Details
-
Type:
New Feature
-
Status: Closed (View Workflow)
-
Priority:
Minor
-
Resolution: Not A Defect
-
Component/s: github-api-plugin, github-branch-source-plugin, github-plugin
-
Labels:None
-
Similar Issues:
Description
You recently used a password to access an endpoint through the GitHub API using okhttp/2.7.5. We will deprecate basic authentication using password to this endpoint soon:
https://api.github.com/repositories/155774655
We recommend using a personal access token (PAT) with the appropriate scope to access this endpoint instead. Visit https://github.com/settings/tokens for more information.
This might be just something that admins need to deal w/, but it would be helpful if there was a migration page explaining what to do from the jenkins side.
(it isn't particularly obvious to me)
Attachments
Issue Links
- relates to
-
-
- Resolved
-
Activity
You can certainly use a PAT, but note that JENKINS-57351 was released which allows github-branch-source to use App authentication. Not currently available for non-multibranch use cases, though it has been proposed to push this code down into the github-api library.
Jesse Glick: I don't think using a PAT is an option right now unless I've missed something? I'm trying to configure the plugin using a user that requires 2FA and as a result my only option is to use a Personal Access Token but it's not working.
I get the following in Jenkins when I do so:
At first, I thought that it was an issue with my token, so I tried the following:
$ curl 'https://{username}:{personal_access_token}@api.github.com/user' { "login": "{username}", ... }
Since this worked as expected, I was confused... Then I stumbled upon this issue and tried my curl request by setting the header like the code described in the previous comments/screenshots :
$ curl -H 'Authorization: Basic {base64("{username}:{personal_access_token}")}' 'https://api.github.com/user' { "message": "Bad credentials", "documentation_url": "https://developer.github.com/v3" }
I don't have a non-2fa GitHub account to check with, but I'm assuming that using a personal access token in a Basic Authorisation header is no longer supported by GitHub? Unless I'm missing something?
It does seem a bit odd assuming that it worked previously as it doesn't line up with GitHub's stated deprecation dates. Unless a PAT never worked? I can confirm that using Authorization: token personal_access_token in curl works as expected, but I see no way of doing this in the plugin right now?
Liam Nichols
added a comment - - edited Jesse Glick : I don't think using a PAT is an option right now unless I've missed something? I'm trying to configure the plugin using a user that requires 2FA and as a result my only option is to use a Personal Access Token but it's not working.
I get the following in Jenkins when I do so:
At first, I thought that it was an issue with my token, so I tried the following:
$ curl 'https://{username}:{personal_access_token}@api.github.com/user'
{
"login" : "{username}" ,
...
}
Since this worked as expected, I was confused... Then I stumbled upon this issue and tried my curl request by setting the header like the code described in the previous comments/screenshots :
$ curl -H 'Authorization: Basic {base64( "{username}:{personal_access_token}" )}' 'https://api.github.com/user'
{
"message" : "Bad credentials" ,
"documentation_url" : "https://developer.github.com/v3"
}
I don't have a non-2fa GitHub account to check with, but I'm assuming that using a personal access token in a Basic Authorisation header is no longer supported by GitHub? Unless I'm missing something?
It does seem a bit odd assuming that it worked previously as it doesn't line up with GitHub's stated deprecation dates. Unless a PAT never worked? I can confirm that using Authorization: token personal_access_token in curl works as expected, but I see no way of doing this in the plugin right now? Liam Nichols A PAT should just work, no plugin changes, no tricks, with or without 2FA enabled for the account, now or in the past. I have no idea what is wrong in your case.
Yep my bad, my credential had some trailing whitespace that went unnoticed previously as it was being escaped in other use cases but this plugin didn't escape it. I corrected the credential and all works now
Liam Nichols
added a comment - Yep my bad, my credential had some trailing whitespace that went unnoticed previously as it was being escaped in other use cases but this plugin didn't escape it. I corrected the credential and all works now 
Github is removing all support for basic auth on Nov 13, 2020 (with service brownouts on Sep 30 and Oct 28)
https://developer.github.com/changes/2020-02-14-deprecating-password-auth/
I have been using an access token with the "Username with password" credential type, but I don't think this will continue to work, as the branch source plugin is still sending those credentials via basic auth:
https://github.com/jenkinsci/github-branch-source-plugin/blob/9d1f48ec47eb5d44f668936d0811a6715fcc6f35/src/main/java/org/jenkinsci/plugins/github_branch_source/Connector.java#L406
https://github.com/github-api/github-api/blob/5c9474d1c891121f11ce9c31b51d42216a8e416f/src/main/java/org/kohsuke/github/GitHubClient.java#L119-L123
Is the branch source plugin currently capable of sending the credentials via the HTTP Authorization header, or will this require a code change?