• New Feature
    • Resolution: Unresolved
    • Minor
    • github-oauth-plugin
    • None
    • Jenkins-Version: 1.651.1
      github-api: 1.75
      github: 1.19.0
      github-oauth: 0.23

      Github has SSH public keys already.

      The Github OAuth plugin should fetch them from github and add them to user accounts automagically.

          [JENKINS-34649] Get ssh public keys from github as well

          Sam Gleske added a comment -

          This is a welcome idea. Contributions are welcome as well.


          Sam Gleske added a comment -

          After researching, it's not currently possible to have this without cached OAuth credentials. Jenkins needs to get authorities (e.g. GitHub organizations for a user) in order to determine authorization. GitHub does not support authentication using a public key. The only way this would be possible is if credentials were cached (and public keys fetched and cached) like JENKINS-40204.


          Christian Höltje added a comment -

          I didn't explain it well. Sorry.
          Let me try again:

          On login, fetch the public ssh keys stored in github (under https://github.com/settings/keys) and put them into the user's profile in Jenkins automatically (https://jenkins.example.com/user/USERNAME/).

          That shouldn't require any caching or anything. This is to facilitate using the `jenkins-cli.jar` and other things that talk to Jenkins via ssh.

          Sam Gleske added a comment - - edited

          Thanks for elaborating, Christian. However, my statement still remains. Even if we were to fetch SSH credentials per user and store them, authenticating to Jenkins CLI via SSH key does not preserve authorities (i.e. does not preserve GitHub organizations and teams as Jenkins groups for authorization). So basically, the only authority granted to the user would be `authenticated`.

          The GitHub organizations and teams of a user need to be cached as authorities (i.e. Jenkins groups) in Jenkins so that Jenkins CLI via public key auth works.

          As an aside, I've gotten Jenkins CLI to work using:

          • --username
          • --password

          https://github.com/jenkinsci/github-oauth-plugin/pull/77

          It needs someone other than me to code review it.


          Christian Höltje added a comment -

          Oh! I understand now.

          It also explains the permissions problem I was having with the Jenkins CLI when I discovered JENKINS-42421.

          That being said, there are other uses for the SSH public keys, including the Jenkins-hosted git server for the workflow pipeline, etc. So this may still be useful.

          Christian Höltje added a comment -

          I think getting and storing an OAuth token is desirable on login. This is how (for example) iPhone apps work.

          This could have other uses, such as using that token for Replays (instead of the Org token).

          Sam Gleske added a comment -

          This is now possible since JENKINS-47113 was resolved by merging https://github.com/jenkinsci/github-oauth-plugin/pull/87. Non-GitHub authorization is now possible since we store the GitHub API token users consent to granting the OAuth application. It is stored as a user property.

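The import step requested in this issue, as an added Python sketch that is not part of the thread or of the github-oauth-plugin code: it validates the keys in a GitHub keys response before merging them into a user's stored SSH public keys. It assumes Jenkins keeps those keys as authorized_keys-style text, one per line; the allow-list, function names and sample keys are constructed for the example.

```python
import base64
import json
import struct

# Key types accepted for import: an assumption of this example, not a Jenkins setting.
ALLOWED_TYPES = {"ssh-ed25519", "ssh-rsa", "ecdsa-sha2-nistp256"}

def embedded_type(blob: bytes) -> str:
    """Read the length-prefixed algorithm name that starts an SSH public key blob."""
    if len(blob) < 4:
        raise ValueError("blob too short")
    (n,) = struct.unpack(">I", blob[:4])
    if n == 0 or 4 + n > len(blob):
        raise ValueError("bad length prefix")
    return blob[4:4 + n].decode("ascii")

def valid_key(line: str) -> bool:
    """True if 'type base64' is well formed and the blob names the same type."""
    parts = line.split()
    if len(parts) != 2 or parts[0] not in ALLOWED_TYPES:
        return False
    try:
        return embedded_type(base64.b64decode(parts[1], validate=True)) == parts[0]
    except ValueError:  # covers bad base64 and non-ASCII type names
        return False

def merge_keys(existing: str, github_json: str) -> str:
    """Append validated, not-yet-present keys to authorized_keys-style text."""
    lines = [l.strip() for l in existing.splitlines() if l.strip()]
    seen = {" ".join(l.split()[:2]) for l in lines}
    for entry in json.loads(github_json):
        # Keep only 'type blob'; anything after it (comment, extra lines) is dropped.
        key = " ".join(str(entry.get("key", "")).split()[:2])
        if valid_key(key) and key not in seen:
            seen.add(key)
            lines.append(key)
    return "\n".join(lines)

def constructed_key(declared: str, embedded: str, fill: int) -> str:
    """Build a demo key line (constructed for this example, not a usable key)."""
    blob = struct.pack(">I", len(embedded)) + embedded.encode()
    blob += struct.pack(">I", 32) + bytes([fill]) * 32
    return declared + " " + base64.b64encode(blob).decode()

GOOD = constructed_key("ssh-ed25519", "ssh-ed25519", 1)
MISMATCH = constructed_key("ssh-ed25519", "ssh-rsa", 2)
# Constructed response in the shape of GitHub's "list public keys" JSON (id, key).
SAMPLE = json.dumps([{"id": 1, "key": GOOD}, {"id": 2, "key": MISMATCH},
                     {"id": 3, "key": "ssh-dss AAAA"}, {"id": 4, "key": GOOD + "\nssh-ed25519 AAAA"}])
```

Of the four sample entries only the first is imported: the second declares one type but embeds another, the third is outside the allow-list, and the fourth collapses to a duplicate once its injected second line is dropped.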

            sag47 Sam Gleske
            docwhat Christian Höltje