magit/ghub

The token wizard will break in November

shackra opened this issue · 11 comments

Got this in my email yesterday:

Hi @shackra,

On April 27th, 2020 at 04:31 (UTC) you or an application you used recently accessed the deprecated Authorizations endpoint on the GitHub API with the useragent URL/Emacs Emacs/28.0.50 (X11; x86_64-pc-linux-gnu).

We will remove the Authorizations API endpoint on November 13, 2020. If you accessed the API via password authentication, then we recommend you use the web flow to authenticate. Please check that your app uses the web flow for authentication https://developer.github.com/apps/building-oauth-apps/authorizing-oauth-apps/#web-application-flow

You can learn more about these changes by visiting our developer blog https://developer.github.com/changes/2020-02-14-deprecating-oauth-auth-endpoint/

Thanks,
The GitHub Team

Shouldn't this be addressed?

I've been aware of these plans for a while but didn't act yet because I was still hoping the decision would be reversed. It's news to me that they now send out these warning emails and I take that as a sign that the decision is final.

Since ghub isn't a web application, the only choice available is to simply drop this feature. In the future GitHub users will have to manually create and store the token, just like GitLab users, which the wizard could never support.

The wizard already stopped working a while ago for GitHub users who have two-factor authentication enabled, and I haven't really tried to fix that regression because of GitHub's deprecation plans. I didn't want to invest time fixing a variant of password authentication given that password authentication was going to be removed as a whole anyway. But I wasn't certain that would really happen, so I was holding out.

Given the near-certain upcoming removal of the feature and the present breakage for two-factor users, I am more inclined to nuke the whole feature ahead of time and get it over with.

Would this mean even generated access tokens will stop working? I can only see mentions of password auth. If you create a token directly, this should still work.

Generated tokens continue to work. It's just not possible to implement a wizard to obtain a token because that required the use of a password and passwords won't be supported anymore going forward. Once you have a token (whether generated manually using the web interface or the old wizard/API) you can use that for token-based authentication, which is not going away.

Could you launch a browser that requests the token, then redirects back to a small web server running in Emacs on localhost to obtain the token?

I think generating a token manually is fine; GitHub integration is awesome in that state already. It would be too much of a burden to maintain.

Is there a way to just pass the token to ghub to store? I find it very confusing to try storing it in the backend directly.

I don't plan to implement such a way. Doing it manually is really quite simple as explained in https://magit.vc/manual/ghub/Storing-a-Token.html.

The docs explain how to add an entry in ~/.authinfo, but I found it nearly impossible to figure out how to add an entry to the GNOME keychain.

I don't know how to do that either. Sorry.

What is the correct way to check if there's a token available for an extension built on ghub?

I know it's possible to just pass :auth and we'll get an error through :errorcallback, but I'd like a way to provide a good user experience and make sure that the user knows what needs to be done.

ghub--token (which see) will inform the user about a missing token.
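
For the question above about checking for a token from an extension, here is one possible pre-flight check using Emacs's built-in auth-source library. It is an added example, not code from ghub or from any commenter. It assumes the entry layout from the linked Storing-a-Token manual page (machine HOST, login USERNAME^PACKAGE), and the `my-ext-` names are hypothetical.

```elisp
;;; -*- lexical-binding: t; -*-
(require 'auth-source)

(defun my-ext-token-stored-p (username package &optional host)
  "Return non-nil if auth-source has a non-empty secret for ghub.
Looks for the entry USERNAME^PACKAGE on HOST (default
\"api.github.com\").  Only a boolean is returned, so the token
itself is never handed to the caller or written to *Messages*."
  (let* ((entry (car (auth-source-search
                      :host (or host "api.github.com")
                      :user (format "%s^%s" username package)
                      :require '(:secret)
                      :max 1)))
         (secret (plist-get entry :secret)))
    ;; Backends usually wrap the secret in a closure; call it only to
    ;; test for emptiness and discard the value afterwards.
    (when (functionp secret)
      (setq secret (funcall secret)))
    (and (stringp secret) (> (length secret) 0))))

(defun my-ext-ensure-token (username package &optional host)
  "Signal a `user-error' with setup instructions if no token is stored."
  (unless (my-ext-token-stored-p username package host)
    (user-error
     (concat "No token for %s^%s on %s.  Create one in the web interface "
             "and store it as described in "
             "https://magit.vc/manual/ghub/Storing-a-Token.html")
     username package (or host "api.github.com"))))
```

If the auth-source backend is encrypted (for example `~/.authinfo.gpg`), the search may prompt for a passphrase, so call the check from an interactive command rather than at load time.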