octokit/authentication-strategies.js octokit/authentication-strategies.js

  • Stars
    star
    320
  • Rank 126,198 (Top 3 %)
  • Language
  • License
    MIT License
  • Created about 5 years ago
  • Updated 4 months ago
Twitter logo Share LinkedIn logo Share Facebook logo Share
octokit/authentication-strategies.js
github

octokit

Reviews

There are no reviews yet. Be the first to send feedback to the community and the maintainers!

Repository Details

GitHub API authentication strategies for Browsers, Node.js, and Deno

authentication-strategies.js

GitHub API authentication strategies for Browsers, Node.js, and Deno

Official Authentication Strategies

Personal Access Token authentication

Module: @octokit/auth-token

The simplest authentication strategy requires a user to create a personal access token at https://github.com/settings/tokens/new and pass it as the single argument to the createTokenAuth() function. You can pass in any other token such as an installation access token or a OAuth user access token, but there are dedicated strategies for the respective use cases which might be a better fit.

@octokit/auth-token is the default authentication strategy built into @octokit/core

const auth = createTokenAuth("1234567890abcdef1234567890abcdef12345678");
const { token } = await auth();

GitHub App or installation authentication

Module: @octokit/auth-app SDK: @octokit/app

A GitHub app has four different means of authentication.

  1. It can authenticate as itself using a JWT (JSON Web Token) derived from the app ID and a private key. JWT authentication is required to iterate through installations and repositories, use the marketplace APIs, or to create installation access tokens.
  2. It can authenticate as an installation using an installation access tokens. GitHub apps can be actors like GitHub users. They can create issues, manage teams, and much more. Installing a GitHub app grants access to a GitHub user account or organization, and either all or selected repositories. The installation inherits the app's permissions at this point, they will not be altered if the app's permissions change until the user/organization account owner accepts the new permissions. Installation access tokens expire after 1h, and they can be created with a subset of the installations permissions and accessible repositories.
  3. It can authenticate as OAuth App using Basic Authentication derived from the client ID and a client secret. Basic authentication is required to create, reset, refresh, scope, and delete OAuth user authentication tokens. See also OAuth App authentication
  4. It can authenticate as user using an OAuth user-to-server access token. A user-to-server token authenticates as both a user and the app/installation. It can be created using the OAuth web flow or OAuth Device flow. See also OAuth user authentication

OAuth app authentication

Module: @octokit/auth-oauth-app SDK: @octokit/oauth-app

An OAuth app has two different means of authentication.

  1. It can authenticate as OAuth App using Basic Authentication derived from the client ID and a client secret. Basic authentication is required to create, reset, refresh, scope, and delete OAuth user authentication tokens.
  2. It can authenticate as user using an OAuth user-to-server access token. A user-to-server token authenticates as both a user and the app/installation. It can be created using the OAuth web flow or OAuth Device flow. See also OAuth user authentication

There are differences between OAuth Apps and the OAuth features from GitHub Apps:

  • OAuth apps support scopes. Different scopes can be set each time a user-access token is created. They cannot be limited globally for the OAuth app.
  • GitHub apps have permissions. The are set when the app is registered. The app cannot access any repository until it is installed by a user. The installation inherits the app's permissions at the time of the installation. Permission changes need to be approved by the user.
  • OAuth apps create OAuth user access tokens which have work the same on all repositories
  • GitHub apps create OAuth user-to-server access tokens which inher both the app's user permissions as well as each installation's repository and user/organization permissions.
  • GitHub apps can enable expiration for its user-to-server access tokens. OAuth apps do not have such a feature.

OAuth user authentication

Module: @octokit/auth-oauth-user

OAuth user authentication be created by both OAuth Apps and GitHub Apps. OAuth Apps create OAuth user access tokens which are granted a set of scopes at the time of creation. GitHub apps create user-to-server tokens which authenticate as both a user and the app/installation. It can be created using the OAuth web flow or OAuth Device flow

There are differences between OAuth Apps and the OAuth features from GitHub Apps, see the list in OAuth app authentication.

Important: @octokit/auth-oauth-user requires your app's client_secret, which must not be exposed to users. If you are looking for an OAuth user authentication strategy that can be used on a client (browser, IoT, CLI), see OAUth user client authentication or Device authentication

OAuth user client authentication

🚧 TBD, see https://github.com/octokit/auth-oauth-user-client.js#readme

Device authentication

Module: @octokit/auth-oauth-device

Device flow authentication is a way to create OAuth user authentication. Unlike the web flow, there is no http redirect required in order to retrieve an OAuth code for the user access token exchange. It also does not require the client secret, which makes it a great solution for IoT devices or CLI applications.

Unfortunately the device flow cannot be used for browsers, as the APIs to request user/device codes and the user access token exchange are not enabled for cross-domain requests (CORS).

There are differences between OAuth Apps and the OAuth features from GitHub Apps, see the list in OAuth app authentication.

GitHub Action authentication

Module: @octokit/auth-action SDK: @octokit/action

GitHub actions provide a secrets.GITHUB_TOKEN variable which can be used to authenticate scripts run as part of a GitHub Action workflow.

Technically, secrets.GITHUB_TOKEN is an installation access token that has all repository permissions but only access to the current repositories. It expires after 6h or when the current workflow step is completed. It cannot be renewed as the app ID and private key credentials are not exposed.

Other Strategies

unauthenticated

Module: @octokit/auth-unauthenticated

This authentication strategy is useful to provide a helpful error message when no valid authentication can be provided. An example is an event handler for the installation webhook event when the action is delete or suspend. In this case the authorization for the installation has been revoked and no requests can be sent anymore. Instead of failing with a cryptic error message, @octokit/auth-unauthenticated can be used to explain that the access for the installation has been revoked.

callback

Module: @octokit/auth-callback

This authentication strategy accepts a single { callback } strategy option which returns either a falsy value or the string for a valid token. It's great for single-page web applications where a user can sign in/sign out without the need to re-instantiate a new octokit instance each time.

.netrc

Module: octokit-auth-netrc

Similar to token authentication, but reads the token from your ~/.netrc file

Example

// expects a personal access token to be set as `login` in the `~/.netrc` file for `api.github.com`
const { createNetrcAuth } = require("octokit-netrc-auth");
const auth = createNetrcAuth();
const { token } = await auth();

See octokit-auth-netrc for more details.

How authentication strategies work

All authentication strategies implement the same interface

const auth = authenticationStrategy(strategyOptions);
const authentication = await auth(authOptions);
auth.hook(request, route, parameters);

It can be used with an Octokit constructor by setting the authStrategy and auth constructor options. auth.hook is automatically applied to all requests sent by the octokit instance.

const octokit = new Octokit({
  authStrategy: authenticationStrategy,
  auth: strategyOptions,
});

const authentication = await octokit.auth(authOptions);

This interface an auth strategy to hook into a request lifecycle, implement request retries if necessary or transparent on-demand authentication creation.

For example, when implementing a GitHub App which acts on webhook events, a pre-authenticated octokit instance should be provided to the event handler. But an installation access token should not be created until a request is sent in that event handler.

In other cases, tokens might be invalid due to out-of-sync time between GitHub's API servers and yours. The time difference can be detected and corrected with an additional request.

authenticationStrategy(strategyOptions)

The authentication strategy is a synchronous method which returns the auth interface. strategyOptions can be optional, but must always be an object.

auth interface

The auth interface is an asynchronous function which accepts authOptions and resolves with an authentication object. authOptions can be optional, but must always be an object. The auth interface also provides an auth.hook interface which can be used to hook into the request lifecycle of @octokit/request (see options.request.hook) or octokit.request.

The authOptions.factory pattern

In some cases, auth(authOptions) needs to resolve with another auth interface, or octokit.auth(authOptions) with another octokit instance. For example, when using the GitHub App authentication strategy (@octokit/auth-app), the auth interface has an internal state that caches the installation access tokens it created for reusability

const appOctokit = new Octokit({
  authStrategy: createAppAuth
  auth: { appId, privateKey }
})

const installationAuthentication = appOctokit.auth({
  type: "installation",
  installationId
})

This internal state would get lost if a separate octokit instance would be created for an installation

const appOctokit = new Octokit({
  authStrategy: createAppAuth,
  auth: { appId, privateKey },
});

const installationOctokit = new Octokit({
  authStrategy: createAppAuth,
  auth: { appId, privateKey, installationId },
});

Instead, installationOctokit can be created from appOctokit.auth, and both can share the cached installation access tokens

const appOctokit = new Octokit({
  authStrategy: createAppAuth,
  auth: { appId, privateKey },
});

const installationOctokit = appOctokit.auth({
  type: "installation",
  installationId,
  factory: ({ octokitOptions, ...auth }) =>
    new Octokit({ ...octokitOptions, auth }),
});

Create your own Octokit authentication strategy module

Use create-octokit-project, follow instructions, and send a pull request to add your own strategy to this README

npm init octokit-project

Screenshot of a terminall running npm init octokit-project

License

MIT

More Repositories

1

octokit.js

The all-batteries-included GitHub SDK for Browsers, Node.js, and Deno.
TypeScript
6,695
star
2

octokit.rb

Ruby toolkit for the GitHub API
Ruby
3,818
star
3

octokit.net

A GitHub API client library for .NET
C#
2,591
star
4

octokit.objc

GitHub API client for Objective-C
Objective-C
1,841
star
5

core.js

Extendable client for GitHub's REST & GraphQL APIs
TypeScript
1,145
star
6

rest.js

GitHub REST API client for JavaScript
JavaScript
503
star
7

graphql.js

GitHub GraphQL API client for browsers and Node
TypeScript
446
star
8

request-action

A GitHub Action to send arbitrary requests to GitHub's REST API
JavaScript
350
star
9

webhooks.js

GitHub webhook events toolset for Node.js
TypeScript
296
star
10

go-octokit

Simple Go wrapper for the GitHub API
Go
257
star
11

request.js

Send parameterized requests to GitHub’s APIs with sensible defaults in browsers and Node
TypeScript
223
star
12

webhooks

machine-readable, always up-to-date GitHub Webhooks specifications
TypeScript
202
star
13

action.js

GitHub API client for GitHub Actions
TypeScript
173
star
14

graphql-schema

GitHub’s GraphQL Schema with validation. Automatically updated.
JavaScript
170
star
15

app.js

GitHub Apps toolset for Node.js
TypeScript
149
star
16

auth-app.js

GitHub App authentication for JavaScript
TypeScript
142
star
17

octokit.graphql.net

A GitHub GraphQL client library for .NET
C#
140
star
18

graphql-action

A GitHub Action to send queries to GitHub's GraphQL API
JavaScript
114
star
19

types.ts

Shared TypeScript definitions for Octokit projects
TypeScript
113
star
20

plugin-throttling.js

Octokit plugin for GitHub’s recommended request throttling
TypeScript
100
star
21

plugin-rest-endpoint-methods.js

Octokit plugin adding one method for all of api.github.com REST API endpoints
TypeScript
100
star
22

fixtures

Fixtures for all the octokittens
JavaScript
98
star
23

auth-token.js

GitHub API token authentication for browsers and Node.js
TypeScript
94
star
24

routes

machine-readable, always up-to-date GitHub REST API route specifications
JavaScript
84
star
25

oauth-app.js

GitHub OAuth toolset for Node.js
TypeScript
74
star
26

auth-oauth-app.js

GitHub OAuth App authentication for JavaScript
TypeScript
64
star
27

endpoint.js

Turns REST API endpoints into generic request options
TypeScript
54
star
28

go-sdk

A generated Go SDK from GitHub's OpenAPI specification.
Go
51
star
29

webhooks.net

GitHub webhook events toolset for .NET
C#
46
star
30

plugin-paginate-rest.js

Octokit plugin to paginate REST API endpoint responses
TypeScript
45
star
31

dotnet-sdk

C#
43
star
32

octopoller.rb

A micro gem for polling and retrying. Perfect for making repeating requests.
Ruby
43
star
33

auth-action.js

GitHub API token authentication for GitHub Actions
TypeScript
38
star
34

openapi

GitHub's official OpenAPI spec with Octokit extensions
JavaScript
38
star
35

openapi-types.ts

Generated TypeScript definitions based on GitHub's OpenAPI spec
JavaScript
37
star
36

plugin-paginate-graphql.js

Octokit plugin to paginate GraphQL Query responses
TypeScript
31
star
37

plugin-retry.js

Octokit plugin for GitHub’s recommended request retries
TypeScript
29
star
38

fixtures-server

Fixtures server for browser & language agnositic octokit testing
JavaScript
26
star
39

webhooks-methods.js

Methods to handle GitHub Webhook requests
TypeScript
20
star
40

plugin-enterprise-server.js

Octokit plugin for GitHub Enterprise REST APIs
TypeScript
19
star
41

octokit-next.js

JavaScript
18
star
42

oauth-authorization-url.js

Universal library to retrieve GitHub’s identity URL for the OAuth web flow
TypeScript
16
star
43

auth-oauth-user-client.js

OAuth user authentication without exposing client secret
15
star
44

create-octokit-project.js

"npm init" script to create a new Octokit JS module
JavaScript
15
star
45

auth-oauth-user.js

Octokit authentication strategy for OAuth clients
TypeScript
15
star
46

plugin-create-or-update-text-file.js

Convenience method to create/edit/delete a text file based on its current content
TypeScript
13
star
47

app-permissions

machine-readable, always up-to-date GitHub App permissions
JavaScript
10
star
48

auth-oauth-device.js

GitHub OAuth Device authentication strategy for JavaScript
TypeScript
10
star
49

request-error.js

Error class for Octokit request errors
TypeScript
9
star
50

handbook

Handbook for Octokit maintainers and GitHub integrators
9
star
51

auth-basic.js

GitHub API Basic authentication for browsers and Node.js
TypeScript
8
star
52

.github

7
star
53

discussions

discussions and planning for Octokit clients
7
star
54

plugin-request-log.js

Log all requests and request errors
TypeScript
7
star
55

source-generator

Go
6
star
56

plugin-enterprise-cloud.js

Octokit plugin for GitHub Enterprise Cloud REST APIs
TypeScript
6
star
57

tsconfig

TypeScript configuration for Octokit packages
JavaScript
5
star
58

oauth-methods.js

Request methods to create and refresh user access tokens for OAuth and GitHub Apps
TypeScript
4
star
59

auth-callback.js

GitHub API authentication using a callback method
TypeScript
4
star
60

auth-unauthenticated.js

strategy for explicitly unauthenticated Octokit instances
TypeScript
4
star
61

tf-acc-test-empty-f89p1

Terraform acceptance test f89p1
2
star
62

plugin-enterprise-compatibility.js

Octokit plugin for improving GHE compatibility
TypeScript
1
star
63

openapi-webhooks

JavaScript
1
star