colin · April 23, 2024, 2:56pm

I’ll leave that to @TomVanBraband

TomVanBraband · April 24, 2024, 7:57am

At the moment there are no concrete plans for moving away from personal access tokens to OAuth using Service Applications. We do agree that makes sense though, and we hope to make the change at some point.

Are you using a technical account to generate the access tokens, and is that the reason why the account is not being logged into frequently?

MichelZ · April 24, 2024, 8:10am

Yes, we are using a technical user that is never logged in. At least now we know the exact cause of it and we can easily work around it… that’s good enough for now.

Thanks for looking into this