Jenkins issue JENKINS-65006

Couldn't authenticate with GitHub app ID when app is installed in 2+ organizations

    Details

    • Type: Bug
    • Status: Open
    • Priority: Major
    • Resolution: Unresolved
    • Labels:
      None
    • Environment:
      GitHub Enterprise 2.22.6
      github-branch-source-plugin 2.10.2 and 8093b3d

      Description

      GitHub app authentication was working fine until the app was installed to a second organization. Then, as tokens expired, Jenkins started throwing errors:

      java.lang.IllegalArgumentException: Couldn't authenticate with GitHub app ID <REDACTED>, has it been installed to your GitHub organisation / user?
      	at org.jenkinsci.plugins.github_branch_source.GitHubAppCredentials.lambda$generateAppInstallationToken$1(GitHubAppCredentials.java:216)
      	at java.util.Optional.orElseThrow(Optional.java:290)
      	at org.jenkinsci.plugins.github_branch_source.GitHubAppCredentials.generateAppInstallationToken(GitHubAppCredentials.java:216)
      	at org.jenkinsci.plugins.github_branch_source.GitHubAppCredentials.getToken(GitHubAppCredentials.java:269)
      	at org.jenkinsci.plugins.github_branch_source.GitHubAppCredentials.access$300(GitHubAppCredentials.java:47)
      	at org.jenkinsci.plugins.github_branch_source.GitHubAppCredentials$CredentialsTokenProvider.getEncodedAuthorization(GitHubAppCredentials.java:183)
      	at org.kohsuke.github.GitHubClient.getEncodedAuthorization(GitHubClient.java:219)
      	at org.kohsuke.github.GitHubHttpUrlConnectionClient$HttpURLConnectionResponseInfo.setupConnection(GitHubHttpUrlConnectionClient.java:113)
      	at org.kohsuke.github.GitHubHttpUrlConnectionClient.getResponseInfo(GitHubHttpUrlConnectionClient.java:56)
      	at org.kohsuke.github.GitHubClient.sendRequest(GitHubClient.java:394)
      	at org.kohsuke.github.GitHubClient.getRateLimit(GitHubClient.java:232)
      	at org.kohsuke.github.GitHubClient.rateLimit(GitHubClient.java:283)
      	at org.kohsuke.github.GitHubRateLimitChecker.checkRateLimit(GitHubRateLimitChecker.java:122)
      	at org.kohsuke.github.GitHubClient.sendRequest(GitHubClient.java:392)
      	at org.kohsuke.github.GitHubClient.fetch(GitHubClient.java:129)
      	at org.kohsuke.github.GitHubClient.checkApiUrlValidity(GitHubClient.java:325)
      	at org.kohsuke.github.GitHub.checkApiUrlValidity(GitHub.java:1195)
      	at org.jenkinsci.plugins.github_branch_source.Connector$GitHubConnection.verifyConnection(Connector.java:678)
      	at org.jenkinsci.plugins.github_branch_source.Connector$GitHubConnection.connect(Connector.java:635)
      	at org.jenkinsci.plugins.github_branch_source.Connector$GitHubConnection.access$200(Connector.java:589)
      	at org.jenkinsci.plugins.github_branch_source.Connector.connect(Connector.java:361)
      	at org.jenkinsci.plugins.github_branch_source.GitHubSCMSource.retrieveActions(GitHubSCMSource.java:1880)
      	at jenkins.scm.api.SCMSource.fetchActions(SCMSource.java:848)
      	at jenkins.branch.MultiBranchProject.computeChildren(MultiBranchProject.java:598)
      	at com.cloudbees.hudson.plugins.folder.computed.ComputedFolder.updateChildren(ComputedFolder.java:278)
      	at com.cloudbees.hudson.plugins.folder.computed.FolderComputation.run(FolderComputation.java:165)
      	at jenkins.branch.MultiBranchProject$BranchIndexing.run(MultiBranchProject.java:1032)
      	at hudson.model.ResourceController.execute(ResourceController.java:97)
      	at hudson.model.Executor.run(Executor.java:429)
      
      

            Activity

            csanchez Carlos Sanchez added a comment -

            FTR, the owner is set in the Advanced section of credentials, which also makes it really hard to see, given that it is mandatory when using 2+ organizations.

            csanchez Carlos Sanchez added a comment - PR for better error at https://github.com/jenkinsci/github-branch-source-plugin/pull/399
            csanchez Carlos Sanchez added a comment -

            I can work around this by creating two credentials for the same app with different owners (one for each organization), but that looks like a totally unnecessary duplication.

            csanchez Carlos Sanchez added a comment -

            The problem is that once there are 2+ installations of the app, Jenkins starts checking that the Credential owner field (which defaults to null) matches the GitHub organization, and so none of the appInstallations match.

            https://github.com/jenkinsci/github-branch-source-plugin/blob/b4206a9/src/main/java/org/jenkinsci/plugins/github_branch_source/GitHubAppCredentials.java#L210-L218

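The selection behaviour described in the comment above, modelled as an added example (not the plugin's code; the `Installation` class, the method names, the case-insensitive owner match, the ids and the organization names are constructed for illustration). With 2+ installations and no owner it refuses to pick one, since an installation token is scoped to a single installation, and it reports which condition failed.

```java
import java.util.Arrays;
import java.util.List;
import java.util.Optional;

public class InstallationSelection {
    // Constructed stand-in for one app installation: its id and the account (org or user) it belongs to.
    static final class Installation {
        final long id;
        final String accountLogin;
        Installation(long id, String accountLogin) { this.id = id; this.accountLogin = accountLogin; }
    }

    // A single installation is used as-is; with 2+ installations the credential's owner must name the account.
    static Optional<Installation> select(List<Installation> installations, String owner) {
        if (installations.size() == 1) {
            return Optional.of(installations.get(0));
        }
        return installations.stream()
                .filter(i -> i.accountLogin.equalsIgnoreCase(owner)) // a null owner never matches
                .findFirst();
    }

    // Fails closed, but says why: no installation, owner missing, or owner not among the installations.
    static long installationIdFor(List<Installation> installations, String owner) {
        Optional<Installation> match = select(installations, owner);
        if (match.isPresent()) {
            return match.get().id;
        }
        String reason = installations.isEmpty() ? "the app has no installations"
                : owner == null ? "the app has " + installations.size()
                        + " installations and the credential has no owner set"
                : "the app is not installed for owner '" + owner + "'";
        throw new IllegalArgumentException("Cannot choose an app installation: " + reason);
    }

    public static void main(String[] args) {
        // Constructed sample data.
        List<Installation> one = Arrays.asList(new Installation(101L, "org-a"));
        List<Installation> two = Arrays.asList(new Installation(101L, "org-a"), new Installation(202L, "org-b"));

        System.out.println(installationIdFor(one, null));    // single installation: owner not needed
        System.out.println(installationIdFor(two, "org-b")); // owner set: the matching installation is used
        try {
            installationIdFor(two, null);                     // the case reported in this issue
        } catch (IllegalArgumentException e) {
            System.out.println(e.getMessage());
        }
    }
}
```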

              People

              Assignee:
              Unassigned
              Reporter:
              csanchez Carlos Sanchez