[JIRA] (JENKINS-60480) github is deprecating basic authentication using password

2 views
Skip to first unread message

jsoref+jenkins@gmail.com (JIRA)

unread,
Dec 13, 2019, 3:28:05 PM12/13/19
to jenkinsc...@googlegroups.com
Josh Soref created an issue
 
Jenkins / New Feature JENKINS-60480
github is deprecating basic authentication using password
Issue Type: New Feature New Feature
Assignee: Kirill Merkushev
Components: github-api-plugin, github-branch-source-plugin, github-plugin
Created: 2019-12-13 20:27
Priority: Minor Minor
Reporter: Josh Soref

You recently used a password to access an endpoint through the GitHub API using okhttp/2.7.5. We will deprecate basic authentication using password to this endpoint soon:

https://api.github.com/repositories/155774655

We recommend using a personal access token (PAT) with the appropriate scope to access this endpoint instead. Visit https://github.com/settings/tokens for more information.

This might be just something that admins need to deal w/, but it would be helpful if there was a migration page explaining what to do from the jenkins side.

(it isn't particularly obvious to me)
Add Comment Add Comment
 
This message was sent by Atlassian Jira (v7.13.6#713006-sha1:cc4451f)
Atlassian logo

carlos@jenkins.co.cr (JIRA)

unread,
Dec 18, 2019, 5:28:02 PM12/18/19
to jenkinsc...@googlegroups.com
Carlos Jenkins updated an issue
Change By: Carlos Jenkins
Attachment: image-2019-12-18-16-27-49-854.png

carlos@jenkins.co.cr (JIRA)

unread,
Dec 18, 2019, 5:30:02 PM12/18/19
to jenkinsc...@googlegroups.com
Carlos Jenkins updated an issue
Change By: Carlos Jenkins
Attachment: image-2019-12-18-16-29-44-602.png

carlos@jenkins.co.cr (JIRA)

unread,
Dec 18, 2019, 5:43:02 PM12/18/19
to jenkinsc...@googlegroups.com
Carlos Jenkins commented on New Feature JENKINS-60480
 
Re: github is deprecating basic authentication using password

Hi,

I got the same email for two of my Jenkins deployments. That's how I got here

In particular the GitHub Branch Source Plugin only supports using username and password, so the functionality provided by that plugin may break when the deprecation takes place.

Current code of the GitHub Branch Source Plugin shows:

https://github.com/jenkinsci/github-branch-source-plugin/blob/23c8a226eef074da7b87bc4b629f6a9f75bf4766/src/main/java/org/jenkinsci/plugins/github_branch_source/Connector.java#L339

 

Looking at what PyGitHub does (project that I use with tokens to automate some things):

https://github.com/PyGithub/PyGithub/blob/baddb7193f24fc988def1ead53876024be6066e0/github/Requester.py#L278

 

 

It looks like GitHub supports passing token in the Authorization header. So, in theory, the GitHub Branch Source Plugin could use a "Secret Text" type secret with the token an pass it down in the Authorization header.

Its interesting to note that the GitHub Plugin already supports (actually only supports) using access tokens. So, in my Jenkins deployment I have to have two secrets:

  • A "Username with password" type for GitHub Branch Source Plugin, and
  • A "Secret text" for the GitHub plugin.

 

 

mark.earl.waite@gmail.com (JIRA)

unread,
Dec 18, 2019, 6:51:02 PM12/18/19
to jenkinsc...@googlegroups.com

Isn't that message saying that you can continue to use basic auth so long as instead of using your actual password you use a personal access token. Generate a personal access token from the GitHub "Settings" page and store that personal access token in the Jenkins username / password credential as the password. Place your username as the username. Check that it works. It has been working that way for me.

jsoref+jenkins@gmail.com (JIRA)

unread,
Dec 18, 2019, 6:55:02 PM12/18/19
to jenkinsc...@googlegroups.com

Mark Waite: Do you know what permissions we should give it in https://github.com/settings/tokens/new?

My ticket isn't claiming that work necessarily needs to be done in the plugin, just that a "what to do" should be published. (Although, probably it's best for the plugin to just guide people through the process since it seems like it'd be pretty easy for it to do that and remember "this token is good" or something.)

mark.earl.waite@gmail.com (JIRA)

unread,
Dec 18, 2019, 6:58:02 PM12/18/19
to jenkinsc...@googlegroups.com

Repository read should be enough Josh Soref, unless your job is pushing changes back to the server.

jsoref+jenkins@gmail.com (JIRA)

unread,
Dec 18, 2019, 6:59:03 PM12/18/19
to jenkinsc...@googlegroups.com

Also, a quick look at my jenkins /credentials/store/system/domain/_/ shows that the account currently has a token with repo which was Last used within the last week according to github, and yet, I'm still getting warnings.

mark.earl.waite@gmail.com (JIRA)

unread,
Dec 18, 2019, 6:59:03 PM12/18/19
to jenkinsc...@googlegroups.com
Mark Waite edited a comment on New Feature JENKINS-60480
Repository read should be enough [~jsoref], unless your job is pushing changes back to the server.

mark.earl.waite@gmail.com (JIRA)

unread,
Dec 18, 2019, 7:01:02 PM12/18/19
to jenkinsc...@googlegroups.com
Mark Waite edited a comment on New Feature JENKINS-60480
Repository read should be enough [~jsoref], unless your job is pushing changes back to the server.


I think we should document the credential choices as part of a larger picture of ways to use Jenkins most effectively with git.  When using GitHub, prefer username and a personal access tokens rather than username and password.  Same advice would apply to Bitbucket, Gitlab, Gitea, Team Foundation Server, and more.

mark.earl.waite@gmail.com (JIRA)

unread,
Dec 18, 2019, 7:03:03 PM12/18/19
to jenkinsc...@googlegroups.com

Maybe you're using the actual password from another location or through a different credential? I've not received any warnings from GitHub for my https repository access. I'll continue watching my mailbox in case it arrives.

jsoref+jenkins@gmail.com (JIRA)

unread,
Dec 18, 2019, 7:26:01 PM12/18/19
to jenkinsc...@googlegroups.com

Ok, for us, there were apparently two items. I've switched things over to the other one. Hopefully that will make the alert go away.

But this experience was painful.

One thing that would help immensely is the ability to search for credentials whose password matches an entered value. Expected results should only include passwords the searching user is allowed to use. Had I been able to do that, I could have quickly identified the problem.

jsoref+jenkins@gmail.com (JIRA)

unread,
Dec 18, 2019, 8:03:03 PM12/18/19
to jenkinsc...@googlegroups.com
Josh Soref edited a comment on New Feature JENKINS-60480
Ok, for us, there were apparently two items. I've switched things over to the other one. Hopefully that will make the alert go away.

But this experience was painful.

One thing that would help immensely is the ability to search for credentials whose password matches an entered value. Expected results should only include passwords the searching user is allowed to use. Had I been able to do that, I could have quickly identified the problem.


Fwiw, the best I've managed is:
{code:java}
admin:org, admin:public_key, admin:repo_hook, read:user, repo {code}
We had credentials of:
{code:java}
repo {code}
{code:java}
admin:repo_hook, repo {code}
But they weren't sufficient for us.

albert@xenomedia.com (JIRA)

unread,
Feb 4, 2020, 12:01:03 PM2/4/20
to jenkinsc...@googlegroups.com

Mark Waite I did the following:

  • Created personal token in Github
  • Created credentials in Jenkins: username is username and password is the Github token
  • Now I navigate to Manage Jenkins -> Configure System -> Github
  • Under credentials, I don't see the new credentials I created in one of the previous steps (I'm guessing because it was username and password and it only shows items with keys only)

Also, I did try:

  • Advance -> Manage Additional Github Actions -> Convert login and password to token
  • When I create the token from the credentials I get the following error: 
    Can't create GH token - {"message":"This API can only be accessed with username and password Basic Auth","documentation_url":"https://developer.github.com/v3"}
  • When I create token from login and password (username = username, password = token) I get: 
    Can't create GH token for xenomedia-deploy - {"message":"This API can only be accessed with username and password Basic Auth","documentation_url":"https://developer.github.com/v3"}
  • When I create token from login and password (actual username and password) 
    Can't create GH token for username - null

Any idea what I am doing wrong? You mentioned that this was working for you?

albert@xenomedia.com (JIRA)

unread,
Feb 4, 2020, 12:10:03 PM2/4/20
to jenkinsc...@googlegroups.com
Albert Jankowski edited a comment on New Feature JENKINS-60480
[~markewaite] I did the following:
- Created personal token in Github
- Created credentials in Jenkins: username is username and password is the Github token
- Now I navigate to Manage Jenkins -> Configure System -> Github
- Under credentials, I don't see the new credentials I created in one of the previous steps (I'm guessing because it was username and password and it only shows items with keys only)

Also, I did try:
- Advance -> Manage Additional Github Actions -> Convert login and password to token
- When I create the token from the credentials I get the following error:
{code:java}

Can't create GH token - {"message":"This API can only be accessed with username and password Basic Auth","documentation_url":"https://developer.github.com/v3"}
{code}
- When I create token from login and password (username = username, password = token) I get:
{code:java}

Can't create GH token for xenomedia-deploy - {"message":"This API can only be accessed with username and password Basic Auth","documentation_url":"https://developer.github.com/v3"}
{code}
- When I create token from login and password (actual username and password)
{code:java}

Can't create GH token for username - null
{code}

Any idea what I am doing wrong? You mentioned that this was working for you ? .

mark.earl.waite@gmail.com (JIRA)

unread,
Feb 4, 2020, 1:41:02 PM2/4/20
to jenkinsc...@googlegroups.com

Albert Jankowski the technique that works on my Jenkins server is to use the GitHub personal access token to define a `Secret text` credential, then use that in the `Manage Jenkins` -> `GitHub` section. I was personally surprised when that worked, since I've been conditioned to use one of two types of credentials to interact with GitHub, either private key (for ssh protocol) or username/password (for https). Secret text is a third type and that "Manage Jenkins" field for GitHub is the only place where I've used it as far as I remember.

mark.earl.waite@gmail.com (JIRA)

unread,
Feb 4, 2020, 1:42:03 PM2/4/20
to jenkinsc...@googlegroups.com
Mark Waite edited a comment on New Feature JENKINS-60480
[~albertski] the technique that works on my Jenkins server is to use the GitHub personal access token to define a ` {{ Secret text ` }} credential, then use that in the ` {{ Manage Jenkins ` }} -> ` {{ GitHub ` }} section.  I was personally surprised when that worked, since I've been conditioned to use one of two types of credentials to interact with GitHub, either private key (for ssh protocol) or username/password (for https).  Secret text is a third type and that "Manage Jenkins" field for GitHub is the only place where I've used it as far as I remember.

albert@xenomedia.com (JIRA)

unread,
Feb 4, 2020, 2:23:03 PM2/4/20
to jenkinsc...@googlegroups.com

Thanks Mark Waite. Adding just the personal access token as Secret Text did work. I'll see if I get an alert of deprecated authentication.

christopher@narrativ.com (JIRA)

unread,
Apr 16, 2020, 12:32:05 PM4/16/20
to jenkinsc...@googlegroups.com

Github is removing all support for basic auth on Nov 13, 2020 (with service brownouts on Sep 30 and Oct 28)

https://developer.github.com/changes/2020-02-14-deprecating-password-auth/

 

I have been using an access token with the "Username with password" credential type, but I don't think this will continue to work, as the branch source plugin is still sending those credentials via basic auth:

https://github.com/jenkinsci/github-branch-source-plugin/blob/9d1f48ec47eb5d44f668936d0811a6715fcc6f35/src/main/java/org/jenkinsci/plugins/github_branch_source/Connector.java#L406

https://github.com/github-api/github-api/blob/5c9474d1c891121f11ce9c31b51d42216a8e416f/src/main/java/org/kohsuke/github/GitHubClient.java#L119-L123

 

Is the branch source plugin currently capable of sending the credentials via the HTTP Authorization header, or will this require a code change?
This message was sent by Atlassian Jira (v7.13.12#713012-sha1:6e07c38)
Atlassian logo

jglick@cloudbees.com (JIRA)

unread,
Apr 29, 2020, 11:48:04 AM4/29/20
to jenkinsc...@googlegroups.com

You can certainly use a PAT, but note that JENKINS-57351 was released which allows github-branch-source to use App authentication. Not currently available for non-multibranch use cases, though it has been proposed to push this code down into the github-api library.
Reply all
Reply to author
Forward
0 new messages