Uploaded image for project: 'Jenkins'
  1. Jenkins
  2. JENKINS-60480

github is deprecating basic authentication using password

      You recently used a password to access an endpoint through the GitHub API using okhttp/2.7.5. We will deprecate basic authentication using password to this endpoint soon:

      https://api.github.com/repositories/155774655

      We recommend using a personal access token (PAT) with the appropriate scope to access this endpoint instead. Visit https://github.com/settings/tokens for more information.

      This might be just something that admins need to deal w/, but it would be helpful if there was a migration page explaining what to do from the jenkins side.

      (it isn't particularly obvious to me)

          [JENKINS-60480] github is deprecating basic authentication using password

          Mark Waite added a comment -

          Maybe you're using the actual password from another location or through a different credential? I've not received any warnings from GitHub for my https repository access. I'll continue watching my mailbox in case it arrives.

          Mark Waite added a comment - Maybe you're using the actual password from another location or through a different credential? I've not received any warnings from GitHub for my https repository access. I'll continue watching my mailbox in case it arrives.

          Josh Soref added a comment - - edited

          Ok, for us, there were apparently two items. I've switched things over to the other one. Hopefully that will make the alert go away.

          But this experience was painful.

          One thing that would help immensely is the ability to search for credentials whose password matches an entered value. Expected results should only include passwords the searching user is allowed to use. Had I been able to do that, I could have quickly identified the problem.

          Fwiw, the best I've managed is:

          admin:org, admin:public_key, admin:repo_hook, read:user, repo 

          We had credentials of:

          repo 
          admin:repo_hook, repo 

          But they weren't sufficient for us.

          Josh Soref added a comment - - edited Ok, for us, there were apparently two items. I've switched things over to the other one. Hopefully that will make the alert go away. But this experience was painful. One thing that would help immensely is the ability to search for credentials whose password matches an entered value. Expected results should only include passwords the searching user is allowed to use. Had I been able to do that, I could have quickly identified the problem. Fwiw, the best I've managed is: admin:org, admin:public_key, admin:repo_hook, read:user, repo We had credentials of: repo admin:repo_hook, repo But they weren't sufficient for us.

          Albert Jankowski added a comment - - edited

          markewaite I did the following:

          • Created personal token in Github
          • Created credentials in Jenkins: username is username and password is the Github token
          • Now I navigate to Manage Jenkins -> Configure System -> Github
          • Under credentials, I don't see the new credentials I created in one of the previous steps (I'm guessing because it was username and password and it only shows items with keys only)

          Also, I did try:

          • Advance -> Manage Additional Github Actions -> Convert login and password to token
          • When I create the token from the credentials I get the following error:
            Can't create GH token - {"message":"This API can only be accessed with username and password Basic Auth","documentation_url":"https://developer.github.com/v3"}
            
          • When I create token from login and password (username = username, password = token) I get:
            Can't create GH token for xenomedia-deploy - {"message":"This API can only be accessed with username and password Basic Auth","documentation_url":"https://developer.github.com/v3"}
            
          • When I create token from login and password (actual username and password)
            Can't create GH token for username - null
            

          Any idea what I am doing wrong? You mentioned that this was working for you.

          Albert Jankowski added a comment - - edited markewaite I did the following: Created personal token in Github Created credentials in Jenkins: username is username and password is the Github token Now I navigate to Manage Jenkins -> Configure System -> Github Under credentials, I don't see the new credentials I created in one of the previous steps (I'm guessing because it was username and password and it only shows items with keys only) Also, I did try: Advance -> Manage Additional Github Actions -> Convert login and password to token When I create the token from the credentials I get the following error: Can't create GH token - { "message" : "This API can only be accessed with username and password Basic Auth" , "documentation_url" : "https: //developer.github.com/v3" } When I create token from login and password (username = username, password = token) I get: Can't create GH token for xenomedia-deploy - { "message" : "This API can only be accessed with username and password Basic Auth" , "documentation_url" : "https: //developer.github.com/v3" } When I create token from login and password (actual username and password) Can't create GH token for username - null Any idea what I am doing wrong? You mentioned that this was working for you.

          Mark Waite added a comment - - edited

          albertski the technique that works on my Jenkins server is to use the GitHub personal access token to define a Secret text credential, then use that in the Manage Jenkins -> GitHub section. I was personally surprised when that worked, since I've been conditioned to use one of two types of credentials to interact with GitHub, either private key (for ssh protocol) or username/password (for https). Secret text is a third type and that "Manage Jenkins" field for GitHub is the only place where I've used it as far as I remember.

          Mark Waite added a comment - - edited albertski the technique that works on my Jenkins server is to use the GitHub personal access token to define a Secret text credential, then use that in the Manage Jenkins -> GitHub section. I was personally surprised when that worked, since I've been conditioned to use one of two types of credentials to interact with GitHub, either private key (for ssh protocol) or username/password (for https). Secret text is a third type and that "Manage Jenkins" field for GitHub is the only place where I've used it as far as I remember.

          Thanks markewaite. Adding just the personal access token as Secret Text did work. I'll see if I get an alert of deprecated authentication.

          Albert Jankowski added a comment - Thanks markewaite . Adding just the personal access token as Secret Text did work. I'll see if I get an alert of deprecated authentication.

          Github is removing all support for basic auth on Nov 13, 2020 (with service brownouts on Sep 30 and Oct 28)

          https://developer.github.com/changes/2020-02-14-deprecating-password-auth/

           

          I have been using an access token with the "Username with password" credential type, but I don't think this will continue to work, as the branch source plugin is still sending those credentials via basic auth:

          https://github.com/jenkinsci/github-branch-source-plugin/blob/9d1f48ec47eb5d44f668936d0811a6715fcc6f35/src/main/java/org/jenkinsci/plugins/github_branch_source/Connector.java#L406

          https://github.com/github-api/github-api/blob/5c9474d1c891121f11ce9c31b51d42216a8e416f/src/main/java/org/kohsuke/github/GitHubClient.java#L119-L123

           

          Is the branch source plugin currently capable of sending the credentials via the HTTP Authorization header, or will this require a code change?

          Christopher Sang added a comment - Github is removing all support for basic auth on Nov 13, 2020 (with service brownouts on Sep 30 and Oct 28) https://developer.github.com/changes/2020-02-14-deprecating-password-auth/   I have been using an access token with the "Username with password" credential type, but I don't think this will continue to work, as the branch source plugin is still sending those credentials via basic auth: https://github.com/jenkinsci/github-branch-source-plugin/blob/9d1f48ec47eb5d44f668936d0811a6715fcc6f35/src/main/java/org/jenkinsci/plugins/github_branch_source/Connector.java#L406 https://github.com/github-api/github-api/blob/5c9474d1c891121f11ce9c31b51d42216a8e416f/src/main/java/org/kohsuke/github/GitHubClient.java#L119-L123   Is the branch source plugin currently capable of sending the credentials via the HTTP Authorization header, or will this require a code change?

          Jesse Glick added a comment -

          You can certainly use a PAT, but note that JENKINS-57351 was released which allows github-branch-source to use App authentication. Not currently available for non-multibranch use cases, though it has been proposed to push this code down into the github-api library.

          Jesse Glick added a comment - You can certainly use a PAT, but note that JENKINS-57351 was released which allows github-branch-source to use App authentication. Not currently available for non-multibranch use cases, though it has been proposed to push this code down into the github-api library.

          Liam Nichols added a comment - - edited

          jglick: I don't think using a PAT is an option right now unless I've missed something? I'm trying to configure the plugin using a user that requires 2FA and as a result my only option is to use a Personal Access Token but it's not working.

          I get the following in Jenkins when I do so:

          At first, I thought that it was an issue with my token, so I tried the following:

          $ curl 'https://{username}:{personal_access_token}@api.github.com/user'
          {
              "login": "{username}",
              ...
          }
          

          Since this worked as expected, I was confused... Then I stumbled upon this issue and tried my curl request by setting the header like the code described in the previous comments/screenshots :

          $ curl -H 'Authorization: Basic {base64("{username}:{personal_access_token}")}'  'https://api.github.com/user'
          {
            "message": "Bad credentials",
            "documentation_url": "https://developer.github.com/v3"
          }
          

          I don't have a non-2fa GitHub account to check with, but I'm assuming that using a personal access token in a Basic Authorisation header is no longer supported by GitHub? Unless I'm missing something?

          It does seem a bit odd assuming that it worked previously as it doesn't line up with GitHub's stated deprecation dates. Unless a PAT never worked? I can confirm that using Authorization: token personal_access_token in curl works as expected, but I see no way of doing this in the plugin right now?

          Liam Nichols added a comment - - edited jglick : I don't think using a PAT is an option right now unless I've missed something? I'm trying to configure the plugin using a user that requires 2FA and as a result my only option is to use a Personal Access Token but it's not working. I get the following in Jenkins when I do so: At first, I thought that it was an issue with my token, so I tried the following: $ curl 'https://{username}:{personal_access_token}@api.github.com/user' { "login" : "{username}" , ... } Since this worked as expected, I was confused... Then I stumbled upon this issue and tried my curl request by setting the header like the code described in the previous comments/screenshots : $ curl -H 'Authorization: Basic {base64( "{username}:{personal_access_token}" )}' 'https://api.github.com/user' { "message" : "Bad credentials" , "documentation_url" : "https://developer.github.com/v3" } I don't have a non-2fa GitHub account to check with, but I'm assuming that using a personal access token in a Basic Authorisation header is no longer supported by GitHub? Unless I'm missing something? It does seem a bit odd assuming that it worked previously as it doesn't line up with GitHub's stated deprecation dates. Unless a PAT never worked? I can confirm that using Authorization: token personal_access_token in curl works as expected, but I see no way of doing this in the plugin right now?

          Jesse Glick added a comment -

          liamnichols A PAT should just work, no plugin changes, no tricks, with or without 2FA enabled for the account, now or in the past. I have no idea what is wrong in your case.

          Jesse Glick added a comment - liamnichols A PAT should just work, no plugin changes, no tricks, with or without 2FA enabled for the account, now or in the past. I have no idea what is wrong in your case.

          Liam Nichols added a comment -

          Yep my bad, my credential had some trailing whitespace that went unnoticed previously as it was being escaped in other use cases but this plugin didn't escape it. I corrected the credential and all works now

          Liam Nichols added a comment - Yep my bad, my credential had some trailing whitespace that went unnoticed previously as it was being escaped in other use cases but this plugin didn't escape it. I corrected the credential and all works now

            lanwen Kirill Merkushev
            jsoref Josh Soref
            Votes:
            4 Vote for this issue
            Watchers:
            9 Start watching this issue

              Created:
              Updated:
              Resolved: