I use "Fine-grained personal access tokens”.
However, I want to use the access token to access my personal and organization's private repositories.
How can I do it?
A fined-grained token is tied to a "Resource Owner" (Organization or user)
That means it is not meant to allow access to multiple resources.
The best practice is therefore to have separate token, one per owner.
Related
I've set up the access token strategy for a GitHub organization so that access token require admin approval. As the picture below says: "All access requests by organization members to this organization must be approved before the token is usable."
However I do not find anywhere where such a request can be made.
We have a bot account that's supposed to post issues on one of the organization's private repositories. When creating a personal access token (fine grained) for the bot account, no such request is being made (and no access is given) and there is no option to pick a repository from the organization or something along those lines.
So how do you send a request for access token permission to an organization?
So how do you send a request for access token permission to an organization ?
It seems to be done automatically, according to the documentation:
When organization members create a fine-grained personal access token to access resources owned by the organization, if the organization requires approval for fine-grained personal access tokens, then an organization owner must approve the token before it can be used to access any resources that are not public.
For more information, see "Setting a personal access token policy for your organization."
GitHub will notify organization owners with a daily email about all fine-grained personal access tokens that are awaiting approval.
When a token is denied or approved, the user who created the token will receive an email notification.
Check first if an email is received (assuming the email associated to your bot is accessible).
I have two realms, a public webapp and an extranet where only employees can access.
I have tried setting group policies.
When I try to connect with an non-employee user, keycloak still returns the access token.
What did I miss?
EDIT.
I made a mistake, I only have 2 clients.
You have to limit the access granted to your access token to achieve this. There are three ways to do it (that I know of)
Audience: Allows listing the resource providers that should accept an access token.
Roles: Through controlling what roles a client has access to, it is
possible to control what roles an application can access on behalf
of the user.
Scope: In Keycloak, scopes are created through client scopes, and an
application can only have access to a specific list of scopes.
You can look at this example which explains the flow on how to achieve this using role based method. You can refer this as well.
So I wish to use an Emacs plugin called grip-mode, which uses an application called grip under the hood that uses GitHub’s API to render markdown text. But unless an access token (which can have an empty scope) is provided, it hits GitHub’s hourly rate limits. So I want to put an empty-scoped access token for grip-mode. Problem is, my Emacs configuration is stored in a public repository, and so, I want to make sure an access token with an empty scope can’t be used maliciously before I put it in my configuration. So, can an empty-scoped access token be used maliciously? Or is it harmless to use it?
Not a complete answer, but at least one can use the PAT to consume your API limits, either by using the plugin normally or using the token maliciously.
From GitHub docs:
Authenticated requests are associated with the authenticated user, regardless of whether Basic Authentication or an OAuth token was used.
For example they can scrape PATs exposed on GitHub and use the tokens to perform high-rate API calls.
Or if one of your user use the token frequently, all other users will not be able to use the plugin.
Also, GitHub does not recommend using your PAT in this case
Let's say I have a gitlab access token (generated and given to an application by a user). I can find if that token can be used to read from a repository by actually trying to read some data and seeing if that operation succeeds.
How do I find whether that token has write permissions (making commits) for a specific repository?
Beside trying a write operation, I don't know of an API which would be able to get the scope of a token.
As this issue illustrates, the scope is what you are looking for: "Limiting scopes of a personal access token"
Check if your token is listed when getting impersonation tokens: that API returns associated scopes.
I am working to build an application which would be able to create custom audiences for many of our clients for facebook ads. I came to know that the most suitable access token for this purpose is system user token (correct me if I am wrong). To get regular user access tokens, we can make a user go through the traditional oAuth flow, I am looking for something similar to get system user access token. How can I get it for any of my clients? Thanks
You must create your system users in the Business Manager of your company:
https://business.facebook.com/settings/system-users?business_id=<YOUR_BUSINESS_ID>
Once you create a system user, you can generate a token for him associated with a given app.
Meanwhile, on your business settings (as stated in the docs) you can request access to an ad_account.
Request Access to an Ad Account: If you request access to an ad
account in Business Manager, the admin of that Business Manager can
grant you permission to work on it.
Once your client gives your Business permission to work with one or more of their ad_accounts, those ad_accounts will appear in your Business Manager. (menu on the left).
At that point, when checking the profile of your system users, you can click on assign assets to give the system user access to pages and ad_accounts.
The token you generated for the pair [system_user,app_id] does not need to be reissued to reflect the addition of assets to which the system_user has access.