如何代表用户使用设备流进行GitHub应用身份验证?

huangapple go评论61阅读模式
英文:

How do I authenticate with a GitHub app on behalf of a user using the device flow?

问题

我所做的事情(文档):

  1. 创建一个应用程序(https://github.com/settings/apps)

    • GitHub应用名称:some-unique-name
    • 主页URL:https://example.com(是的,example.com,因为我只需要从CLI访问GitHub API,有更好的主意吗?)
    • 选中启用设备流
    • 在Webhook部分取消选中活动
    • 存储库权限:管理:读和写(也添加了元数据:只读)
  2. 登录

    $ curl -X POST \
    -H 'Accept: application/json' \
    'https://github.com/login/device/code?client_id=...'
    {"device_code":"...","user_code":"...","verification_uri":"https://github.com/login/device",...}
    
    // 在https://github.com/login/device上授权应用
    
    $ curl -X POST \
    -H 'Accept: application/json' \
    'https://github.com/login/oauth/access_token?client_id=...&device_code=...&grant_type=urn:ietf:params:oauth:grant-type:device_code'
    {"access_token":"...", ...}
    
  3. 发起请求

    $ curl -L -H 'Accept: application/vnd.github+json' \
    -H 'Authorization: Bearer ...' \
    -H 'X-GitHub-Api-Version: 2022-11-28' \
    https://api.github.com/repos/x-yuri/test-pub-repo/keys
    {"message": "Resource not accessible by integration",...}
    
    $ curl -L -H 'Accept: application/vnd.github+json' \
    -H 'Authorization: Bearer ...' \
    -H 'X-GitHub-Api-Version: 2022-11-28' \
    https://api.github.com/repos/x-yuri/test-private-repo/keys
    {"message": "Not Found", ...}
    

我正在使用我的个人账户(GitHub Free)。

英文:

What I do (the docs):

  1. Create an app (https://github.com/settings/apps)

    • GitHub App name: some-unique-name
    • Homepage URL: https://example.com (yeah, example.com, because I only need access to GitHub API from CLI, any better ideas?)
    • check Enable Device Flow
    • uncheck Active in the Webhooks section
    • repository permissions: Administration: read and write (which also adds Metadata: read-only)
  2. Log in

    $ curl -X POST \
    -H 'Accept: application/json' \
    'https://github.com/login/device/code?client_id=...'
    {"device_code":"...","user_code":"...","verification_uri":"https://github.com/login/device",...}
    
    // authorize the app at https://github.com/login/device
    
    $ curl -X POST \
    -H 'Accept: application/json' \
    'https://github.com/login/oauth/access_token?client_id=...&device_code=...&grant_type=urn:ietf:params:oauth:grant-type:device_code'
    {"access_token":"...", ...}
    
  3. Make a request

    $ curl -L -H 'Accept: application/vnd.github+json' \
    -H 'Authorization: Bearer ...' \
    -H 'X-GitHub-Api-Version: 2022-11-28' \
    https://api.github.com/repos/x-yuri/test-pub-repo/keys
    {"message": "Resource not accessible by integration",...}
    
    $ curl -L -H 'Accept: application/vnd.github+json' \
    -H 'Authorization: Bearer ...' \
    -H 'X-GitHub-Api-Version: 2022-11-28' \
    https://api.github.com/repos/x-yuri/test-private-repo/keys
    {"message": "Not Found", ...}
    

I'm using my personal account (GitHub Free).

What am I missing?

答案1

得分: 1

缺失的部分是安装GitHub应用程序。安装应用程序会赋予应用程序在创建时指定的权限。结果的权限是用户(授权应用程序的用户)和应用程序的权限的交集:

同样,用户访问令牌只能访问用户和应用程序都可以访问的资源。例如,如果应用程序被授予对存储库A和B的访问权限,而用户可以访问存储库B和C,那么用户访问令牌只能访问存储库B,而不能访问A或C。

如何操作可以在此处找到a

英文:

The missing part was installing the GitHub app. Installing an app gives the app the permissions specified when creating the app. And the resulting permissions are intersection of the user's (who authorizes the app) and app's permissions:

> Similarly, a user access token can only access resources that both the user and app can access. For example, if an app is granted access to repository A and B, and the user can access repository B and C, the user access token can access repository B but not A or C.

A howto can be found here.

huangapple
  • 本文由 发表于 2023年5月30日 07:36:35
  • 转载请务必保留本文链接:https://go.coder-hub.com/76360833.html
匿名

发表评论

匿名网友

:?: :razz: :sad: :evil: :!: :smile: :oops: :grin: :eek: :shock: :???: :cool: :lol: :mad: :twisted: :roll: :wink: :idea: :arrow: :neutral: :cry: :mrgreen:

确定