Get Nuget credentials stored somewhere by Visual Studio in a VSIX project
I'm already using the IVsPackageInstaller service as documented here but this is limited and I need more features (for example get the latest version number of a given package).
I searched but didn't find anything on how to programmatically interact with the Visual Studio Package Manager so I decided to go for the Nuget API directly.
I send HTTP requests to the Nuget API using the WebRequest class (because we can't use HttpClient in a VSIX project) but I'm hitting a problem: the requests are going to a private Nuget feed that needs authentication! (hosted on Azure DevOps)
I used Fiddler to check the HTTP requests sent to our Azure DevOps server. I see a POST request going to https://app.vssps.visualstudio.com/_apis/Token/SessionTokens with a token in response but this is not the token I'm looking for.
The token passed to the Nuget API is a Basic token that comes from I don't know where. I couldn't find this token anywhere in the HTTP responses I caught.
I can also see that some responses to our Azure DevOps server contain some headers like this (I changed the GUID):
WWW-Authenticate: Bearer authorization_uri=https://login.windows.net/ce372fcc-5e17-490b-ad99-47565dac8a84
I can find this GUID back in the %userprofile%\AppData\Local\.IdentityService\AccountStore.json file, there is definitely something going on here. And the SessionTokens.json file in the same folder looks reeeaaally interesting too but it's encrypted…
I also tried to dig in the registry to see if I can find interesting data, for example at the path specified in Simon's comment, but it seems VS2017 doesn't store the token there anymore.
I also loaded the privateregistry.bin file (aka the Visual Studio Settings Store) and searched everywhere but couldn't find anything.
So instead of trying to reverse engineer Visual Studio I wanted to access its Credential Provider directly. I tried to access several services and classes:
    var componentModel = await ServiceProvider.GetGlobalServiceAsync(typeof(SComponentModel)) as IComponentModel;
    var credentialProvider = componentModel.GetService();
    var credentialServiceProvider = componentModel.GetService();
    var defaultCredentialServiceProvider = new DefaultVSCredentialServiceProvider();
But none of them are working (return nothing or exception).
I wandered in the NuGet.PackageManagement.VisualStudio project on GitHub but couldn't find my answer.
There are also many Nuget packages like Microsoft.VisualStudio.Services.InteractiveClient just to name a few but honestly I don't know if what I'm looking for is there…
So how to access the Nuget credentials used by Visual Studio?
I take any solution that gives me access to all the read Nuget features, for instance programmatically use the Visual Studio Package Management, or decrypt this SessionTokens.json file or access the Visual Studio Credential Provider.
The less hacky is the answer, the better it is of course.
At this point you probably already guessed, I don't want to store the password somewhere myself. I need to create a user-friendly VS extension, that's why I want to retrieve and use the credentials already saved in Visual Studio by the users.
Thank you so much if you can solve this problem.