Jenkins / JENKINS-60480

github is deprecating basic authentication using password

      Description

      You recently used a password to access an endpoint through the GitHub API using okhttp/2.7.5. We will deprecate basic authentication using password to this endpoint soon:

      https://api.github.com/repositories/155774655

      We recommend using a personal access token (PAT) with the appropriate scope to access this endpoint instead. Visit https://github.com/settings/tokens for more information.

      This might be just something that admins need to deal w/, but it would be helpful if there was a migration page explaining what to do from the jenkins side.

      (it isn't particularly obvious to me)

            Activity

            csang Christopher Sang added a comment -

            GitHub is removing all support for basic auth on Nov 13, 2020 (with service brownouts on Sep 30 and Oct 28).

            https://developer.github.com/changes/2020-02-14-deprecating-password-auth/

             

            I have been using an access token with the "Username with password" credential type, but I don't think this will continue to work, as the branch source plugin is still sending those credentials via basic auth:

            https://github.com/jenkinsci/github-branch-source-plugin/blob/9d1f48ec47eb5d44f668936d0811a6715fcc6f35/src/main/java/org/jenkinsci/plugins/github_branch_source/Connector.java#L406

            https://github.com/github-api/github-api/blob/5c9474d1c891121f11ce9c31b51d42216a8e416f/src/main/java/org/kohsuke/github/GitHubClient.java#L119-L123

             

            Is the branch source plugin currently capable of sending the credentials via the HTTP Authorization header, or will this require a code change?

            jglick Jesse Glick added a comment -

            You can certainly use a PAT, but note that JENKINS-57351 was released which allows github-branch-source to use App authentication. Not currently available for non-multibranch use cases, though it has been proposed to push this code down into the github-api library.

            liamnichols Liam Nichols added a comment - - edited

            Jesse Glick: I don't think using a PAT is an option right now unless I've missed something? I'm trying to configure the plugin using a user that requires 2FA and as a result my only option is to use a Personal Access Token but it's not working.

            I get the following in Jenkins when I do so:

            At first, I thought that it was an issue with my token, so I tried the following:

            $ curl 'https://{username}:{personal_access_token}@api.github.com/user'
            {
                "login": "{username}",
                ...
            }
            

            Since this worked as expected, I was confused... Then I stumbled upon this issue and tried my curl request by setting the header like the code described in the previous comments/screenshots:

            $ curl -H 'Authorization: Basic {base64("{username}:{personal_access_token}")}'  'https://api.github.com/user'
            {
              "message": "Bad credentials",
              "documentation_url": "https://developer.github.com/v3"
            }
            

            I don't have a non-2fa GitHub account to check with, but I'm assuming that using a personal access token in a Basic Authorisation header is no longer supported by GitHub? Unless I'm missing something?

            It does seem a bit odd assuming that it worked previously as it doesn't line up with GitHub's stated deprecation dates. Unless a PAT never worked? I can confirm that using Authorization: token personal_access_token in curl works as expected, but I see no way of doing this in the plugin right now?

            jglick Jesse Glick added a comment -

            Liam Nichols A PAT should just work, no plugin changes, no tricks, with or without 2FA enabled for the account, now or in the past. I have no idea what is wrong in your case.

            liamnichols Liam Nichols added a comment -

            Yep, my bad: my credential had some trailing whitespace that went unnoticed previously, as it was being escaped in other use cases, but this plugin didn't escape it. I corrected the credential and all works now.
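
The failure mode this thread ends on (a stored token with trailing whitespace being sent in a Basic header and rejected), as an added example that is not part of the original comments or the plugin's code. It builds the header value offline, shows that one trailing space changes the encoded value, and checks a secret before use; the function names and sample user/token are constructed for illustration.

```shell
#!/bin/sh
# Added example. All values are constructed; nothing here talks to GitHub.

# basic_header USER SECRET: print the Authorization value for HTTP Basic auth.
# printf '%s' is used instead of echo so no newline is encoded into the value.
basic_header() {
    printf 'Basic %s' "$(printf '%s:%s' "$1" "$2" | base64 | tr -d '\n')"
}

# has_edge_whitespace VALUE: succeed if VALUE starts or ends with whitespace
# (space, tab, newline), the kind of damage a copy/paste into a form leaves.
has_edge_whitespace() {
    case "$1" in
        [[:space:]]*|*[[:space:]]) return 0 ;;
        *) return 1 ;;
    esac
}

# checked_basic_header USER SECRET: refuse to build a header from a secret
# that would be sent with stray whitespace; otherwise print the header.
checked_basic_header() {
    if has_edge_whitespace "$2"; then
        echo "secret has leading/trailing whitespace; re-enter the credential" >&2
        return 1
    fi
    basic_header "$1" "$2"
}

SAMPLE_USER='ci-bot'                      # constructed
SAMPLE_PAT='constructed-token-0123456789' # constructed, not a real PAT

echo "clean : $(basic_header "$SAMPLE_USER" "$SAMPLE_PAT")"
echo "padded: $(basic_header "$SAMPLE_USER" "$SAMPLE_PAT ")"   # differs from clean
checked_basic_header "$SAMPLE_USER" "$SAMPLE_PAT " || echo "rejected padded secret"
```

Decoding the header a client actually sent and comparing it with the clean value is a quick way to tell a malformed stored credential from a revoked or under-scoped token.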


              People

              • Assignee:
                lanwen Kirill Merkushev
                Reporter:
                jsoref Josh Soref