Local authorization for dotnet/NuGet.exe (in CLI) on Azure artifacts

Private NuGet packages can help to modularize and reuse already written code over several applications. Therefore Azure Artifact repository can be a very powerful and easy possibility. But in order to integrate it into local development an authorization process must be completed, not only for the IDE, but also for dotnet/NuGet.exe on CLI.

• TL;DR
• The complete story

TL;DR

• Setup NuGet.config with custom Azure Artifact feed

<?xml version="1.0" encoding="utf-8"?>
<configuration>
	<packageSources>
		<add key="my-private-nuget-packages" value="https://pkgs.dev.azure.com/{organization}/{project-if-feed-is-project-scoped}/_packaging/{feed}/nuget/v3/index.json" />
		<add key="nuget.org" value="https://api.nuget.org/v3/index.json" protocolVersion="3"/>
	</packageSources>
</configuration>

• Install NuGet plugin artifacts-credprovider on your machine:

# This example is for Windows and net core
> iex "& { $(irm https://aka.ms/install-artifacts-credprovider.ps1) }"

• Authorize donet/NuGet.exe via processing the authentication which can be opened via:

# Replace {username} and NuGet feed URL
> C:\Users\{username}\.nuget\plugins\netcore\CredentialProvider.Microsoft\CredentialProvider.Microsoft.exe -I -V Verbose -U "https://pkgs.dev.azure.com/{organization}/{project-if-feed-is-project-scoped}/_packaging/{feed}/nuget/v3/index.json"

• Execute whatever you want:

> dotnet list package --outdated
> dotnet list package --vulnerable --include-transitive

The complete story

I developed some private NuGet packages which are stored in Azure Artifact repository. The access to this repository is secured by my login, which means that I have to grant access to my development tools like Visual Studio or Rider.

My setup of the NuGet.config looks like the following. As you can see, there are no credentials stored, because I do not want to push them to my Git repository:

<?xml version="1.0" encoding="utf-8"?>
<configuration>
	<packageSources>
		<add key="my-private-nuget-packages" value="https://pkgs.dev.azure.com/{organization}/{project-if-feed-is-project-scoped}/_packaging/{feed}/nuget/v3/index.json" />
		<add key="nuget.org" value="https://api.nuget.org/v3/index.json" protocolVersion="3"/>
	</packageSources>
</configuration>

Adding the Azure credentials in Rider already forced me to contact JetBrains some time ago, because adding the username and password did not work. You have to use the combination of username and PAT (personal access token) — the manual creation of a PAT can be done in the Azure user settings:
https://dev.azure.com/{organization}/_usersSettings/tokens

But that was only part of the problem! The more interessting part, for which I write this post, is that I regularly check locally via CLI if there are outdated packages in my project(s). Therefore a very useful command exists:

> cd /enter/project/directory/here
> dotnet list package --outdated

The problem was that this command failed due to the fact that dotnet resp. NuGet.exe had no access to the Azure Artifact repository. The execution ended up in an 401 message:

Response status code does not indicate success: 401 (Unauthorized)

Of course, the authorization is missing here too, same situation like for my IDEs! But how to add them?

My first thought was to run the command with interactive parameter, but it never asked me for credentials. The first step towards the solution was to install the artifacts-credprovider plugin for NuGet and setup the authentication!

As described in the setup, the easiest version to install the plugin is to execute the automatic PowerShell script:

# This example is for Windows and net core
> iex "& { $(irm https://aka.ms/install-artifacts-credprovider.ps1) }"

Note: If you are on a Mac or need it for netfx, read through the setup process!

After I installed the plugin, I tried the interactive mode for the package check again:

> dotnet list package --outdated --interactive

… but it failed! After executing the command it provided me a generic URL and a unique code. After opning the URL in the browser, entering the code and processing the authentication, the process in the browser told me that everything is okay now. But the CLI asked me again to open the URL and gave me another code… and again… and again… and again! It just did not work!

The final solution was hidden in the documentation of the NuGet plugin: I executed the following command which brought up an other authorization window, directly from console:

> C:\Users\{username}\.nuget\plugins\netcore\CredentialProvider.Microsoft\CredentialProvider.Microsoft.exe -I -V Verbose -U "https://pkgs.dev.azure.com/{organization}/{project-if-feed-is-project-scoped}/_packaging/{feed}/nuget/v3/index.json"

I entered my credentials, finalized the 2-factor-authentication, et voilà, NOW IT WORKED! I could execute the outdated-packages-check without any problems:

> dotnet list package --outdated

Note: After successfully processing the authentication a new PAT (personal access token) is added to your user settings in Azure. This PAT is used as authorization token. In my case I received an email notification which informed me about this step.