I'm trying to configure Grafana to authenticate using Github, but only for members of a certain team. I've configured the documentation, but Github returns an empty list when Grafana tries to fetch the users teams.
logger=oauth.github t=2022-05-22T13:23:16.6+0000 lvl=dbug msg="HTTP GET" url="https://api.github.com/user/teams?per_page=100" status="200 OK" response_body=[]
I've configured Grafana to use the user:email,read:org scopes according to the documentation.
I figured I might have to add some permissions to the GitHub app I created, but I can't find any permission that grants access to the user/teams endpoint requested by Grafana.
What am I missing?
Just figured it out...
I had created a GitHub App, not a GitHub OAuth App.
The devil is in the details
Related
I am creating a GitHub app and, and on its permission page, in the Repositories section, I can give it a number of permissions.
The Metadata Read-Only permission is "Mandatory" and provides access to "Search repositories, list collaborators, and access repository metadata."
However, this seems to only provide access to public repos.
In https://docs.github.com/en/authentication/keeping-your-account-and-data-secure/authorizing-github-apps, it says:
When authorized, the GitHub App will be able to programmatically read the private GitHub resources that you can access (such as private GitHub repositories) where an installation of the GitHub App is also present. The application may use this, for example, so that it can show you an appropriate list of repositories.
However in the permission list of the GitHub app, there is no such permission as "Access to Private Repositories".
In https://docs.github.com/en/rest/overview/permissions-required-for-github-apps, it is mentioned that the Metadata permission:
provides access to a collection of read-only endpoints with metadata for various resources. These endpoints do not leak sensitive private repository information.
So, my understanding is that the Metadata permission is not enough to access a user's list of private repositories.
I then went into https://github.com/settings/apps/NAME_OF_MY_APP/permissions and, in the "Repository permissions" section, found a list of possible permissions, but nothing related to "private repositories".
Currently, my app is working, and providing my code with an accessToken which seems to work, because I can take that token and run:
curl -u MY_USER:MY_TOKEN "https://api.github.com/user/repos?visibility=public"
However, even though MY_USER is known to have private repos, the following yields an empty list:
curl -u MY_USER:MY_TOKEN "https://api.github.com/user/repos?visibility=private"
(The above "curl" was taken from How to Use the GitHub API to List Repositories, Carlos Schults, 7 May 2022, FuseBit)
I have been using the following endpoint to add an Administrator for a Team within a project.
$addTeamAdminUri = "https://dev.azure.com/{org}/{projuid}/_api/_identity/AddTeamAdmins?api-version=5.1-preview.1"
$teamAdminConfiguration = '{"teamId":"<teamguid>","newUsersJson":"[]","existingUsersJson":"[\"<userguid>\"]"}'
Until about a week or so ago, this would work with a Personal Access Token with Custom Scope where only some of the permissions were enabled.
However now, even if ALL the PAT permissions are enabled under Custom defined Access I still get a 401. The only way I can get this working is if I give the PAT Full Access. PAT is not expired. Anyone else experience this? I would prefer not to give Full Access.
Thanks in advance,
Jake.
What is the PAT scopes you set to run the REST API?
Please try the PAT with the scope "Project and Team: Read, write, & manage" to see if it can work.
In addition, I did not find the RESI API you are using from the Microsoft document. Where did you find this API? Please share the link of it. Thanks.
When I try to authorize Azure Devops to get access to my GitHub repositories it wants full access to everything, including:
This application will be able to read and write all public and private repository data. This includes the following:
Code
Issues
Pull requests
Wikis
Settings
Webhooks and services
Deploy keys
Collaboration invites
But that is to broad access to my taste, how can I just give it access to specific repositories without giving it access to everything?
Create a specific user that has the exact permissions you would grant, create an Access Token for that user to strip some of the requested permissions, don't use the OAuth flow.
Again i got stuck to achive the target to trigger deployment once code is pushed to repo, I search the net but i found only old information github is updated and as per there instruction i setup all values but still not working so its look i am missing something I tried to follow the instruction but it seems old http://bytes.babbel.com/en/articles/2014-01-22-github-service-hook-for-aws-ops-works.html
The interface is confusing and i am confused because there is no connection between repo name and opswork service , so what value webhook should send to opswork service ?
Below is what i understood
Setup webhook and it will trigger and send pay load to CI or services as needed once code is pushed to repo (this part is working and send payload to some where) : But this is failing because its Payload URL should i give the opswork service url generated by git hub ?
Opswork services : This is not working ,
App
Given from AWS opswork's app : opswork ID
Stack
Given from AWS opswork's stack: opswork ID
Branch name
Here is the confussion again as per github help i need to give the SHA configured for that app in the AWS OpsWorks Console ? Why should i give SHA not the Master or the link of repo ?
GitHub api url
This is optional what should i give here ?
Aws access key
No issues
Aws secret access key
No issues
GitHub token
Optional : Created token as instructed , Both with token and without token not working.
So If you check opswork is not getting triggered , I thought when i push the changes it may work internally but not.
So its seems web hook and opswork service need to be interact at some level but unable to figure it out :(
I checked git hub help also found nothing for new interface
I checked google and stackoverflow too , but not found any thing
Kindly anyone please answer .
One alternative way would be to set up AWS CodePipeline (CodeDeploy??) to deploy to your AWS Opsworks stack.
CodePipeline is a Continuous Delivery solution from Amazon. Mid 2016 they announced that CodePipeline works with OpsWorks - see their blog announcement: AWS CodePipeline Adds Integration with AWS OpsWorks. There's some walkthroughs there too, depending on what version of OpsWorks your stack is set up for.
(It does feel a bit weird to use a deployment service to deploy to a service that has an existing deployment service... but eh, thought this might help)
The problem is with the process of Github and opswork , if there is any error then both do not report user with error.
I contacted to Github support and luckily they responded me back with error message "The security token included in the request is invalid."
Then i recopied the access key and secret key removed "GitHub api url" as blank and branch name to "master" (so it will always deploy the latest version aka head)
Also make sure you need to set permission again in opswork this is separate to IAM permission ,
Steps -> Goto your stack - Permission and edit -> add user github with permission "IAM Policies Only".
There is no interaction between web hooks and integrations . so you can make use of integration services without web hook :) .
Thanks to Stack overflow , Git-hub both :)
I am trying to make request to the Graph API using a service with no UI. I downloaded the following sample code and followed the instructions: https://blog.kloud.com.au/2015/12/14/implementing-application-with-o365-graph-api-in-app-only-mode/
I successfully get an Access Token, but when using it to make a request to get organization information (required Read Directory Data access), I get 403 Unauthorized.
I have registered my app in Azure AD (where I am a co-administrator).
I have specified Microsoft Graph in the 'permissions to other applications' section, and given Read Directory Data access.
Interestingly there is a note below saying 'You are authorized to select only delegated permissions which have personal scope'. Even though I clearly did. Why? I suspect this is the source of my problem.
Likewise I have checked my demo app against these instructions: https://graph.microsoft.io/en-us/docs/authorization/app_only, but it makes no mention of what role in Azure you need to have.
in this SO post's answer, there is mention of still needing to Consent. I haven't found any documentation about this.
You are authorized to select only delegated permissions which have personal scope
This issue is caused that the app is created by none admin and when they visit the portal then will see this message.
To grant the app-only permission to the application, we need to be the administrator of the tenant. It is different with the co-administrator. To user the Client Credential flow, I suggest that you contact the admin of the tenant to create an application for you. And if you were just for testing purpose, you can create a free tenant and register the application yourself.
Update
We need the assign the Global administrator director role as figure below to make the application works for the client credential flow: