I have been using Git Plugin in Jenkins to pull the source code from the GitHub repository.
I have been using UserName and Password for authentication
However, GitHub has announced
Deprecation Notice: GitHub will discontinue password authentication to
the API. You must now authenticate to the GitHub API with an API
token, such as an OAuth access token, GitHub App installation access
token, or personal access token, depending on what you need to do with
the token
So i need to change the authentication to use oAuth token.
1> I have created a oAuth token in GitHub
2> Then in Jenkins i created Secret Text as Global Credentials. (using the GitHub's oAuth token)
3> However, when i goto job configuration, the Git Plug-In does not show any credentials in the DropDownList whose type is secret text ( it shows all other credentials though)
How do i configure Git Pug-in to use oAuth token?
Check first if you have the github-oauth Jenkins plugin installed, as described in "Use the Jenkins OAuth plug-in to securely pull from GitHub", from Walker Rowe.
That would allow to register your Jenkins server as an application which can then access GitHub resources:
Stick with the "Username with Password" credential type, created with a token (usually a Personal Access Token) in place of the password.
The GitHub docs you linked to mention this type of use case specifically:
curl -u username:token https://api.github.com/user
This approach is useful if your tools only support Basic Authentication but you want to take advantage of OAuth access token security features.
The Git Plugin doesn't accept a SecretText credential because it wouldn't know what to do with it. While it isn't limited to Basic Auth only (it supports SSH, after all), it doesn't know what to do with just an OAuth token.
Fortunately, GitHub has provided a work around for this exact type of use case, by allowing you to pass a token (virtually) anywhere you would otherwise use a password.
Using this method allows you to take advantage of the security features of tokens, such as per-token scopes, without having to retro-fit your existing tooling.
Another approach is to take advantage of the GitHub App authentication support
It is released in April 2020 with GitHub Branch Source 2.7.0-beta1 which is available in the Jenkins experimental update center.
Why authenticate as a GitHub app?
Larger rate limits - The rate limit for a GitHub app scales with your organization size, whereas a user based token has a limit of 5000 regardless of how many repositories you have.
User-independent authentication - Each GitHub app has its own user-independent authentication.
No more need for 'bot' users or figuring out who should be the owner of 2FA or OAuth tokens.
Improved security and tighter permissions - GitHub Apps offer much finer-grained permissions compared to a service user and its personal access tokens.
This lets the Jenkins GitHub app require a much smaller set of privileges to run properly.
Access to GitHub Checks API - GitHub Apps can access the the GitHub Checks API to create check runs and check suites from Jenkins jobs and provide detailed feedback on commits as well as code annotation
And:
In addition to usage of GitHub App authentication for Multi-Branch Pipeline, you can also use app authentication directly in your Pipelines.
You can access the Bearer token for the GitHub API by just loading a 'Username/Password' credential as usual, the plugin will handle authenticating with GitHub in the background.
This answer describes the entire process of setting up OAuth with Github in Jenkins: https://stackoverflow.com/a/61995795/9962007
Related
I have an API that's protected by Auth0.
I want my users to have CLI access to this API as well. I was considering using the one-time password flow initially when the developer signs in to the CLI to request a refresh token, and then persist this on the disk for future use.
But this just feels wrong. Is there any other more secure approach?
The CLI might be used on build servers etc, so I guess it has to be a permanent token that lasts forever.
While we're at it, what do other APIs do, for instance GitHub when I request a Personal Access Token? Is that the same?
Did you check this? https://auth0.com/docs/flows/guides/device-auth/call-api-device-auth.
By using this flow on a CLI the user will login interactively through a browser and then will enter a code in the CLI. This will give you back an access token and a refresh token. You could use the refresh token in your CI process to obtain new tokens on every build (or whenever the AT expired).
I want to make an alert system on Apigee that will automatically send alerts to Slack, without the need for human interference.
However, the only OAuth flow for Slack I found on their api site seems to require a user to manually input their credentials: https://api.slack.com/docs/oauth
How can I automate getting an access token from Slack, so without having to manually input credentials?
I think you may have misunderstood the concept of Oauth. The way it is supposed to work is, that you run the process only once per Slack team (usually while installing the Slack app to your Slack team) and then store the access token you received for future reference (e.g. in a database). So whenever your Slack app needs the access token after installation it can always reuse the one it received during installation.
If you don't require any scripts to run for installation and you only need the access token you can also install your Slack app directly from Slack (under "Your Apps") and then copy and paste the resulting access token to your app configuration. Check this documentation for further information.
If you are generating webhooks on the fly, it requires OAuth 2.0 each time. However, if you use the Web API chat.postMessage method, it only requires the token (under the OAuth & Permissions section) to make a HTTP POST request to send a notification.
My team writes a monitoring system which we have recently migrated the definitions of our monitoring into a git repo. These definitions are comprised of some json and powershell files. VSCode is an ideal scenario for editing and dealing with git. The problem is while developing the monitoring it is nice to be able to execute it against a test environment. Previously all editing was done through a web interface and we allowed ad hoc execution of the powershell against test machines through an API which is secured with AzureAD and OAuth2.0.
VS Code extensions don't have access to the full electron api and you are restricted from creating a BrowserWindow to handle the usual OAuth redirect flow. Is there a way to work around this limitation and allow a user to auth to our api so that we can make calls to it?
Any ideas or possible workarounds would be awesome.
One thing you can do is to use Server to Server via Client Credentials authentication method. There is node npm library here.
You will need to first register your VS code extension into Azure AD via Azure Portal.
The downside of this method is the credential passed to the Web API won't be user's credential but rather same extension specific credentials. But it would be OK in case you don't need VS code user's identity.
The supported way to get a user token for an application that doesn't have the ability to open a Web Browser to auth is the "OAuth Device Flow". Here is a link to a blog about how to implement it with AAD.
https://joonasw.net/view/device-code-flow
You need to host a localhost webserver inside your extension, when you're doing the auth and then pass localhost:port as the redirect URI for the oauth login flow.
I want to use the bitbucket pull request plugin with jenkins. It works great without two factor authentication. But with two factor authentication enabled it does not work.
Has anybody got it to work with TFA enabled, or is this just not supported?
If you're using 2FA in Bitbucket Cloud, you'll need to change the repository configuration in Jenkins to use App Passwords. If Jenkins is currently checking out using your account password, 2FA will prevent that by definition, but if you configure the repo with an app password it should all just work.
I am prototyping HipChat client and I'm stuck at building good authentication experience. I would like to implement similar authentication dialog as HipChat clients built by Atlassian provide. There is no need to generate auth tokens/etc, you just type email/password and client is able to obtain oauth token.
How do they do? Clients use com.atlassian.hipchat.win-clients as client_name in request to https://www.hipchat.com/users/authorize.
Question that I have: how do I register my own client? If I use any random name I get "Named OAuthClient not found ".
How to register client name that will work with any HipChat server, including hipchat.com?
Updated:
I made an example. Please take a look.
https://github.com/chenghuang-mdsol/StandupCat
#VitaliyGanzha
There's a way I used: Build an auth provider based on the integration token.
Make an integration, take down the auth_token.
Use this auth_token on the api here: https://www.hipchat.com/docs/apiv2/method/generate_token
use grant_type 'password', and fill username and password in your post request.
It will return the user info.
Based on the user info it returned, you do your membership provider.
Note that this auth_token has very limited permission. If you want to do more than authentication, you need another personal auth_token which can be generated in your account center.
Tested in C# WCF
Here I've got an answer that it is not possible right now:
This is currently not possible. The flow you described with the
com.atlassian.hipchat.win-clients oauth id is used internally inside
our new desktop and mobile clients. The only other way to obtain an
access token via a 3-legged oauth flow is to create an add-on that you
have to require a HipChat customer to install. Our OAuth tokens are
scoped by group. We don't have allow global tokens. Sorry about that.
https://answers.atlassian.com/questions/32989448/writing-hipchat-client-hipchat-authentication