GitHub actively deprecating AUTH_URL_CLIENT_ID and AUTH_URL_TOKEN #847

Closed
sbine opened this issue Feb 6, 2020 · 11 comments · Fixed by #870

Comments

@sbine
Contributor

sbine commented Feb 6, 2020

GitHub has started sending out deprecation emails to apps using query parameters to authenticate, with instructions to switch over to Basic auth.

Relevant notice here:

GitHub is deprecating authentication to the GitHub API using query parameters, such as using an access_token query parameter for OAuth user authentication or a client_id/client_secret query parameter for OAuth application authentication. All authentication to the GitHub API should be done using HTTP basic authentication.

In this library, both Client::AUTH_URL_CLIENT_ID and Client::AUTH_URL_TOKEN authenticate via query parameters.

Client::AUTH_HTTP_PASSWORD uses Basic authentication, so I've switched my app over to that, but you may want to actively discourage/deprecate use of the query parameter auth methods (and perhaps rename AUTH_HTTP_PASSWORD to AUTH_HTTP_BASIC?)


To anyone searching for a solution to this, here's the change I made in my app:

- $client->authenticate($clientId, $clientSecret, Client::AUTH_URL_CLIENT_ID);
+ $client->authenticate($clientId, $clientSecret, Client::AUTH_HTTP_PASSWORD);
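
Review bot: on the `+` line, the mode name AUTH_HTTP_PASSWORD does not tell a reader that $clientId and $clientSecret are now sent as HTTP Basic credentials instead of query parameters. A short comment above the call saying so would keep someone from later reverting it to AUTH_URL_CLIENT_ID.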

And the contents of the GitHub email (for search engines):


[GitHub API] Deprecation notice for authentication via URL query parameters

[...] your application used its client_id and client_secret (with the User-Agent php-github-api (http://github.com/KnpLabs/php-github-api)) as part of a set of query parameters to access an endpoint through the GitHub API [...]
Please use Basic Authentication instead as using OAuth credentials in query parameters has been deprecated.

Depending on your API usage, we'll be sending you this email reminder at most once every 3 days.
Just one URL that was accessed with a User-Agent combination will be listed in the email reminder, not all.
Visit https://developer.github.com/changes/2019-11-05-deprecated-passwords-and-authorizations-api/#authenticating-using-query-parameters for more information.

@tosasystem

tosasystem commented Feb 8, 2020

I am unsure that simply switching to AUTH_HTTP_PASSWORD is enough.

As I was already using this method and I have been getting the following message for a couple of weeks:

On February 8th, 2020 at 12:45 (UTC) your personal access token (Composer on ip-10-0-0-82 2018-08-13 2125) using Composer/1.6.5 (Linux; 4.14.158-101.185.amzn1.x86_64; PHP 7.3.13) was used as part of a query parameter to access an endpoint through the GitHub API:

https://api.github.com/repositories/.......

Please use the Authorization HTTP header instead, as using the access_token query parameter is deprecated and will be removed July 1st, 2020.

So I guess there is something else to correct. In my code, I only use the following method:
$client->api('repo')->contents()->download(...)

@sbine
Contributor Author

sbine commented Feb 8, 2020

@tosasystem that error looks to be related to Composer—I believe Composer was also previously using query parameters to authenticate, but updating to the latest version should fix that.

@GrahamCampbell
Contributor

Yeh, they fixed it in 1.9.3. ;)

@tosasystem

tosasystem commented Feb 9, 2020

Thanks a lot. I updated composer but there is something I am missing. What does php-github-api use Composer for while running? Also, when I deploy my system I have php-github-api in my required package, but I don't see composer generating any dependency on itself. Does it mean (but it's just curiosity) that composer has to be present in the working directory of the application for php-github-api to work?

@acrobat
Collaborator

acrobat commented Feb 9, 2020

@tosasystem The email you received had nothing to do with this library. It was composer that used a deprecated usage; most likely you triggered it by running a composer update/install. See 460c673 for the fix in composer.

@tosasystem

Thanks a lot. The use of composer by the library did not make any sense to me. Now I understand.

@SmuSmu

SmuSmu commented Feb 14, 2020

The Doc says Github\Client::AUTH_URL_TOKEN is the default method. So switching to AUTH_HTTP_TOKEN should be fine as default until July 1st, 2020.

Maybe use a new major Version Number to respect this breaking change to avoid confusing users.

@danepowell

danepowell commented Apr 1, 2020

My app uses AUTH_HTTP_TOKEN, but I just got the same email from Github saying my token was used as part of a query parameter. How is that possible? Could there be a bug where php-github-api is still sending tokens as a query parameter even if AUTH_HTTP_TOKEN is selected?

Related, where someone else confirmed that AUTH_HTTP_TOKEN should be safe: #837

Edit: never mind! It's a bug in another library not related to this package 😄 consolidation/robo#936

@GrahamCampbell
Contributor

Related: #849.

@harryqt

harryqt commented May 19, 2020

So, Github\Client::AUTH_ACCESS_TOKEN is now the recommended method?

@acrobat
Collaborator

acrobat commented May 19, 2020

Yes, Github pushes this method as it is easy to use and safer than passing the token through the url. But you can also use client_id/secret or jwt depending on what solution you are building.
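
Several commenters above had to work out which tool was actually sending credentials in the query string (Composer and Robo rather than this library). The following is an added example, not code from this thread or from php-github-api: it scans a log of outbound requests and groups offending requests by User-Agent, the same pairing GitHub's email reports. The log format, `SAMPLE_LOG`, and the function names are assumptions constructed for illustration; the parameter names and User-Agent strings follow those quoted in the thread.

```python
import re
from collections import defaultdict
from urllib.parse import parse_qsl, urlencode, urlsplit, urlunsplit

# Query parameters named in GitHub's deprecation notice.
CREDENTIAL_PARAMS = {"access_token", "client_id", "client_secret"}

# Assumed log format (constructed for this example): METHOD URL "User-Agent"
LINE_RE = re.compile(r'^(?P<method>[A-Z]+) (?P<url>\S+) "(?P<ua>[^"]*)"$')

# Constructed sample lines; tokens and repository names are placeholders.
SAMPLE_LOG = """\
GET https://api.github.com/repos/example-org/example-repo/contents/README.md?access_token=EXAMPLE_TOKEN_1 "Composer/1.6.5"
GET https://api.github.com/user/repos?client_id=EXAMPLE_ID&client_secret=EXAMPLE_SECRET&page=2 "php-github-api (http://github.com/KnpLabs/php-github-api)"
GET https://api.github.com/user/repos?page=2 "php-github-api (http://github.com/KnpLabs/php-github-api)"
GET https://example.test/callback?access_token=EXAMPLE_TOKEN_2 "curl/7.68.0"
"""

def redact(url):
    """Return the URL with credential parameter values replaced, so the report is safe to share."""
    parts = urlsplit(url)
    query = [(k, "REDACTED" if k in CREDENTIAL_PARAMS else v)
             for k, v in parse_qsl(parts.query, keep_blank_values=True)]
    return urlunsplit(parts._replace(query=urlencode(query)))

def find_query_auth(log_text, host="api.github.com"):
    """Map User-Agent -> list of (credential params found, redacted URL)."""
    findings = defaultdict(list)
    for line in log_text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue
        parts = urlsplit(m["url"])
        if parts.hostname != host:
            continue  # requests to other hosts are out of scope here
        names = {k for k, _ in parse_qsl(parts.query, keep_blank_values=True)}
        used = sorted(names & CREDENTIAL_PARAMS)
        if used:
            findings[m["ua"]].append((used, redact(m["url"])))
    return dict(findings)

if __name__ == "__main__":
    for ua, hits in find_query_auth(SAMPLE_LOG).items():
        for params, url in hits:
            print(f"{ua}: {', '.join(params)} in {url}")
```

Grouping by User-Agent is what separates a finding in your own application from one caused by a dependency manager or task runner on the same host.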
