-
Bug
-
Resolution: Fixed
-
Minor
-
None
We store Github access key after successful login so that the user can reuse their access token for Organization Folders, Multibranch Pipeline, etc
- is related to
-
JENKINS-34649 Get ssh public keys from github as well
-
- Open
-
[JENKINS-40204] Store Github access key after successful login
tuomas_kiviaho
added a comment - Is it possible to utilize this property in the declarative pipeline as well because I'd really like to pass the token as password to https://github.com/larscheid-schmitzhermes/nexus3-github-oauth-plugin perhaps via https://jenkins.io/doc/pipeline/steps/credentials-binding/
tuomas_kiviaho
added a comment - Is it possible to utilize this property in the declarative pipeline as well because I'd really like to pass the token as password to https://github.com/larscheid-schmitzhermes/nexus3-github-oauth-plugin perhaps via https://jenkins.io/doc/pipeline/steps/credentials-binding/ Yes, it is possible. However, you would have to surface this functionality as a global shared pipeline step. That's because accessing this would require admin/script privileges from the Jenkins runtime.
You would not be able to use the credentials binding step. You'd probably have to use an ENV wrapper with a mask passwords wrapper. Something akin to the following:
Sam Gleske
added a comment - - edited Yes, it is possible. However, you would have to surface this functionality as a global shared pipeline step. That's because accessing this would require admin/script privileges from the Jenkins runtime.
You would not be able to use the credentials binding step. You'd probably have to use an ENV wrapper with a mask passwords wrapper. Something akin to the following:
https://github.com/samrocketman/jervis/blob/09407f80498057b309bcc3c1101a798b6d553127/vars/buildViaJervis.groovy#L114-L118 tuomas_kiviaho
added a comment - Thanks for the info,
I am trying to avoid this kind of scripting altogether by sticking with multibranch pipeline plugin with declarative Jenkinsfile coming from single config file. The credentials approach would have handled the password masking etc. out-of-the-box on my behalf and much more which I state below.
I was also hoping that this approach could have given an alternative for github-plugin personal access tokens. I don't like to be creating a github bot account and hence I'm still using git-plugin and maintaining manually SSH creds. for each job/repo but using the same OAuth access tokens used for authentication would have been indeed made it possible to shift away from this and also given better auditing over who is doing what. Creation of the repo level webhooks automatically using OAuth app. access token would have become also possibility not to mention passing of the access token forward as maven repository password.
I've been tracking https://issues.jenkins-ci.org/browse/JENKINS-38963 (Stephen Connoly's option 1 with AuthorizedProject. Parameters are not what I'm after) for user-scope "Run as the user who triggered the build" credentials and I would really like to see still this addition to somehow evolve into that direction but my knowledge of Jenkins is too limited to be of any help whatsoever.
Is this hope security wise a lost cause or shall I create an issue here or to some other plugin for this?
tuomas_kiviaho
added a comment - Thanks for the info,
I am trying to avoid this kind of scripting altogether by sticking with multibranch pipeline plugin with declarative Jenkinsfile coming from single config file. The credentials approach would have handled the password masking etc. out-of-the-box on my behalf and much more which I state below.
I was also hoping that this approach could have given an alternative for github-plugin personal access tokens. I don't like to be creating a github bot account and hence I'm still using git-plugin and maintaining manually SSH creds. for each job/repo but using the same OAuth access tokens used for authentication would have been indeed made it possible to shift away from this and also given better auditing over who is doing what. Creation of the repo level webhooks automatically using OAuth app. access token would have become also possibility not to mention passing of the access token forward as maven repository password.
I've been tracking https://issues.jenkins-ci.org/browse/JENKINS-38963 (Stephen Connoly's option 1 with AuthorizedProject. Parameters are not what I'm after) for user-scope "Run as the user who triggered the build" credentials and I would really like to see still this addition to somehow evolve into that direction but my knowledge of Jenkins is too limited to be of any help whatsoever.
Is this hope security wise a lost cause or shall I create an issue here or to some other plugin for this? Sam Gleske
added a comment - You're welcome to create issues for your needs. I tend to not close issues unless they're either resolved, duplicate, or invalid. I don't normally close feature requests just in case someone contributes them. I mostly manage and quality test upgrades to ensure new releases don't break existing Jenkins installations.
Sam Gleske
added a comment - You're welcome to create issues for your needs. I tend to not close issues unless they're either resolved, duplicate, or invalid. I don't normally close feature requests just in case someone contributes them. I mostly manage and quality test upgrades to ensure new releases don't break existing Jenkins installations.
This issue has been resolved by merging https://github.com/jenkinsci/github-oauth-plugin/pull/87. The GitHub API token granted by user consent to the OAuth app is now stored as a user property.
Example usage in the script console: