github3.exceptions.AuthenticationFailed: 401 'Expiration time' claim ('exp') must be a numeric value representing the future time at which the assertion expires #1050

Closed
ashunikam4 opened this issue Oct 27, 2021 · 2 comments

Comments

@ashunikam4

Hello Team,
Firstly, thanks for your effort on the github3.py library. It works great for us.

Recently, we have come across an issue when authenticating an app as an installation using `github3.github.GitHub.login_as_app_installation`. We get the following error:

```
github3.exceptions.AuthenticationFailed: 401 'Expiration time' claim ('exp') must be a numeric value representing the future time at which the assertion expires
```

It seems this is a popular issue when authenticating a GitHub app using JWT tokens because of clock sync (ref#1, ref#2), and the fix seems to be having a large expiry time (maximum 10 mins allowed).

So, if you allow an argument like `expire_in` for `github3.github.GitHub.login_as_app_installation`, this should be resolved. Please let me know if I am missing something, or there is a better solution than increasing the expiry time. Thanks.

@sigmavirus24
Owner

If you'd like to send a pull request to add that as an optional keyword argument to

```python
def login_as_app_installation(
    self, private_key_pem, app_id, installation_id
):
    """Login using your GitHub App's installation credentials.

    .. versionadded:: 1.2.0

    .. seealso::

        `Authenticating as an Installation`_
            GitHub's documentation of authenticating as an installation.
        `Create a new installation token`_
            API Documentation

    .. note::

        This method makes an API call to retrieve the token.

    .. warning::

        This method expires after 1 hour.

    :param bytes private_key_pem:
        The bytes of the private key for this GitHub Application.
    :param int app_id:
        The integer identifier for this GitHub Application.
    :param int installation_id:
        The integer identifier of your App's installation.

    .. _Authenticating as an Installation:
        https://developer.github.com/apps/building-github-apps/authenticating-with-github-apps/#authenticating-as-an-installation
    .. _Create a new installation token:
        https://developer.github.com/v3/apps/#create-a-new-installation-token
    """
    # NOTE(sigmavirus24): This JWT token does not need to last very long.
    # Instead of allowing it to stick around for 10 minutes, let's limit
    # it to 30 seconds.
    jwt_token = apps.create_token(private_key_pem, app_id, expire_in=30)
    bearer_auth = session.AppBearerTokenAuth(jwt_token, 30)
    url = self._build_url(
        "app", "installations", str(installation_id), "access_tokens"
    )
    with self.session.no_auth():
        response = self.session.post(
            url, auth=bearer_auth, headers=apps.APP_PREVIEW_HEADERS
        )
    json = self._json(response, 201)
    self.session.app_installation_token_auth(json)
```

I'd happily merge that. I'd like it to still default to 30s to keep the existing behaviour with documentation linking to what you've found and an explanation that one can increase that.

@ashunikam4
Author

Sure. Thanks @sigmavirus24.
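
The clock-skew failure discussed in this thread, as an added example that is not part of the original issue and is not github3.py code. It models how a 30-second `exp` computed on a slow client clock is already in the past for the server, and how a 600-second `exp` on a fast clock exceeds the 10-minute ceiling. The helpers `build_claims`, `server_check` and `tolerated_skew`, the timestamp and the app id are hypothetical, and the server check is a simplified assumption rather than GitHub's actual validation logic.

```python
# Added example: a model of the clock-skew failure, not github3.py code.
import time

MAX_LIFETIME = 600  # seconds; the 10-minute ceiling mentioned in the issue


def build_claims(app_id, expire_in, client_now=None):
    """JWT claims computed from the client's clock (hypothetical helper)."""
    if not 0 < expire_in <= MAX_LIFETIME:
        raise ValueError("expire_in must be between 1 and 600 seconds")
    now = int(time.time() if client_now is None else client_now)
    return {"iat": now, "exp": now + expire_in, "iss": app_id}


def server_check(claims, server_now):
    """Assumed, simplified server-side validation of the 'exp' claim."""
    remaining = claims["exp"] - server_now
    if remaining <= 0:
        return "rejected: exp is not in the future"
    if remaining > MAX_LIFETIME:
        return "rejected: exp is too far in the future"
    return "accepted"


def tolerated_skew(expire_in):
    """Inclusive range of (client clock - server clock) that is accepted."""
    return (1 - expire_in, MAX_LIFETIME - expire_in)


if __name__ == "__main__":
    SERVER_NOW = 1_700_000_000  # constructed timestamp
    APP_ID = 12345              # constructed app id
    for skew in (-45, 45):      # client 45 s behind, then 45 s ahead
        for expire_in in (30, 300, 600):
            claims = build_claims(APP_ID, expire_in, SERVER_NOW + skew)
            print(f"skew={skew:+}s expire_in={expire_in}s ->",
                  server_check(claims, SERVER_NOW))
    for expire_in in (30, 300, 600):
        print(expire_in, tolerated_skew(expire_in))
```

Under this model a larger `expire_in` trades tolerance for slow clocks against tolerance for fast ones, and request transit time reduces the margin further.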
