Why I get Internet Explorer enhanced security error message in Chrome if I call VSO API from Angularjs SPA?

Asked 3/11, 2015 at 11:52 Answered 7/12, 2021 at 6:41

Solved angularjs google-chrome authentication azure-devops-rest-api

I have a SPA implemented in Angularjs - Typescript calling VSO API and providing authentication data you can find below:

((): void => {
    "use strict";

    angular
        .module("app")
        .config(config);

    config.$inject = [
        "$httpProvider"
    ];

    function config(
        $httpProvider: ng.IHttpProvider
    ) {

        $httpProvider.defaults.headers.common['Authorization'] = "Bearer username:password";

    }
});

I see the Network tab of the browser that this call will be redirected to here:

https://app.vssps.visualstudio.com/_signin?realm=dldxdm.visualstudio.com&reply_to...

And a following request.

The console does not show any authentication error, but there is no result of my request (GET) but it should be! Instead of the result I get the message you can see in the screenshot. It is Microsoft Internet Explorer's Enhanced Security Configuration is currently enabled on your environment. This enhanced level of security prevents our web integration experiences from displaying or performing correctly. To continue with your operation please disable this configuration or contact your administrator. But the query executed in Chrome. Why an IE error message is here?

In the browser I logged in to VSO to the project, and if I copy the url and paste into another tab and execute it I'll get the proper result I'm looking for.

Questions:

why there is no result for my query executed by Angular app?
how should I authenticate for VSO? I cannot set up a token because it runs on localhost currently.

I googled for the IE error message but there is no answer. The how to disable the enhanced security of IE I have found Windows Server answers. I don't think they are related to my issue.

Update:

Ok, I have an article about what is happening. Next step, implementation.

Afferent answered 3/11, 2015 at 11:52 Comment(3)

Did you find a solution related to this problem? – Typo 30/3, 2016 at 11:39

I got that error trying to curl https://$VSTS_ACCOUNT.visualstudio.com/_apis/distributedtask/packages/agent?platform=ubuntu.$UBUNTU_VERSION-x64 from the vsts agent docker container. It's unbelievable that a server side error is assuming you're using IE as your browser. curl is not IE, there are no security zones whatever things on ubuntu. – Sexist 1/2, 2017 at 19:34

The linked article does not load :( – Sexist 2/2, 2017 at 3:38

I found that this happened to me when my PAT was wrong due to a copy and paste error.

Looks like you are probably failing authentication because you didn't base64 encode the bearer token.

Sexist answered 2/2, 2017 at 4:3 Comment(4)

For us this was because the PAT has to be prefix by ":" before you base 64 encode it. Then supply this as Authorization header: Basic <PAT_ENCODED> – Galoshes 24/5, 2017 at 16:51

@Andy: you can add this as an answer, FYI: it resolved my issue. – Ahimsa 25/4, 2018 at 3:55

@RuSs I've flagged your comment: Suggesting that users use a 3rd party site to encrypt security keys is a dangerous practice. – Sexist 28/5, 2018 at 16:1

@Galoshes thanks. I deleted my answer. I'm an idiot. I was saying the right answer was that the PAT needs to be prefixed with a colon. I tried it yesterday. – Olnek 28/5, 2018 at 20:53

Prefix your Personal Access Token(PAT) with :(colon). then Base 64 encode it.

Eg:

If "myaccesstoken" is my PAT,

Apply base 64 encoder to ":myaccesstoken"

In the Authorization header, place your base encoded string as,

Authorization : Basic MyColonPrefixedBase64String

Hautrhin answered 6/7, 2020 at 14:2 Comment(1)

You save me after some hours! – Hamburg 26/3, 2021 at 12:25

I had this same issue. I verified this in postman as follows...

I didn't have to base64 encode my PAT. I found that I just needed to double check that my PAT had the right access. I passed the data as Basic Auth. Username: "whatever the hell you want" Password: PAT

Response: 200 👍

Rabbitfish answered 2/3, 2020 at 14:0 Comment(2)

All above answers didnt work for me except this one. Thank you! – Methodist 17/9, 2020 at 11:49

Postman does some base64 encoding on the fly; it wouldn't be necessary with Postman, but heads up that the advice might not carry over to curl or other applications. – Rivulet 14/3 at 18:22

If somebody else comes on this page after getting same error in Azure devops classic pipeline (like I did) then they may need to select radio button titled "Allow scripts to access the OAuth token". This option is available here "Stage >> Agent Job >> Additional Options". For more clarity, you may wan to refer this blog post.

Trinitytrinket answered 7/12, 2021 at 6:41 Comment(0)

Recommended topics

Hot tags