github sending alert emails that they will disallow access tokens in the URL query string
Hi there -
Very few hits on Google for this and I think this is all new. GitHub is sending these emails:
[GitHub API] Deprecation notice for authentication via URL query parameter
Hi @sqla-tester,
On February 3rd, 2020 at 23:36 (UTC) your application (sqlalchemy-gerrit) used an access token (with the User-Agent Java/1.8.0_212) as part of a query parameter to access an endpoint through the GitHub API:
Please use the Authorization HTTP header instead as using the access_token query parameter is deprecated.
Depending on your API usage, we'll be sending you this email reminder once every 3 days for each token and User-Agent used in API calls made on your behalf. Just one URL that was accessed with a token and User-Agent combination will be listed in the email reminder, not all.
Visit https://developer.github.com/changes/2019-11-05-deprecated-passwords-and-authorizations-api/#authenticating-using-query-parameters for more information.
The gerrit oauth provider accesses the https://api.github.com/user URL right here: https://github.com/davido/gerrit-oauth-provider/blob/0f807f680d3b204e0d376b473d8a84076a67f138/src/main/java/com/googlesource/gerrit/plugins/oauth/GitHubOAuthService.java#L79
```java
public OAuthUserInfo getUserInfo(OAuthToken token) throws IOException {
  OAuthRequest request = new OAuthRequest(Verb.GET, PROTECTED_RESOURCE_URL);
  Token t = new Token(token.getToken(), token.getSecret(), token.getRaw());
  // signRequest is where the token gets attached to the request (see scribe below)
  service.signRequest(t, request);
  Response response = request.send();
```
and I believe the access_token is hardwired to be in the query string assuming the scribe library in use is here: https://github.com/dsyer/scribe-java/blob/master/src/main/java/org/scribe/oauth/OAuth20ServiceImpl.java#L59
```java
public void signRequest(Token accessToken, OAuthRequest request)
{
  // OAuth 2.0 token is always added as the access_token query parameter, never as a header
  request.addQuerystringParameter(OAuthConstants.ACCESS_TOKEN, accessToken.getToken());
}
```
I apologize if I'm getting this all wrong. I have a lot of GitHub / Gerrit integration going on, but I wrote all of it in Python and it's using access_token in the headers; the oauth plugin is the only tool I have installed in my Gerrit server that would report Java as the user agent, and the api.github.com/user URL hardwired in the oauth plugin here plus the behavior of "scribe" would seem to be the source of the issue. It just seems surprising to me that nobody has reported this yet!
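As an added illustration (not code from this issue, from gerrit-oauth-provider or from scribe-java), the following Python shows the two ways of attaching a token that the email contrasts, and a small checker that finds callers still affected by the deprecation by scanning request URLs or access-log lines for a credential in the query string. The endpoint is the one the plugin calls; the token values, the log lines and the helper names are constructed for the example.

```python
"""Added example: query-string vs Authorization-header token delivery to the
GitHub API, plus a scanner for requests that still carry the token in the URL.
Not code from gerrit-oauth-provider or scribe-java; log lines and tokens are
constructed placeholders."""
from __future__ import annotations

import re
from urllib.parse import parse_qsl, urlencode, urlsplit, urlunsplit

GITHUB_USER_URL = "https://api.github.com/user"  # endpoint the plugin hits
# Query parameter names that carry a credential (assumption for this example).
CREDENTIAL_PARAMS = frozenset({"access_token", "client_secret"})


def sign_with_query_param(url: str, token: str) -> tuple[str, dict]:
    """Deprecated form (what scribe's signRequest does): the token is appended to
    the URL. Anything that records the URL (proxies, server access logs, browser
    history, Referer headers) then records the credential."""
    parts = urlsplit(url)
    query = parse_qsl(parts.query, keep_blank_values=True)
    query.append(("access_token", token))
    return urlunsplit(parts._replace(query=urlencode(query))), {}


def sign_with_header(url: str, token: str) -> tuple[str, dict]:
    """Form GitHub asks for: URL untouched, token carried in the Authorization
    header, which is not written to ordinary access logs or copied into Referer."""
    return url, {"Authorization": f"token {token}"}


def credential_params_in_url(url: str) -> list[str]:
    """Names of query parameters in `url` (absolute or path-only) that carry a credential."""
    return [name for name, _ in parse_qsl(urlsplit(url).query, keep_blank_values=True)
            if name in CREDENTIAL_PARAMS]


def redact_url(url: str) -> str:
    """Replace credential values in the query string so the URL can be reported safely."""
    parts = urlsplit(url)
    query = [(k, "REDACTED" if k in CREDENTIAL_PARAMS else v)
             for k, v in parse_qsl(parts.query, keep_blank_values=True)]
    return urlunsplit(parts._replace(query=urlencode(query)))


# Constructed access-log sample in combined log format: one Java caller (the
# plugin's default user agent in the email) leaking the token twice, one
# Python caller that uses the header and therefore shows nothing in the URL.
ACCESS_LOG = """\
10.0.0.5 - - [03/Feb/2020:23:36:02 +0000] "GET /user?access_token=ghp_CONSTRUCTED000 HTTP/1.1" 200 512 "-" "Java/1.8.0_212"
10.0.0.6 - - [03/Feb/2020:23:36:09 +0000] "GET /user HTTP/1.1" 200 512 "-" "python-requests/2.22.0"
10.0.0.7 - - [03/Feb/2020:23:37:41 +0000] "GET /repos/x/y/pulls?state=open&access_token=ghp_CONSTRUCTED111 HTTP/1.1" 200 2048 "-" "Java/1.8.0_212"
"""

LOG_RE = re.compile(
    r'"(?P<method>[A-Z]+) (?P<target>\S+) HTTP/[\d.]+" \d+ \d+ "[^"]*" "(?P<ua>[^"]*)"'
)


def find_query_token_callers(log_text: str) -> list[tuple[str, str]]:
    """Return (user_agent, redacted_target) for every logged request whose query
    string carries a credential. The user agent is what identifies the client
    that needs fixing, as in GitHub's reminder email."""
    hits = []
    for line in log_text.splitlines():
        m = LOG_RE.search(line)
        if not m:
            continue
        target = m.group("target")
        if credential_params_in_url(target):
            hits.append((m.group("ua"), redact_url(target)))
    return hits


if __name__ == "__main__":
    bad_url, _ = sign_with_query_param(GITHUB_USER_URL, "ghp_CONSTRUCTED000")
    good_url, headers = sign_with_header(GITHUB_USER_URL, "ghp_CONSTRUCTED000")
    print("deprecated:", redact_url(bad_url))
    print("preferred: ", good_url, {k: "token REDACTED" for k in headers})
    for ua, target in find_query_token_callers(ACCESS_LOG):
        print(f"still using query parameter: {ua} -> {target}")
```

Running the scanner over real access or proxy logs is the quickest way to confirm which client produced the reminder; here it reports only the Java/1.8.0_212 requests, matching the user agent named in the email.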
Issue created 4 years ago; 1 reaction; 33 comments (16 by maintainers).
All changes were merged. New plugin release based on Gerrit 3.1.3 plugin API is here: [1].
For other releases, please consult GerritForge-CI, e.g. for the 2.16 branch: [2].
[1] https://github.com/davido/gerrit-oauth-provider/releases/tag/v3.1.3 [2] https://gerrit-ci.gerritforge.com/job/plugin-oauth-bazel-stable-2.16
Right. The changes linked in my previous comment are not merged yet.