Azure DevOps PAT goes invalid for no reason

We’ve had this problem a couple of times.
After a couple of months, our PAT to Azure DevOps somehow goes invalid.
This manifests itself by an error on Pull Requests:

##[error]ERROR: Error during SonarScanner execution

ERROR: Error during SonarScanner execution

##[error]ERROR: Could not find the pullrequest with key ‘6371’

ERROR: Caused by: Error 404 on : {“errors”:[{“msg”:“Unable to find the pullrequest with key \u00276371\u0027”}]}

However, checking Azure DevOps, there are no recently expired tokens:

All tokens were revoked before, and we have the single active token in use since November '23
The PAT on the Organization level says it’s valid:

There is no PAT on the Project level:

We have entered the very same PAT again on the organization level (the input field even recognized it using autocomplete), and now PR builds work again.

The issue seems to have started on Friday, February 9th

As this is quite a “common” issue for us now (as mentioned, every couple months), and a lot of builds fail during this time, we would like to ask for a deeper investigation about this issue, it’s quite disruptive for us every time it happens.

Also, I’m sure the error message can somehow be improved that it actually states that the PAT is invalid… ?

1 Like

Hello @MichelZ,

I can observe the behaviour you described, and we currently don’t have enough information on our end to diagnose the problem.

I can verify that when the scanner fails with the message Error 404 on ..., it is a consequence of Azure DevOps returning a 403 status code when we request more information about the pull request in question.

We’re going to add extra logging on our end, so that next time when it happens we have more information to figure out what is happening. Could you post on this thread when it happens again?

1 Like

Sure, thanks for looking into it!

Hi @TomVanBraband, I am experiencing the issue right now again.

1 Like

Hi @TomVanBraband, we are experiencing this issue again currently. Will wait a couple hours until I put the (same) PAT in again - maybe you can look at the backend what’s going on.

1 Like

Is there any chance you’re running into this?

  • Azure requires that a user log in every 30 days, or it automatically kills a PAT; this action may cause your related pipeline to fail. Here is an Azure Q&A on this topic.

I ask because it’s been about a month since you last had the problem.

1 Like

Thanks @Colin, that absolutely sound like the issue we’re having! I did not know about this requirement (thanks Microsoft for making it as difficult as possible… grr)

@Colin Speaking of this headache… are there any plans to support “proper” service authentication using OAuth 2.0 then?

I’ll leave that to @TomVanBraband :slight_smile:

1 Like

At the moment there are no concrete plans for moving away from personal access tokens to OAuth using Service Applications. We do agree that makes sense though, and we hope to make the change at some point.

Are you using a technical account to generate the access tokens, and is that the reason why the account is not being logged into frequently?

Yes, we are using a technical user that is never logged in. At least now we know the exact cause of it and we can easily work around it… that’s good enough for now.

Thanks for looking into this

This topic was automatically closed 7 days after the last reply. New replies are no longer allowed.