Comments (5)
I agree with what @gmlewis is saying, but it would still be interesting to explore this idea as a whole. Then we can see if there is a way to make it work that is feasible to maintain.
@ashi009 I'm especially curious to see your ideas of making it easier to switch between creds. Do you have suggestions of what the API changes would look like?
As somebody who occasionally uses app and installation authentication, one thing I struggle with is keeping track of which endpoints require which creds. I have a rough idea that this could be improved, but I haven't proposed anything. I only occasionally dabble in apps so I feel like I don't have a full understanding of the problem.
from go-github.
Many of the APIs need to be invoked as a GitHub App, e.g. https://docs.github.com/en/rest/checks/runs?apiVersion=2022-11-28. And currently we need to use third-party packages like ghinstallation to do so.
However, this is not the full story. When creating a GitHub App, it involves many different kinds of creds:
And we need to use a different cred to call different APIs. For now, the only way to do so is to create many different `github.Client`s, each holding a different credential. And we need to do this with extra care, as all these tokens are short-lived and need to be cached/refreshed periodically, which means blindly creating those clients will cause lots of rate limiting issues.
For instance, to use `github.ChecksService`, we need:
- Auth as the GitHub App itself by creating a JWT with the app's private key, to call `github.AppServiceCreateInstallationToken`
- Once we have the token, we can auth as the app installation, then call `github.ChecksService`

Which requires 2 `github.Client`s in total.
Hello @ashi009 I faced the same situation and I created a similar issue #3178.
Thread discussion with @gmlewis led to creating a new package to handle this functionality: https://github.com/jferrl/go-githubauth. Just take a look; it's compatible with golang.org/x/oauth2 `oauth2.TokenSource` and could be used with `oauth2.ReuseTokenSource` to handle token refreshing.
from go-github.
I don't quite understand what is being proposed here. Is it the idea of handling auth in go-github itself to save from having to bring in third party dependencies or is it something bigger that looks at the endpoint being called and chooses the right kind of authentication to use?
from go-github.
Both.
- bring in the code for generating the app JWT and auto-refreshing the installation token, which is like less than 100 lines of code if we use "github.com/golang-jwt/jwt/v5" and "golang.org/x/oauth2"
- make some change to the API to allow switching between creds more easily
from go-github.
Hmmm... one of the things we try hard to do in this repo is keep the dependencies to an absolute minimum.
I'm not sure that we really want to pull in JWT manipulation code as a dependency here.
I'm fine with adding examples that pull in those dependencies, but not as helpers in the main repo if we can avoid it.
In fact, this exact conversation is how the `ghinstallation` repo was originally started as an external helper repo.
If you want that kind of functionality, we prefer that it is implemented in an external repo and we are happy to point to it from this repo as an example of usage.
from go-github.
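The two credential steps discussed in this thread (sign a short-lived app JWT with the app's private key, then share one cached installation token until shortly before it expires), as an added example using only the Go standard library; it is not code from go-github, ghinstallation or go-githubauth. `appJWT`, `cachedSource`, `demoKey` and the `fetch` callback are hypothetical names, the key and app ID are constructed, and `fetch` stands in for the installation-token API call.

```go
package main

import (
	"crypto"
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
	"encoding/base64"
	"encoding/json"
	"fmt"
	"sync"
	"time"
)

var demoKey, _ = rsa.GenerateKey(rand.Reader, 2048) // constructed throwaway key, not a real app key

// appJWT signs the RS256 JWT that authenticates as the app itself (hypothetical helper).
func appJWT(key *rsa.PrivateKey, appID string, now time.Time) (string, error) {
	enc := base64.RawURLEncoding.EncodeToString
	// iat is backdated 60s for clock drift; exp stays within GitHub's 10-minute limit.
	claims, _ := json.Marshal(map[string]any{"iss": appID,
		"iat": now.Add(-time.Minute).Unix(), "exp": now.Add(9 * time.Minute).Unix()})
	signing := enc([]byte(`{"alg":"RS256","typ":"JWT"}`)) + "." + enc(claims)
	sum := sha256.Sum256([]byte(signing))
	sig, err := rsa.SignPKCS1v15(rand.Reader, key, crypto.SHA256, sum[:])
	return signing + "." + enc(sig), err
}

// cachedSource shares one installation token between callers and refreshes it a minute before expiry.
type cachedSource struct {
	mu     sync.Mutex
	token  string
	expiry time.Time
	now    func() time.Time
	fetch  func() (string, time.Time, error) // assumption: exchanges an app JWT for an installation token
}

func (c *cachedSource) Token() (string, error) {
	c.mu.Lock()
	defer c.mu.Unlock()
	if c.token != "" && c.now().Before(c.expiry.Add(-time.Minute)) {
		return c.token, nil
	}
	var err error
	c.token, c.expiry, err = c.fetch() // a failed fetch clears the cache, so the next call retries
	return c.token, err
}

func main() {
	fmt.Println(appJWT(demoKey, "12345", time.Now())) // "12345" is a constructed app ID
}
```

Holding the lock across `fetch` means concurrent callers wait for a single refresh rather than each minting their own token.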