A keyring backend in pure python that authenticates to Azure DevOps package feeds using browser-based OAuth2 with PKCE.
Once installed, keyring automatically discovers ado-keyring as a backend. Any tool that uses keyring, such as uv for alternative indexes, will trigger browser auth when accessing Azure DevOps feeds.
uv tool install keyring --with ado-keyring- Browser-based OAuth2 + PKCE — secure, no secrets stored in config files
- Persistent token cache — avoids repeated browser prompts (
~/.ado-keyring/) - Automatic token refresh — uses refresh tokens to silently renew access
- Per-org session tokens — supports multiple Azure DevOps organizations
- WSL-aware — opens the Windows browser from WSL via
cmd.exe - No .NET dependency — pure Python, unlike
artifacts-keyring
just installtdnf install -y python3 python3-pip
python3 -m pip install uv
echo 'export PATH="$HOME/.local/bin:$PATH"' >> ~/.bashrc && source ~/.bashrc
uv tool install rust-just
just install- Binds a localhost callback server on a random port
- Opens the browser to Azure AD's OAuth2 authorize endpoint (PKCE,
select_accountprompt) - Receives the authorization code via redirect
- Exchanges the code for access + refresh tokens
- Exchanges the access token for a
VssSessionTokenscoped tovso.packaging - Caches all tokens to
~/.ado-keyring/token-cache.json(file:0600, dir:0700) - On subsequent calls, uses cached session tokens or silently refreshes via the refresh token