github provider should use Authorization header instead #2457

Closed
alee opened this issue Feb 4, 2020 · 2 comments · Fixed by #2458


alee commented Feb 4, 2020

GitHub is deprecating their query parameter access token based authentication in favor of setting an `Authorization:` header in the request. I think this should be a fairly simple change to the GitHub provider and adding the header to the `requests.get()` call. Happy to submit a PR for this but I'm not sure if there's anything else needed.

https://developer.github.com/changes/2019-11-05-deprecated-passwords-and-authorizations-api/#authenticating-using-query-parameters


peterbe commented Feb 4, 2020

I suspect that

```python
resp = requests.get(self.profile_url, params=params)
```

and

```python
resp = requests.get(self.emails_url, params=params)
```

need to change to something else.

What I can't see (and I've never actually worked on this code) is that we're not even using any form of authentication when we do those `requests.get(...)` calls.

alee added a commit to alee/django-allauth that referenced this issue Feb 5, 2020
- GitHub is deprecating authentication to the API using query params
  like an `access_token` query param. An `Authorization: token TOKEN`
  header should be added to the request instead.
- see also https://developer.github.com/apps/building-oauth-apps/authorizing-oauth-apps/#web-application-flow
- fixes pennersr#2457

alee commented Feb 5, 2020

I did a little more spelunking and it looks like authentication happens in the `OAuth2LoginView`, but we shouldn't have to deal with that since the rest of the OAuth2 flow remains unchanged; GitHub is just changing how it handles API requests via the OAuth2 access token.

Looking at other providers that also set the Authorization header, I think it is as simple as setting `headers={'Authorization': 'token ' + token.token}` in the followup GET requests for the email and profile info. I've opened a PR: #2458
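
The change discussed in this thread, shown as an added example that is not part of the thread or of django-allauth's code: it builds the profile request both ways with `requests` (without sending anything) and checks where the token ends up. The URL `https://api.github.com/user`, the sample token, and all function names are assumptions made for the illustration.

```python
import requests

# Assumed values for this example; the token is constructed, not a real one.
PROFILE_URL = "https://api.github.com/user"
SAMPLE_TOKEN = "gho_constructedExampleToken000"


def build_legacy(url, token):
    """Deprecated style: the OAuth2 access token rides in the query string."""
    return requests.Request("GET", url, params={"access_token": token}).prepare()


def build_header_auth(url, token):
    """Replacement style: the token is sent in the Authorization header."""
    headers = {"Authorization": "token " + token}
    return requests.Request("GET", url, headers=headers).prepare()


def token_in_url(prepared, token):
    """True if the token is part of the URL, which is what access logs,
    proxies and exception reports typically record."""
    return token in prepared.url


def log_safe(prepared):
    """Render the request for a log line, masking the Authorization value.
    Masking headers cannot help when the secret is in the URL itself."""
    headers = {
        name: "<redacted>" if name.lower() == "authorization" else value
        for name, value in prepared.headers.items()
    }
    return "{} {} {}".format(prepared.method, prepared.url, headers)


if __name__ == "__main__":
    for build in (build_legacy, build_header_auth):
        req = build(PROFILE_URL, SAMPLE_TOKEN)  # built only, never sent
        print(build.__name__, "token in URL:", token_in_url(req, SAMPLE_TOKEN))
        print("  ", log_safe(req))
```
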

pennersr pushed a commit that referenced this issue Mar 20, 2020
- GitHub is deprecating authentication to the API using query params
  like an `access_token` query param. An `Authorization: token TOKEN`
  header should be added to the request instead.
- see also https://developer.github.com/apps/building-oauth-apps/authorizing-oauth-apps/#web-application-flow
- fixes #2457
cutwater added a commit to cutwater/galaxy that referenced this issue May 14, 2020
Upgrade django-allauth to git commit 83a0f776.
It includes fix for GitHub described in
pennersr/django-allauth#2457.

Issue: ansible#2224
andrvb pushed a commit to StepicOrg/django-allauth that referenced this issue Aug 6, 2021
- GitHub is deprecating authentication to the API using query params
  like an `access_token` query param. An `Authorization: token TOKEN`
  header should be added to the request instead.
- see also https://developer.github.com/apps/building-oauth-apps/authorizing-oauth-apps/#web-application-flow
- fixes pennersr#2457