feat: accept any token type via ARTIFACTS_KEYRING_NOFUSS_TOKEN #27
Open
temporaer wants to merge 2 commits into
Make the env var provider handle bearer tokens, PATs, and $(System.AccessToken) automatically:

- Non-JWT tokens (PATs, session tokens) are detected and used directly without attempting session token exchange.
- JWT tokens that fail exchange with 401 (e.g. ADO build service JWTs) gracefully fall back to direct bearer use instead of failing.
- Existing flows (user JWT → exchange, SP JWT → direct) unchanged.

This simplifies Docker-in-CI guidance: users can pass any valid ADO token as a build secret regardless of source.

Co-authored-by: Copilot <223556219+Copilot@users.noreply.github.com>
Pull request overview
This PR expands environment-token handling so the keyring backend can accept PATs, bearer tokens, and system-issued tokens with automatic passthrough or exchange fallback.
Changes:
- Adds JWT-shape detection and direct passthrough for non-JWT tokens.
- Falls back to using rejected JWT bearer tokens directly after exchange rejection.
- Updates tests and README guidance for the broader token support.
Reviewed changes
Copilot reviewed 3 out of 3 changed files in this pull request and generated 2 comments.
| File | Description |
|---|---|
| src/artifacts_keyring_nofuss/_backend.py | Adds token-shape detection and exchange-rejection fallback logic. |
| tests/test_backend.py | Covers JWT detection, PAT passthrough, and rejected-token fallback behavior. |
| README.md | Updates user-facing token configuration guidance. |
- Move $(System.AccessToken) to the exchange-fallback bullet (it's a JWT)
- Fix misleading 'base64url' comment in _is_jwt() to match shape-only check

Co-authored-by: Copilot <223556219+Copilot@users.noreply.github.com>
Summary
Make ARTIFACTS_KEYRING_NOFUSS_TOKEN accept any valid ADO token — bearer, PAT, or $(System.AccessToken) — and do the right thing automatically.
Changes
Code (_backend.py):
- _is_jwt() helper detects non-JWT tokens (PATs, session tokens) and returns them directly without exchange
- TokenRejectedError exhausts all providers, falls back to using the rejected bearer directly (handles $(System.AccessToken) and similar system JWTs)
Tests: Added TestIsJwt, TestNonJwtPassthrough, TestExchangeFallback; updated existing rejection test.
Docs (README): Simplified "Token via environment variable" section; clarified any token type works for Docker builds in CI.
Motivation
$(System.AccessToken) in ADO pipelines is a JWT with scp claims that gets misclassified as a user token → exchange attempt → 401 → failure. Similarly, PATs (non-JWT) would fail exchange. Now both work out of the box, simplifying Docker-in-CI guidance to: "pass your token, we figure it out."
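The routing described in this PR, sketched as an added example that is not the project's code: `looks_like_jwt`, `resolve_credential`, `Credential`, `ExchangeRejected` and the `exchange` callable are hypothetical names, the three-segment shape test is an assumption about what "shape-only" means, and the sample tokens are constructed. The service-principal JWT path is left out.

```python
from dataclasses import dataclass
from typing import Callable


class ExchangeRejected(Exception):
    """Hypothetical: raised when the exchange endpoint answers 401."""


@dataclass(frozen=True, repr=False)
class Credential:
    secret: str   # value presented to the feed
    path: str     # "direct", "exchanged" or "fallback-direct"

    def __repr__(self) -> str:  # keep the secret out of logs and tracebacks
        return f"Credential(path={self.path!r}, secret=<redacted>)"


def looks_like_jwt(token: str) -> bool:
    """Shape-only routing check; nothing is decoded or verified here."""
    parts = token.split(".")
    return len(parts) == 3 and all(parts)


def resolve_credential(token: str, exchange: Callable[[str], str]) -> Credential:
    """Pick how an environment-supplied token is used (simplified flow)."""
    token = token.strip()
    if not token:
        raise ValueError("empty token")
    if not looks_like_jwt(token):
        return Credential(token, "direct")  # PAT or session token
    try:
        return Credential(exchange(token), "exchanged")
    except ExchangeRejected:
        # Exchange refused with 401: present the JWT itself as the bearer.
        return Credential(token, "fallback-direct")


# Constructed sample values, not real tokens.
SAMPLE_PAT = "a" * 52
SAMPLE_USER_JWT = "aGVhZGVy.dXNlcg.c2ln"
SAMPLE_BUILD_JWT = "aGVhZGVy.YnVpbGQ.c2ln"


def fake_exchange(jwt: str) -> str:
    """Constructed stand-in for the exchange call; rejects the build JWT."""
    if jwt == SAMPLE_BUILD_JWT:
        raise ExchangeRejected("401")
    return "session-token-for-" + jwt[-4:]
```

Because the check is shape-only, any string with three non-empty dot-separated parts is routed as a JWT, and the server stays the sole authority on whether it is accepted. Recording `path` (never `secret`) in CI output shows when the fallback branch was taken.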