Jenkins / JENKINS-62220

GitHub App to support credentials with multiple organizations

      Description

      We are trying to use the same app on jobs across orgs, and it is not working, as we need to maintain duplicate credentials for multiple organizations.

      Maintaining the same credentials for multiple orgs seems like duplication to me; is there any chance we can avoid this?

      Our use case is: since it is an internal (GitHub Enterprise) bot, it is pretty open and we don't even know who would invite this bot to their organization, and this bot takes care of creating Jenkins jobs through DSL scripts, which use the standard credentials. So it is very hard to keep creating credentials on the fly for every org that this bot is being invited to.

      Thanks a bunch for all the help on maintaining this awesome plugin. Let me know your thoughts please.

      Related discussion on PR: https://github.com/jenkinsci/github-branch-source-plugin/pull/290#discussion_r415168275

            Activity

            llibicpep Dee Kryvenko added a comment -

            I just thought of another issue related to this. Consider a pipeline that needs access to more than one org simultaneously. It might be a Go module or a Terraform module that is reaching out for dependencies - nothing fancy, a totally legit use case. The pipeline is not aware of what the underlying tool will try to reach, but as long as the GitHub App is authorized in all of the orgs, it should be possible to do that.
            My understanding is it's currently not, and it's probably on the GitHub side? What's the alternative, deprecating services etc.? It seems like GitHub Apps are the only recommended auth type?

            nrayapati Naresh Rayapati added a comment - edited

            Looks like GitHubAppCredentials is currently using an app installation token; not sure of the actual/initial design notes. Probably we could convert it to use the JWToken to avoid the issue reported in this JIRA.

            Logged a new Jira for that:
            https://issues.jenkins.io/browse/JENKINS-64870

            JWT Token vs App Installation Token
            https://github-api.kohsuke.org/githubappjwtauth.html
            https://github-api.kohsuke.org/githubappappinsttokenauth.html

            llibicpep Dee Kryvenko added a comment -

            I'm pretty sure we need support for both. Certain use cases will need it exactly the way it is currently implemented. Consider a case with 3 independent parties - end users of Jenkins (owners of orgs/repos), the app owner (owner of the Jenkins installation) and GitHub. In certain scenarios you will want to use the same GitHub app to authenticate the Jenkins installation but still prevent different Jenkins end users from being able to meddle with each other via their pipelines.

            csanchez Carlos Sanchez added a comment -

            I have started a draft PR to github-api so one app can handle multiple tokens based on the org from the URL that it is trying to access
            https://github.com/hub4j/github-api/pull/1053

            bitwiseman Liam Newman added a comment -

            My understanding is that you can only use JWT tokens for a limited set of GitHub endpoints. See https://docs.github.com/en/rest/reference/apps

            Aside from those, you'll need an App Installation token.

            Carlos Sanchez
            Guessing the org based on the URL that is being accessed seems extremely brittle to me. What is the use case where one GitHub instance (and its related authorization provider) would need to apply to multiple organizations? At the github-api level, creating a new GitHub instance for each org is not a big deal.

            This sounds like a problem best solved at Jenkins level. It is totally reasonable to add github-api methods to make this work easier, but I think they're already there.
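
The per-org approach discussed in this thread, as an added sketch that is not code from the plugin, from github-api, or from any commenter: one app credential, one cached installation token per organization, with the org named explicitly by the caller instead of inferred from a URL. The `Minter` interface, the folder allow-list and all names and values are hypothetical; the real JWT-to-installation-token exchange is stubbed out so the example runs offline.

```java
import java.time.Duration;
import java.time.Instant;
import java.util.Map;
import java.util.Set;
import java.util.concurrent.ConcurrentHashMap;

public class PerOrgTokens {
    /** Hypothetical stand-in for exchanging the App JWT for an org's installation token. */
    interface Minter { Token mint(String org); }

    record Token(String org, String value, Instant expiresAt) {}

    private final Minter minter;
    // Assumption for illustration: each Jenkins folder lists the orgs its jobs may reach.
    private final Map<String, Set<String>> allowedOrgsByFolder;
    private final Map<String, Token> cache = new ConcurrentHashMap<>();

    PerOrgTokens(Minter minter, Map<String, Set<String>> allowedOrgsByFolder) {
        this.minter = minter;
        this.allowedOrgsByFolder = allowedOrgsByFolder;
    }

    /** The caller names the org; a folder only gets tokens for orgs on its allow-list. */
    Token tokenFor(String folder, String org, Instant now) {
        if (!allowedOrgsByFolder.getOrDefault(folder, Set.of()).contains(org)) {
            throw new SecurityException(folder + " may not use the app in org " + org);
        }
        // Reuse the cached token unless it is missing or within one minute of expiry.
        return cache.compute(org, (k, t) ->
            t != null && t.expiresAt().isAfter(now.plus(Duration.ofMinutes(1))) ? t : minter.mint(k));
    }

    public static void main(String[] args) {
        Instant now = Instant.parse("2021-01-01T00:00:00Z"); // constructed clock
        int[] minted = {0};
        // Constructed fake minter: returns labelled dummy tokens with a one-hour lifetime.
        Minter fake = org -> new Token(org, "tok-" + org + "-" + (++minted[0]), now.plus(Duration.ofHours(1)));
        PerOrgTokens tokens = new PerOrgTokens(fake, Map.of(
            "team-a", Set.of("org-a"),
            "platform", Set.of("org-a", "org-b")));

        System.out.println(tokens.tokenFor("platform", "org-a", now).value()); // first use mints
        System.out.println(tokens.tokenFor("team-a", "org-a", now).value());   // served from cache
        System.out.println(tokens.tokenFor("platform", "org-b", now).value()); // separate token per org
        try {
            tokens.tokenFor("team-a", "org-b", now); // org-b is not on team-a's allow-list
        } catch (SecurityException e) {
            System.out.println("denied: " + e.getMessage());
        }
    }
}
```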


              People

              Assignee: Unassigned
              Reporter: nrayapati Naresh Rayapati
              Votes: 3
              Watchers: 14