feat: accept any token type via ARTIFACTS_KEYRING_NOFUSS_TOKEN#27

Open: temporaer wants to merge 2 commits into main from universal-token-handling

Conversation

@temporaer

Contributor

Summary

Make ARTIFACTS_KEYRING_NOFUSS_TOKEN accept any valid ADO token — bearer, PAT, or $(System.AccessToken) — and do the right thing automatically.

Changes

Code (_backend.py):

  • _is_jwt() helper detects non-JWT tokens (PATs, session tokens) and returns them directly without exchange
  • After TokenRejectedError exhausts all providers, falls back to using the rejected bearer directly (handles $(System.AccessToken) and similar system JWTs)
  • Existing flows unchanged: user JWT → exchange, SP JWT → direct

Tests: Added TestIsJwt, TestNonJwtPassthrough, TestExchangeFallback; updated existing rejection test.

Docs (README): Simplified "Token via environment variable" section; clarified any token type works for Docker builds in CI.

Motivation

$(System.AccessToken) in ADO pipelines is a JWT with scp claims that gets misclassified as a user token → exchange attempt → 401 → failure. Similarly, PATs (non-JWT) would fail exchange. Now both work out of the box, simplifying Docker-in-CI guidance to: "pass your token, we figure it out."

Make the env var provider handle bearer tokens, PATs, and
$(System.AccessToken) automatically:

- Non-JWT tokens (PATs, session tokens) are detected and used directly
  without attempting session token exchange.
- JWT tokens that fail exchange with 401 (e.g. ADO build service JWTs)
  gracefully fall back to direct bearer use instead of failing.
- Existing flows (user JWT → exchange, SP JWT → direct) unchanged.

This simplifies Docker-in-CI guidance: users can pass any valid ADO
token as a build secret regardless of source.

Co-authored-by: Copilot <223556219+Copilot@users.noreply.github.com>
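The decision flow the PR description and commit message lay out (non-JWT tokens passed through, JWTs exchanged, a rejected bearer used directly as a fallback), as an added example that is not the project's own code. The names is_jwt, resolve_token, Resolved and TokenRejectedError are assumptions for this illustration, the exchange routine is a stand-in for the provider chain, and the "SP JWT → direct" branch the PR mentions is not modelled because the page does not describe how it is detected. The sample tokens are constructed strings, not real credentials.

```python
# Added example, not the project's code: the token-handling decision from the
# PR (non-JWT passthrough, JWT exchange, fallback to the rejected bearer).
# is_jwt, resolve_token, Resolved and TokenRejectedError are assumed names.
from dataclasses import dataclass
from typing import Callable


class TokenRejectedError(Exception):
    """Hypothetical: every exchange provider rejected the bearer (e.g. HTTP 401)."""


@dataclass(frozen=True)
class Resolved:
    token: str  # credential to send as the Bearer value
    mode: str   # "passthrough" | "exchanged" | "fallback"


def is_jwt(token: str) -> bool:
    """Shape-only check: exactly three non-empty dot-separated segments.

    It deliberately does not decode, verify or inspect claims; it only decides
    whether attempting a session-token exchange makes sense. PATs and opaque
    session tokens contain no dots and therefore fail this check.
    """
    parts = token.split(".")
    return len(parts) == 3 and all(parts)


def resolve_token(token: str, exchange: Callable[[str], str]) -> Resolved:
    """Pick the credential to use for a given ARTIFACTS_KEYRING_NOFUSS_TOKEN value.

    `exchange` is the caller's exchange routine; it returns a session token or
    raises TokenRejectedError once all providers have rejected the bearer.
    """
    token = token.strip()
    if not token:
        raise ValueError("empty token")
    if not is_jwt(token):
        # PAT or opaque session token: nothing to exchange, use as-is.
        return Resolved(token, "passthrough")
    try:
        return Resolved(exchange(token), "exchanged")
    except TokenRejectedError:
        # JWT that the exchange endpoint refuses (the PR's $(System.AccessToken)
        # case): use the original bearer as the credential instead of failing.
        return Resolved(token, "fallback")


# Constructed sample values (not real credentials, not tokens from the page).
USER_JWT = "eyJhbGciOiJub25lIn0.eyJzdWIiOiJ1c2VyIn0.c2ln"
SYSTEM_JWT = "eyJhbGciOiJub25lIn0.eyJzdWIiOiJidWlsZCJ9.c2ln"
FAKE_PAT = "abcdefghijklmnopqrstuvwxyz0123456789abcdefghijklmnop"


def fake_exchange(bearer: str) -> str:
    """Stand-in for the provider chain: only USER_JWT is exchangeable."""
    if bearer == USER_JWT:
        return "session-token-for-user"  # constructed value
    raise TokenRejectedError("all providers returned 401")


def demo() -> dict:
    """Run the three cases from the PR description through resolve_token."""
    cases = (("user", USER_JWT), ("system", SYSTEM_JWT), ("pat", FAKE_PAT))
    return {name: resolve_token(value, fake_exchange).mode for name, value in cases}


if __name__ == "__main__":
    for name, mode in demo().items():
        print(f"{name}: {mode}")
```

The shape check is a routing heuristic, not validation: a three-segment string that is not a real JWT simply goes down the exchange path and ends up in the fallback branch. Recording the resolved mode (as demo() does) is worth keeping in real code, because a token that was meant to be exchanged but silently lands in "fallback" is exactly the condition an operator wants to see in logs.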
Copilot AI review requested due to automatic review settings May 29, 2026 11:02

Copilot AI left a comment


Pull request overview

This PR expands environment-token handling so the keyring backend can accept PATs, bearer tokens, and system-issued tokens with automatic passthrough or exchange fallback.

Changes:

  • Adds JWT-shape detection and direct passthrough for non-JWT tokens.
  • Falls back to using rejected JWT bearer tokens directly after exchange rejection.
  • Updates tests and README guidance for the broader token support.

Reviewed changes

Copilot reviewed 3 out of 3 changed files in this pull request and generated 2 comments.

File                                      Description
src/artifacts_keyring_nofuss/_backend.py  Adds token-shape detection and exchange-rejection fallback logic.
tests/test_backend.py                     Covers JWT detection, PAT passthrough, and rejected-token fallback behavior.
README.md                                 Updates user-facing token configuration guidance.

Comment thread: README.md (outdated)
Comment thread: src/artifacts_keyring_nofuss/_backend.py (outdated)
- Move $(System.AccessToken) to the exchange-fallback bullet (it's a JWT)
- Fix misleading 'base64url' comment in _is_jwt() to match shape-only check

Co-authored-by: Copilot <223556219+Copilot@users.noreply.github.com>

@steph409 left a comment


very nice, thanks!
