From 32de3309422512b0746cbcdd5d5a4ac3f0667e2b Mon Sep 17 00:00:00 2001
From: Mantavya Dhingra <mdhingra@microsoft.com>
Date: Wed, 3 Dec 2025 17:08:11 +0530
Subject: [PATCH] Update Tfs-client-credentials-issue

---
 powershell/VstsTaskSdk/ServerOMFunctions.ps1 | 20 +++++++++++++++++++-
 1 file changed, 19 insertions(+), 1 deletion(-)

diff --git a/powershell/VstsTaskSdk/ServerOMFunctions.ps1 b/powershell/VstsTaskSdk/ServerOMFunctions.ps1
index 6fd19ea13..029d31538 100644
--- a/powershell/VstsTaskSdk/ServerOMFunctions.ps1
+++ b/powershell/VstsTaskSdk/ServerOMFunctions.ps1
@@ -164,7 +164,23 @@ function Get-TfsClientCredentials {
         }
         [System.AppDomain]::CurrentDomain.add_AssemblyResolve($onAssemblyResolve)
 
-        # Validate the type can be found.
+        # Try to use VssClientCredentials first (ClientOM 14+), then fall back to TfsClientCredentials (legacy)
+        if ((Get-OMType -TypeName 'Microsoft.VisualStudio.Services.Client.VssClientCredentials' -OMKind 'WebApi' -OMDirectory $OMDirectory)) {
+            # Create the federated credential - try VssOAuthAccessTokenCredential first (ClientOM 16+), then VssOAuthCredential (ClientOM 14)
+            if ((Get-OMType -TypeName 'Microsoft.VisualStudio.Services.OAuth.VssOAuthAccessTokenCredential' -OMKind 'WebApi' -OMDirectory $OMDirectory)) {
+                $federatedCredential = New-Object Microsoft.VisualStudio.Services.OAuth.VssOAuthAccessTokenCredential([string]$endpoint.auth.parameters.AccessToken)
+            } else {
+                $null = Get-OMType -TypeName 'Microsoft.VisualStudio.Services.Client.VssOAuthCredential' -OMKind 'WebApi' -OMDirectory $OMDirectory -Require
+                $federatedCredential = New-Object Microsoft.VisualStudio.Services.Client.VssOAuthCredential([string]$endpoint.auth.parameters.AccessToken)
+            }
+            
+            # Create VssClientCredentials using (WindowsCredential, FederatedCredential) constructor
+            return New-Object Microsoft.VisualStudio.Services.Client.VssClientCredentials(
+                (New-Object Microsoft.VisualStudio.Services.Common.WindowsCredential($false)), # Do not use default credentials.
+                $federatedCredential)
+        }
+        
+        # Fall back to TfsClientCredentials (legacy)
         $null = Get-OMType -TypeName 'Microsoft.TeamFoundation.Client.TfsClientCredentials' -OMKind 'ExtendedClient' -OMDirectory $OMDirectory -Require
 
         # Construct the credentials.
@@ -621,6 +637,8 @@ function Get-OMType {
 
                     $dllPaths += [System.IO.Path]::Combine($OMDirectory, "$namespace.WebApi.dll")
                     $dllPaths += [System.IO.Path]::Combine($OMDirectory, "$namespace.dll")
+                    # Also check for Interactive.dll (VssClientCredentials moved here in ClientOM 16+)
+                    $dllPaths += [System.IO.Path]::Combine($OMDirectory, "$namespace.Interactive.dll")
                 }
             }
         }