Details
-
Type:
Bug
-
Status: In Review (View Workflow)
-
Priority:
Major
-
Resolution: Unresolved
-
Component/s: blueocean-plugin
-
Labels:
-
Similar Issues:
-
Sprint:Blue Ocean - Candidates, Blue Ocean 1.6 - beta 2
Description
I am attempting to link a github repository from my company to Blue Ocean. Note that I have my personal github and repositories for the company I work for (see blueocean hang.png). When I get to the "Which organization does the repository belong to", if I just click my personal one it shows all my repositories with no problem. If I select my work organization, it hangs on the next step (see blueocean hang.png screenshot). I've attached the jenkins.log file which shows the following error: "Github accessToken does not have required scopes. Expected scopes 'user:email, repo'"
But if you look at the blueocean github token.png, you'll see the appropriate scope is set. Also I have no problem if I select my personal "organization".
Any help would be much appreciated.
Attachments
Activity
Thank you this is very helpful. The curl request you was successful and returned my profile info. I then tried the repo list api via curl:
curl -v -H 'Authorization: token XXX' https://api.github.com/orgs/my_employer/repos
This is where I get a 403 error and the following JSON:
{
"message": "Resource protected by organization SAML enforcement. You must grant your personal token access to this organization.",
"documentation_url": "https://help.github.com/articles/authorizing-a-personal-access-token-for-use-with-a-saml-single-sign-on-organization"
}
This was my mistake - we use federated authentication and I hadn't granted access to the org via the SSO button in github. After granting that authorization, everything worked just fine. This is obviously a user error, but a more useful error message would be helpful. I am happy to contribute this bug fix. Where should I implement the error checking? Is it githubscm::connect?
Thank you, Alex.
Alex Kravetz
added a comment - Vivek Pandey ,
Thank you this is very helpful. The curl request you was successful and returned my profile info. I then tried the repo list api via curl:
curl -v -H 'Authorization: token XXX' https: //api.github.com/orgs/my_employer/repos
This is where I get a 403 error and the following JSON:
{
"message" : "Resource protected by organization SAML enforcement. You must grant your personal token access to this organization." ,
"documentation_url" : "https: //help.github.com/articles/authorizing-a-personal-access-token- for -use-with-a-saml-single-sign-on-organization"
}
This was my mistake - we use federated authentication and I hadn't granted access to the org via the SSO button in github. After granting that authorization, everything worked just fine. This is obviously a user error, but a more useful error message would be helpful. I am happy to contribute this bug fix. Where should I implement the error checking? Is it githubscm::connect?
Thank you, Alex. Alex Kravetz Thanks for providing logs/har file. It helped me understand whats going on. There is 403 error reported by github during access token validation. We call:
curl -v -H 'Authorization: token XXXXX' https://api.github.com/user
Reported error:
Caused by: io.jenkins.blueocean.commons.ServiceException$PreconditionRequired: Github accessToken does not have required scopes. Expected scopes 'user:email, repo'
at io.jenkins.blueocean.blueocean_github_pipeline.GithubScm.connect(GithubScm.java:307)
at io.jenkins.blueocean.blueocean_github_pipeline.GithubRepositories.<init>(GithubRepositories.java:62)
at io.jenkins.blueocean.blueocean_github_pipeline.GithubRespositoryContainer.getRepositories(GithubRespositoryContainer.java:46)
at io.jenkins.blueocean.commons.stapler.export.MethodProperty.getValue(MethodProperty.java:72)
For some reason, github reporting 403. Is it possible there is mix of access token?
Can you Try the above curl with the access token you entered when you created github pipeline in blueocean for the first time? To be sure, you can delete the existing credential tied to github access token (credential id 'github') and try creating new pipeline and entered the access token with right github scope. You can delete github credential generated by blueocean by clicking on your username on top right side then click on Credentials and look for 'github' credential.
BTW, the hang in UI is because UI not able to handle error condition. Its expecting repoData.repositories to be always non-null (TypeError: Cannot read property 'items' of undefined): https://github.com/jenkinsci/blueocean-plugin/blob/e8cc816f2e8ce3b8a1718c41297df3cca0b9970f/blueocean-dashboard/src/main/js/creation/github/GithubFlowManager.js#L244.
The bug seems to have a bug where it returns 200 when the exception thrown is 403: https://github.com/jenkinsci/blueocean-plugin/blob/4201a1ac9675e6ecf752c83e449d46682d386b34/blueocean-github-pipeline/src/main/java/io/jenkins/blueocean/blueocean_github_pipeline/GithubScm.java#L307.
HAR attached: har.txt
From the browser console:
blueocean-core-js.js:2963 Browser configuration of @jenkins-cd/logging is explained at https://tfennelly.github.io/jenkins-js-logging/index.html#browser-config
jenkins-js-extension.js:117367 TypeError: Cannot read property 'items' of undefined
at GithubFlowManager._updateRepositories (jenkins-js-extension.js:117384)
at executeAction (jenkins-js-extension.js:57770)
at GithubFlowManager.res (jenkins-js-extension.js:57742)
at jenkins-js-extension.js:117365
at <anonymous>
Alex Kravetz
added a comment - HAR attached: har.txt
From the browser console:
blueocean-core-js.js:2963 Browser configuration of @jenkins-cd/logging is explained at https://tfennelly.github.io/jenkins-js-logging/index.html#browser-config
jenkins-js-extension.js:117367 TypeError: Cannot read property 'items' of undefined
at GithubFlowManager._updateRepositories (jenkins-js-extension.js:117384)
at executeAction (jenkins-js-extension.js:57770)
at GithubFlowManager.res (jenkins-js-extension.js:57742)
at jenkins-js-extension.js:117365
at <anonymous> Can you check browser console for any error? It will also help debug if you can include HAR file. If there are sensitive info then send it directly to me: vpandey at cloudbees.com.
Alex Kravetz,
Glad you found the problem.
> I am happy to contribute this bug fix.
That will be awesome.
> Where should I implement the error checking? Is it githubscm::connect?
Code at https://github.com/jenkinsci/blueocean-plugin/blob/4201a1ac9675e6ecf752c83e449d46682d386b34/blueocean-github-pipeline/src/main/java/io/jenkins/blueocean/blueocean_github_pipeline/GithubScm.java#L307 sends back 428 (precondition required) when 403 error is received. The generic message `Github accessToken does not have required scopes. Expected scopes 'user:email, repo'` is unclear given it could be github enterprise integrated with different auth systems, like SAML in your case. Please open a PR with your fix, it will be great to get your contribution!
As mentioned in my previous comment, front end code throws error in the absence of repoData.repositories field. It should do it only if its 200 response.