Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Feature: Support authenticating as a GitHub App with user access/refresh tokens #113

Open
object-Object opened this issue Jun 29, 2024 · 3 comments
Open

Feature: Support authenticating as a GitHub App with user access/refresh tokens #113

object-Object opened this issue Jun 29, 2024 · 3 comments

Comments

@object-Object
Copy link

object-Object commented Jun 29, 2024
edited
Loading

I'm writing an application that uses an expiring user access token to authenticate a GitHub App on behalf of a user. This process uses the OAuth web flow to generate an access token and refresh token; these are valid for 8 hours and 6 months, respectively. I want to store the access and refresh tokens so that users don't have to log in each time they use the app.

I see that githubkit has OAuthWebAuthStrategy, which is useful for the initial login; however, it seems like the access and refresh tokens are stored in private variables in OAuthWebAuth, and I don't see an obvious public way to access them or to force it to fetch them. I also couldn't find an AuthStrategy that takes an access or refresh token as the input.

Ideally, this is the sort of code I would like to be able to write:

# initial login
github = GitHub(OAuthWebAuthStrategy(client_id, client_secret, code))
access_token, refresh_token = github.get_app_user_access_token()

# subsequent usages
github = GitHub(AppUserAuthStrategy(client_id, client_secret, access_token, refresh_token))

GitHub app user auth flow docs:

https://docs.github.com/en/apps/creating-github-apps/authenticating-with-a-github-app/generating-a-user-access-token-for-a-github-app#using-the-web-application-flow-to-generate-a-user-access-token

For comparison, here's how PyGithub's app user authentication works:

https://pygithub.readthedocs.io/en/stable/examples/Authentication.html#app-user-authentication
@yanyongyu
Copy link
Owner

Actually, the github app user access auth flow is a oauth workflow. Currently, you can do this as examples here:

from githubkit import GitHub

# auth as github app itself
g = GitHub(AppAuthStrategy(app_id, private_key, client_id, client_secret))

# switch to app user auth
user_github = g.with_auth(g.as_oauth_app().as_web_user(code))

@object-Object
Copy link
Author

object-Object commented Jun 29, 2024
edited
Loading

Right, but I don't have code anymore after the first login. Sorry, I think the example I gave maybe wasn't very good.

User logs into the app:

# initial login
github = GitHub(OAuthWebAuthStrategy(client_id, client_secret, code))
access_token, refresh_token = github.get_app_user_access_token()

write_tokens_to_database(user_id, access_token, refresh_token)

Later, maybe the next day and in a different part of the app, user uses the app without having to go through the OAuth web flow again:

# subsequent usages
access_token, refresh_token = read_tokens_from_database(user_id)

github = GitHub(AppUserAuthStrategy(client_id, client_secret, access_token, refresh_token))

So I think I wouldn't be able to use .as_web_user(code) for the second one, because I don't have code at that point, only the tokens I exchanged it for.

@yanyongyu
Copy link
Owner

I see... It seems i need to add a simple (token, expire token) auth strategy for oauth app. I'm also developping a github app and i disable the token expire for the user token 😂. I can use the simple token auth strategy for stored user token.

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Assignees
No one assigned
Labels
None yet
Projects
None yet
Milestone
No milestone
Development

No branches or pull requests
2 participants
@object-Object @yanyongyu