Add option in OAuthCred to load authUrlV2. (#3777)

TingluoHuang · web-flow · commit d47013928bc2 · 2025-03-31T17:05:41.000-04:00
diff --git a/src/Runner.Listener/BrokerMessageListener.cs b/src/Runner.Listener/BrokerMessageListener.cs
@@ -65,7 +65,7 @@ public async Task<CreateSessionResult> CreateSessionAsync(CancellationToken toke
 
             // Create connection.
             Trace.Info("Loading Credentials");
-            _creds = _credMgr.LoadCredentials();
+            _creds = _credMgr.LoadCredentials(allowAuthUrlV2: false);
 
             var agent = new TaskAgentReference
             {
@@ -434,7 +434,7 @@ ex is AccessDeniedException ||
         private async Task RefreshBrokerConnectionAsync()
         {
             Trace.Info("Reload credentials.");
-            _creds = _credMgr.LoadCredentials();
+            _creds = _credMgr.LoadCredentials(allowAuthUrlV2: false); // TODO: change to `true` in the next PR.
             await _brokerServer.ConnectAsync(new Uri(_settings.ServerUrlV2), _creds);
             Trace.Info("Connection to Broker Server recreated.");
         }
diff --git a/src/Runner.Listener/Configuration/ConfigurationManager.cs b/src/Runner.Listener/Configuration/ConfigurationManager.cs
@@ -127,7 +127,7 @@ public async Task ConfigureAsync(CommandSettings command)
                     runnerSettings.ServerUrl = inputUrl;
                     // Get the credentials
                     credProvider = GetCredentialProvider(command, runnerSettings.ServerUrl);
-                    creds = credProvider.GetVssCredentials(HostContext);
+                    creds = credProvider.GetVssCredentials(HostContext, allowAuthUrlV2: false);
                     Trace.Info("legacy vss cred retrieved");
                 }
                 else
@@ -384,7 +384,7 @@ public async Task ConfigureAsync(CommandSettings command)
             if (!runnerSettings.UseV2Flow)
             {
                 var credMgr = HostContext.GetService<ICredentialManager>();
-                VssCredentials credential = credMgr.LoadCredentials();
+                VssCredentials credential = credMgr.LoadCredentials(allowAuthUrlV2: false);
                 try
                 {
                     await _runnerServer.ConnectAsync(new Uri(runnerSettings.ServerUrl), credential);
@@ -519,7 +519,7 @@ public async Task UnconfigureAsync(CommandSettings command)
                     if (string.IsNullOrEmpty(settings.GitHubUrl))
                     {
                         var credProvider = GetCredentialProvider(command, settings.ServerUrl);
-                        creds = credProvider.GetVssCredentials(HostContext);
+                        creds = credProvider.GetVssCredentials(HostContext, allowAuthUrlV2: false);
                         Trace.Info("legacy vss cred retrieved");
                     }
                     else
diff --git a/src/Runner.Listener/Configuration/CredentialManager.cs b/src/Runner.Listener/Configuration/CredentialManager.cs
@@ -13,7 +13,7 @@ namespace GitHub.Runner.Listener.Configuration
     public interface ICredentialManager : IRunnerService
     {
         ICredentialProvider GetCredentialProvider(string credType);
-        VssCredentials LoadCredentials();
+        VssCredentials LoadCredentials(bool allowAuthUrlV2);
     }
 
     public class CredentialManager : RunnerService, ICredentialManager
@@ -40,7 +40,7 @@ public ICredentialProvider GetCredentialProvider(string credType)
             return creds;
         }
 
-        public VssCredentials LoadCredentials()
+        public VssCredentials LoadCredentials(bool allowAuthUrlV2)
         {
             IConfigurationStore store = HostContext.GetService<IConfigurationStore>();
 
@@ -51,21 +51,16 @@ public VssCredentials LoadCredentials()
 
             CredentialData credData = store.GetCredentials();
             var migratedCred = store.GetMigratedCredentials();
-            if (migratedCred != null)
+            if (migratedCred != null &&
+                migratedCred.Scheme == Constants.Configuration.OAuth)
             {
                 credData = migratedCred;
-
-                // Re-write .credentials with Token URL
-                store.SaveCredential(credData);
-
-                // Delete .credentials_migrated
-                store.DeleteMigratedCredential();
             }
 
             ICredentialProvider credProv = GetCredentialProvider(credData.Scheme);
             credProv.CredentialData = credData;
 
-            VssCredentials creds = credProv.GetVssCredentials(HostContext);
+            VssCredentials creds = credProv.GetVssCredentials(HostContext, allowAuthUrlV2);
 
             return creds;
         }
diff --git a/src/Runner.Listener/Configuration/CredentialProvider.cs b/src/Runner.Listener/Configuration/CredentialProvider.cs
@@ -1,7 +1,7 @@
 ﻿using System;
-using GitHub.Services.Common;
 using GitHub.Runner.Common;
 using GitHub.Runner.Sdk;
+using GitHub.Services.Common;
 using GitHub.Services.OAuth;
 
 namespace GitHub.Runner.Listener.Configuration
@@ -10,7 +10,7 @@ public interface ICredentialProvider
     {
         Boolean RequireInteractive { get; }
         CredentialData CredentialData { get; set; }
-        VssCredentials GetVssCredentials(IHostContext context);
+        VssCredentials GetVssCredentials(IHostContext context, bool allowAuthUrlV2);
         void EnsureCredential(IHostContext context, CommandSettings command, string serverUrl);
     }
 
@@ -25,15 +25,15 @@ public CredentialProvider(string scheme)
         public virtual Boolean RequireInteractive => false;
         public CredentialData CredentialData { get; set; }
 
-        public abstract VssCredentials GetVssCredentials(IHostContext context);
+        public abstract VssCredentials GetVssCredentials(IHostContext context, bool allowAuthUrlV2);
         public abstract void EnsureCredential(IHostContext context, CommandSettings command, string serverUrl);
     }
 
     public sealed class OAuthAccessTokenCredential : CredentialProvider
     {
         public OAuthAccessTokenCredential() : base(Constants.Configuration.OAuthAccessToken) { }
 
-        public override VssCredentials GetVssCredentials(IHostContext context)
+        public override VssCredentials GetVssCredentials(IHostContext context, bool allowAuthUrlV2)
         {
             ArgUtil.NotNull(context, nameof(context));
             Tracing trace = context.GetTrace(nameof(OAuthAccessTokenCredential));
diff --git a/src/Runner.Listener/Configuration/OAuthCredential.cs b/src/Runner.Listener/Configuration/OAuthCredential.cs
@@ -22,10 +22,18 @@ public override void EnsureCredential(
             // Nothing to verify here
         }
 
-        public override VssCredentials GetVssCredentials(IHostContext context)
+        public override VssCredentials GetVssCredentials(IHostContext context, bool allowAuthUrlV2)
         {
             var clientId = this.CredentialData.Data.GetValueOrDefault("clientId", null);
             var authorizationUrl = this.CredentialData.Data.GetValueOrDefault("authorizationUrl", null);
+            var authorizationUrlV2 = this.CredentialData.Data.GetValueOrDefault("authorizationUrlV2", null);
+
+            if (allowAuthUrlV2 &&
+                !string.IsNullOrEmpty(authorizationUrlV2) &&
+                context.AllowAuthMigration)
+            {
+                authorizationUrl = authorizationUrlV2;
+            }
 
             // For back compat with .credential file that doesn't has 'oauthEndpointUrl' section
             var oauthEndpointUrl = this.CredentialData.Data.GetValueOrDefault("oauthEndpointUrl", authorizationUrl);
diff --git a/src/Runner.Listener/MessageListener.cs b/src/Runner.Listener/MessageListener.cs
@@ -80,7 +80,7 @@ public async Task<CreateSessionResult> CreateSessionAsync(CancellationToken toke
 
             // Create connection.
             Trace.Info("Loading Credentials");
-            _creds = _credMgr.LoadCredentials();
+            _creds = _credMgr.LoadCredentials(allowAuthUrlV2: false);
 
             var agent = new TaskAgentReference
             {
@@ -415,6 +415,7 @@ public async Task DeleteMessageAsync(TaskAgentMessage message)
         public async Task RefreshListenerTokenAsync()
         {
             await _runnerServer.RefreshConnectionAsync(RunnerConnectionType.MessageQueue, TimeSpan.FromSeconds(60));
+            _creds = _credMgr.LoadCredentials(allowAuthUrlV2: false); // TODO: change to `true` in next PR
             await _brokerServer.ForceRefreshConnection(_creds);
         }
 
diff --git a/src/Runner.Listener/Runner.cs b/src/Runner.Listener/Runner.cs
@@ -570,7 +570,7 @@ private async Task<int> RunAsync(RunnerSettings settings, bool runOnce = false)
 
                                     // Create connection
                                     var credMgr = HostContext.GetService<ICredentialManager>();
-                                    var creds = credMgr.LoadCredentials();
+                                    var creds = credMgr.LoadCredentials(allowAuthUrlV2: false);
 
                                     if (string.IsNullOrEmpty(messageRef.RunServiceUrl))
                                     {
diff --git a/src/Runner.Listener/RunnerConfigUpdater.cs b/src/Runner.Listener/RunnerConfigUpdater.cs
@@ -197,6 +197,16 @@ private async Task UpdateRunnerCredentialsAsync(string serviceType, string confi
                     await ReportTelemetryAsync($"Credential clientId in refreshed config '{refreshedClientId ?? "Empty"}' does not match the current credential clientId '{clientId}'.");
                     return;
                 }
+
+                //  make sure the credential authorizationUrl in the refreshed config match the current credential authorizationUrl for OAuth auth scheme
+                var authorizationUrl = _credData.Data.GetValueOrDefault("authorizationUrl", null);
+                var refreshedAuthorizationUrl = refreshedCredConfig.Data.GetValueOrDefault("authorizationUrl", null);
+                if (authorizationUrl != refreshedAuthorizationUrl)
+                {
+                    Trace.Error($"Credential authorizationUrl in refreshed config '{refreshedAuthorizationUrl ?? "Empty"}' does not match the current credential authorizationUrl '{authorizationUrl}'.");
+                    await ReportTelemetryAsync($"Credential authorizationUrl in refreshed config '{refreshedAuthorizationUrl ?? "Empty"}' does not match the current credential authorizationUrl '{authorizationUrl}'.");
+                    return;
+                }
             }
 
             // save the refreshed runner credentials as a separate file
diff --git a/src/Test/L0/Listener/BrokerMessageListenerL0.cs b/src/Test/L0/Listener/BrokerMessageListenerL0.cs
@@ -50,7 +50,7 @@ public async void CreatesSession()
                         tokenSource.Token))
                     .Returns(Task.FromResult(expectedSession));
 
-                _credMgr.Setup(x => x.LoadCredentials()).Returns(new VssCredentials());
+                _credMgr.Setup(x => x.LoadCredentials(It.IsAny<bool>())).Returns(new VssCredentials());
                 _store.Setup(x => x.GetCredentials()).Returns(new CredentialData() { Scheme = Constants.Configuration.OAuthAccessToken });
                 _store.Setup(x => x.GetMigratedCredentials()).Returns(default(CredentialData));
 
diff --git a/src/Test/L0/Listener/Configuration/RunnerCredentialL0.cs b/src/Test/L0/Listener/Configuration/RunnerCredentialL0.cs
@@ -1,14 +1,18 @@
-﻿using GitHub.Runner.Listener;
+﻿using System.Collections.Generic;
+using System.Security.Cryptography;
+using GitHub.Runner.Listener;
 using GitHub.Runner.Listener.Configuration;
 using GitHub.Services.Common;
 using GitHub.Services.OAuth;
+using Moq;
+using Xunit;
 
 namespace GitHub.Runner.Common.Tests.Listener.Configuration
 {
     public class TestRunnerCredential : CredentialProvider
     {
         public TestRunnerCredential() : base("TEST") { }
-        public override VssCredentials GetVssCredentials(IHostContext context)
+        public override VssCredentials GetVssCredentials(IHostContext context, bool allowAuthUrlV2)
         {
             Tracing trace = context.GetTrace("OuthAccessToken");
             trace.Info("GetVssCredentials()");
@@ -23,4 +27,85 @@ public override void EnsureCredential(IHostContext context, CommandSettings comm
         {
         }
     }
-}
+
+    public class OAuthCredentialTestsL0
+    {
+        private Mock<IRSAKeyManager> _rsaKeyManager = new Mock<IRSAKeyManager>();
+
+        [Fact]
+        [Trait("Level", "L0")]
+        [Trait("Category", "OAuthCredential")]
+        public void NotUseAuthV2Url()
+        {
+            using (TestHostContext hc = new(this))
+            {
+                // Arrange.
+                var oauth = new OAuthCredential();
+                oauth.CredentialData = new CredentialData()
+                {
+                    Scheme = Constants.Configuration.OAuth
+                };
+                oauth.CredentialData.Data.Add("clientId", "someClientId");
+                oauth.CredentialData.Data.Add("authorizationUrl", "http://myserver/");
+                oauth.CredentialData.Data.Add("authorizationUrlV2", "http://myserverv2/");
+
+                _rsaKeyManager.Setup(x => x.GetKey()).Returns(RSA.Create(2048));
+                hc.SetSingleton<IRSAKeyManager>(_rsaKeyManager.Object);
+
+                // Act.
+                var cred = oauth.GetVssCredentials(hc, false); // not allow auth v2
+
+                var cred2 = oauth.GetVssCredentials(hc, true); // use auth v2 but hostcontext doesn't
+
+                hc.EnableAuthMigration("L0Test");
+                var cred3 = oauth.GetVssCredentials(hc, false); // not use auth v2 but hostcontext does
+
+                oauth.CredentialData.Data.Remove("authorizationUrlV2");
+                var cred4 = oauth.GetVssCredentials(hc, true); // v2 url is not there
+
+                // Assert.
+                Assert.Equal("http://myserver/", (cred.Federated as VssOAuthCredential).AuthorizationUrl.AbsoluteUri);
+                Assert.Equal("someClientId", (cred.Federated as VssOAuthCredential).ClientCredential.ClientId);
+
+                Assert.Equal("http://myserver/", (cred2.Federated as VssOAuthCredential).AuthorizationUrl.AbsoluteUri);
+                Assert.Equal("someClientId", (cred2.Federated as VssOAuthCredential).ClientCredential.ClientId);
+
+                Assert.Equal("http://myserver/", (cred3.Federated as VssOAuthCredential).AuthorizationUrl.AbsoluteUri);
+                Assert.Equal("someClientId", (cred3.Federated as VssOAuthCredential).ClientCredential.ClientId);
+
+                Assert.Equal("http://myserver/", (cred4.Federated as VssOAuthCredential).AuthorizationUrl.AbsoluteUri);
+                Assert.Equal("someClientId", (cred4.Federated as VssOAuthCredential).ClientCredential.ClientId);
+            }
+        }
+
+        [Fact]
+        [Trait("Level", "L0")]
+        [Trait("Category", "OAuthCredential")]
+        public void UseAuthV2Url()
+        {
+            using (TestHostContext hc = new(this))
+            {
+                // Arrange.
+                var oauth = new OAuthCredential();
+                oauth.CredentialData = new CredentialData()
+                {
+                    Scheme = Constants.Configuration.OAuth
+                };
+                oauth.CredentialData.Data.Add("clientId", "someClientId");
+                oauth.CredentialData.Data.Add("authorizationUrl", "http://myserver/");
+                oauth.CredentialData.Data.Add("authorizationUrlV2", "http://myserverv2/");
+
+                _rsaKeyManager.Setup(x => x.GetKey()).Returns(RSA.Create(2048));
+                hc.SetSingleton<IRSAKeyManager>(_rsaKeyManager.Object);
+
+                // Act.
+                hc.EnableAuthMigration("L0Test");
+                var cred = oauth.GetVssCredentials(hc, true);
+
+                // Assert.
+                Assert.Equal("http://myserverv2/", (cred.Federated as VssOAuthCredential).AuthorizationUrl.AbsoluteUri);
+                Assert.Equal("someClientId", (cred.Federated as VssOAuthCredential).ClientCredential.ClientId);
+            }
+        }
+    }
+}
diff --git a/src/Test/L0/Listener/MessageListenerL0.cs b/src/Test/L0/Listener/MessageListenerL0.cs
@@ -67,7 +67,7 @@ public async void CreatesSession()
                         tokenSource.Token))
                     .Returns(Task.FromResult(expectedSession));
 
-                _credMgr.Setup(x => x.LoadCredentials()).Returns(new VssCredentials());
+                _credMgr.Setup(x => x.LoadCredentials(It.IsAny<bool>())).Returns(new VssCredentials());
                 _store.Setup(x => x.GetCredentials()).Returns(new CredentialData() { Scheme = Constants.Configuration.OAuthAccessToken });
                 _store.Setup(x => x.GetMigratedCredentials()).Returns(default(CredentialData));
 
@@ -127,7 +127,7 @@ public async void CreatesSessionWithBrokerMigration()
                         tokenSource.Token))
                     .Returns(Task.FromResult(expectedBrokerSession));
 
-                _credMgr.Setup(x => x.LoadCredentials()).Returns(new VssCredentials());
+                _credMgr.Setup(x => x.LoadCredentials(It.IsAny<bool>())).Returns(new VssCredentials());
                 _store.Setup(x => x.GetCredentials()).Returns(new CredentialData() { Scheme = Constants.Configuration.OAuthAccessToken });
                 _store.Setup(x => x.GetMigratedCredentials()).Returns(default(CredentialData));
 
@@ -177,7 +177,7 @@ public async void DeleteSession()
                         tokenSource.Token))
                     .Returns(Task.FromResult(expectedSession));
 
-                _credMgr.Setup(x => x.LoadCredentials()).Returns(new VssCredentials());
+                _credMgr.Setup(x => x.LoadCredentials(It.IsAny<bool>())).Returns(new VssCredentials());
                 _store.Setup(x => x.GetCredentials()).Returns(new CredentialData() { Scheme = Constants.Configuration.OAuthAccessToken });
                 _store.Setup(x => x.GetMigratedCredentials()).Returns(default(CredentialData));
 
@@ -237,7 +237,7 @@ public async void DeleteSessionWithBrokerMigration()
                         tokenSource.Token))
                     .Returns(Task.FromResult(expectedBrokerSession));
 
-                _credMgr.Setup(x => x.LoadCredentials()).Returns(new VssCredentials());
+                _credMgr.Setup(x => x.LoadCredentials(It.IsAny<bool>())).Returns(new VssCredentials());
                 _store.Setup(x => x.GetCredentials()).Returns(new CredentialData() { Scheme = Constants.Configuration.OAuthAccessToken });
                 _store.Setup(x => x.GetMigratedCredentials()).Returns(default(CredentialData));
 
@@ -301,7 +301,7 @@ public async void GetNextMessage()
                         tokenSource.Token))
                     .Returns(Task.FromResult(expectedSession));
 
-                _credMgr.Setup(x => x.LoadCredentials()).Returns(new VssCredentials());
+                _credMgr.Setup(x => x.LoadCredentials(It.IsAny<bool>())).Returns(new VssCredentials());
                 _store.Setup(x => x.GetCredentials()).Returns(new CredentialData() { Scheme = Constants.Configuration.OAuthAccessToken });
                 _store.Setup(x => x.GetMigratedCredentials()).Returns(default(CredentialData));
 
@@ -382,7 +382,7 @@ public async void GetNextMessageWithBrokerMigration()
                         tokenSource.Token))
                     .Returns(Task.FromResult(expectedSession));
 
-                _credMgr.Setup(x => x.LoadCredentials()).Returns(new VssCredentials());
+                _credMgr.Setup(x => x.LoadCredentials(It.IsAny<bool>())).Returns(new VssCredentials());
                 _store.Setup(x => x.GetCredentials()).Returns(new CredentialData() { Scheme = Constants.Configuration.OAuthAccessToken });
                 _store.Setup(x => x.GetMigratedCredentials()).Returns(default(CredentialData));
 
@@ -484,7 +484,7 @@ public async void CreateSessionWithOriginalCredential()
                         tokenSource.Token))
                     .Returns(Task.FromResult(expectedSession));
 
-                _credMgr.Setup(x => x.LoadCredentials()).Returns(new VssCredentials());
+                _credMgr.Setup(x => x.LoadCredentials(It.IsAny<bool>())).Returns(new VssCredentials());
 
                 var originalCred = new CredentialData() { Scheme = Constants.Configuration.OAuth };
                 originalCred.Data["authorizationUrl"] = "https://s.server";
@@ -533,7 +533,7 @@ public async void SkipDeleteSession_WhenGetNextMessageGetTaskAgentAccessTokenExp
                         tokenSource.Token))
                     .Returns(Task.FromResult(expectedSession));
 
-                _credMgr.Setup(x => x.LoadCredentials()).Returns(new VssCredentials());
+                _credMgr.Setup(x => x.LoadCredentials(It.IsAny<bool>())).Returns(new VssCredentials());
                 _store.Setup(x => x.GetCredentials()).Returns(new CredentialData() { Scheme = Constants.Configuration.OAuthAccessToken });
                 _store.Setup(x => x.GetMigratedCredentials()).Returns(default(CredentialData));
 
diff --git a/src/Test/L0/Listener/RunnerConfigUpdaterTests.cs b/src/Test/L0/Listener/RunnerConfigUpdaterTests.cs

Original file line number	Diff line number	Diff line change
`@@ -65,7 +65,7 @@ public async Task<CreateSessionResult> CreateSessionAsync(CancellationToken toke`
`65`	`65`
`66`	`66`	`// Create connection.`
`67`	`67`	`Trace.Info("Loading Credentials");`
`68`		`- _creds = _credMgr.LoadCredentials();`
	`68`	`+ _creds = _credMgr.LoadCredentials(allowAuthUrlV2: false);`
`69`	`69`
`70`	`70`	`var agent = new TaskAgentReference`
`71`	`71`	`{`
`@@ -434,7 +434,7 @@ ex is AccessDeniedException \|\|`
`434`	`434`	`private async Task RefreshBrokerConnectionAsync()`
`435`	`435`	`{`
`436`	`436`	`Trace.Info("Reload credentials.");`
`437`		`- _creds = _credMgr.LoadCredentials();`
	`437`	+ _creds = _credMgr.LoadCredentials(allowAuthUrlV2: false); // TODO: change to `true` in the next PR.
`438`	`438`	`await _brokerServer.ConnectAsync(new Uri(_settings.ServerUrlV2), _creds);`
`439`	`439`	`Trace.Info("Connection to Broker Server recreated.");`
`440`	`440`	`}`
Original file line number	Diff line number	Diff line change
`@@ -127,7 +127,7 @@ public async Task ConfigureAsync(CommandSettings command)`
`127`	`127`	`runnerSettings.ServerUrl = inputUrl;`
`128`	`128`	`// Get the credentials`
`129`	`129`	`credProvider = GetCredentialProvider(command, runnerSettings.ServerUrl);`
`130`		`- creds = credProvider.GetVssCredentials(HostContext);`
	`130`	`+ creds = credProvider.GetVssCredentials(HostContext, allowAuthUrlV2: false);`
`131`	`131`	`Trace.Info("legacy vss cred retrieved");`
`132`	`132`	`}`
`133`	`133`	`else`
`@@ -384,7 +384,7 @@ public async Task ConfigureAsync(CommandSettings command)`
`384`	`384`	`if (!runnerSettings.UseV2Flow)`
`385`	`385`	`{`
`386`	`386`	`var credMgr = HostContext.GetService<ICredentialManager>();`
`387`		`- VssCredentials credential = credMgr.LoadCredentials();`
	`387`	`+ VssCredentials credential = credMgr.LoadCredentials(allowAuthUrlV2: false);`
`388`	`388`	`try`
`389`	`389`	`{`
`390`	`390`	`await _runnerServer.ConnectAsync(new Uri(runnerSettings.ServerUrl), credential);`
`@@ -519,7 +519,7 @@ public async Task UnconfigureAsync(CommandSettings command)`
`519`	`519`	`if (string.IsNullOrEmpty(settings.GitHubUrl))`
`520`	`520`	`{`
`521`	`521`	`var credProvider = GetCredentialProvider(command, settings.ServerUrl);`
`522`		`- creds = credProvider.GetVssCredentials(HostContext);`
	`522`	`+ creds = credProvider.GetVssCredentials(HostContext, allowAuthUrlV2: false);`
`523`	`523`	`Trace.Info("legacy vss cred retrieved");`
`524`	`524`	`}`
`525`	`525`	`else`
Original file line number	Diff line number	Diff line change
`@@ -13,7 +13,7 @@ namespace GitHub.Runner.Listener.Configuration`
`13`	`13`	`public interface ICredentialManager : IRunnerService`
`14`	`14`	`{`
`15`	`15`	`ICredentialProvider GetCredentialProvider(string credType);`
`16`		`- VssCredentials LoadCredentials();`
	`16`	`+ VssCredentials LoadCredentials(bool allowAuthUrlV2);`
`17`	`17`	`}`
`18`	`18`
`19`	`19`	`public class CredentialManager : RunnerService, ICredentialManager`
`@@ -40,7 +40,7 @@ public ICredentialProvider GetCredentialProvider(string credType)`
`40`	`40`	`return creds;`
`41`	`41`	`}`
`42`	`42`
`43`		`- public VssCredentials LoadCredentials()`
	`43`	`+ public VssCredentials LoadCredentials(bool allowAuthUrlV2)`
`44`	`44`	`{`
`45`	`45`	`IConfigurationStore store = HostContext.GetService<IConfigurationStore>();`
`46`	`46`
`@@ -51,21 +51,16 @@ public VssCredentials LoadCredentials()`
`51`	`51`
`52`	`52`	`CredentialData credData = store.GetCredentials();`
`53`	`53`	`var migratedCred = store.GetMigratedCredentials();`
`54`		`- if (migratedCred != null)`
	`54`	`+ if (migratedCred != null &&`
	`55`	`+ migratedCred.Scheme == Constants.Configuration.OAuth)`
`55`	`56`	`{`
`56`	`57`	`credData = migratedCred;`
`57`		`-`
`58`		`- // Re-write .credentials with Token URL`
`59`		`- store.SaveCredential(credData);`
`60`		`-`
`61`		`- // Delete .credentials_migrated`
`62`		`- store.DeleteMigratedCredential();`
`63`	`58`	`}`
`64`	`59`
`65`	`60`	`ICredentialProvider credProv = GetCredentialProvider(credData.Scheme);`
`66`	`61`	`credProv.CredentialData = credData;`
`67`	`62`
`68`		`- VssCredentials creds = credProv.GetVssCredentials(HostContext);`
	`63`	`+ VssCredentials creds = credProv.GetVssCredentials(HostContext, allowAuthUrlV2);`
`69`	`64`
`70`	`65`	`return creds;`
`71`	`66`	`}`
Original file line number	Diff line number	Diff line change
`@@ -1,7 +1,7 @@`
`1`	`1`	`using System;`
`2`		`-using GitHub.Services.Common;`
`3`	`2`	`using GitHub.Runner.Common;`
`4`	`3`	`using GitHub.Runner.Sdk;`
	`4`	`+using GitHub.Services.Common;`
`5`	`5`	`using GitHub.Services.OAuth;`
`6`	`6`
`7`	`7`	`namespace GitHub.Runner.Listener.Configuration`
`@@ -10,7 +10,7 @@ public interface ICredentialProvider`
`10`	`10`	`{`
`11`	`11`	`Boolean RequireInteractive { get; }`
`12`	`12`	`CredentialData CredentialData { get; set; }`
`13`		`- VssCredentials GetVssCredentials(IHostContext context);`
	`13`	`+ VssCredentials GetVssCredentials(IHostContext context, bool allowAuthUrlV2);`
`14`	`14`	`void EnsureCredential(IHostContext context, CommandSettings command, string serverUrl);`
`15`	`15`	`}`
`16`	`16`
`@@ -25,15 +25,15 @@ public CredentialProvider(string scheme)`
`25`	`25`	`public virtual Boolean RequireInteractive => false;`
`26`	`26`	`public CredentialData CredentialData { get; set; }`
`27`	`27`
`28`		`- public abstract VssCredentials GetVssCredentials(IHostContext context);`
	`28`	`+ public abstract VssCredentials GetVssCredentials(IHostContext context, bool allowAuthUrlV2);`
`29`	`29`	`public abstract void EnsureCredential(IHostContext context, CommandSettings command, string serverUrl);`
`30`	`30`	`}`
`31`	`31`
`32`	`32`	`public sealed class OAuthAccessTokenCredential : CredentialProvider`
`33`	`33`	`{`
`34`	`34`	`public OAuthAccessTokenCredential() : base(Constants.Configuration.OAuthAccessToken) { }`
`35`	`35`
`36`		`- public override VssCredentials GetVssCredentials(IHostContext context)`
	`36`	`+ public override VssCredentials GetVssCredentials(IHostContext context, bool allowAuthUrlV2)`
`37`	`37`	`{`
`38`	`38`	`ArgUtil.NotNull(context, nameof(context));`
`39`	`39`	`Tracing trace = context.GetTrace(nameof(OAuthAccessTokenCredential));`
Original file line number	Diff line number	Diff line change
`@@ -80,7 +80,7 @@ public async Task<CreateSessionResult> CreateSessionAsync(CancellationToken toke`
`80`	`80`
`81`	`81`	`// Create connection.`
`82`	`82`	`Trace.Info("Loading Credentials");`
`83`		`- _creds = _credMgr.LoadCredentials();`
	`83`	`+ _creds = _credMgr.LoadCredentials(allowAuthUrlV2: false);`
`84`	`84`
`85`	`85`	`var agent = new TaskAgentReference`
`86`	`86`	`{`
`@@ -415,6 +415,7 @@ public async Task DeleteMessageAsync(TaskAgentMessage message)`
`415`	`415`	`public async Task RefreshListenerTokenAsync()`
`416`	`416`	`{`
`417`	`417`	`await _runnerServer.RefreshConnectionAsync(RunnerConnectionType.MessageQueue, TimeSpan.FromSeconds(60));`
	`418`	+ _creds = _credMgr.LoadCredentials(allowAuthUrlV2: false); // TODO: change to `true` in next PR
`418`	`419`	`await _brokerServer.ForceRefreshConnection(_creds);`
`419`	`420`	`}`
`420`	`421`
Original file line number	Diff line number	Diff line change
`@@ -570,7 +570,7 @@ private async Task<int> RunAsync(RunnerSettings settings, bool runOnce = false)`
`570`	`570`
`571`	`571`	`// Create connection`
`572`	`572`	`var credMgr = HostContext.GetService<ICredentialManager>();`
`573`		`- var creds = credMgr.LoadCredentials();`
	`573`	`+ var creds = credMgr.LoadCredentials(allowAuthUrlV2: false);`
`574`	`574`
`575`	`575`	`if (string.IsNullOrEmpty(messageRef.RunServiceUrl))`
`576`	`576`	`{`