Fixed Deprecating API authentication through query parameters

[kick]

Affected version

2.2.5 and earlier

Deprecating API authentication through query parameters

Get started with one of our guides, or jump straight into the API documentation.

developer.github.com

As outlined in thread title, tokens have to be passed as header instead of query params to Github now.

 

[Chris D]

This was fixed in XF 2.1.8:

Fixed - [GitHub API] Deprecation notice for authentication via URL query parameters

Hi there, just received a mail from GitHub: On February 5th, 2020 at 14:08 (UTC) your application (APP NAME) used an access token (with the User-Agent PHPoAuthLib) as part of a query parameter to access an endpoint through the GitHub API: https://api.github.com/user Please use the...

xenforo.com

 

[Chris D]

For clarity, the fix is applied in this file:

src/XF/ConnectedAccount/Service/GitHub.php

This is what we use for GitHub requests which is an extended version of the original library class. The fix for the other bug report is now applied in the same file.

 

[kick]

But this is not entirely correct. You are using AUTHORIZATION_METHOD_HEADER_BEARER.

elseif (static::AUTHORIZATION_METHOD_HEADER_BEARER === $this->getAuthorizationMethod()) {
    $extraHeaders = array_merge(array('Authorization' => 'Bearer ' . $token->getAccessToken()), $extraHeaders);
}

Resources in the REST API - GitHub Docs

Learn how to navigate the resources provided by the GitHub API.

docs.github.com

Authorizing OAuth Apps - GitHub Docs

You can enable other users to authorize your OAuth App.

docs.github.com

if you will see this links, it will be clearly visible
OAuth2 token (sent in a header)
$ curl -H "Authorization: token OAUTH-TOKEN" https://api.github.com
and
3. Use the access token to access the API
The access token allows you to make requests to the API on a behalf of a user.
Authorization: token OAUTH-TOKEN
GET https://api.github.com/user
For example, in curl you can set the Authorization header like this:
curl -H "Authorization: token OAUTH-TOKEN" https://api.github.com/user
But in the header you pass bearer
What would be correct to transmit like
$extraHeaders = array_merge(array('Authorization' => 'token ' . $token->getAccessToken()), $extraHeaders);
But bearer is passed

 

[Chris D]

Is this expressly forbidden either in their API or in the OAuth spec? Or is the current approach failing? My tests seem to indicate that things are working fine as-is.

We'll investigate further.

 

[kick]

It will work and an explanation of why the same parameters works is given on the following link, due to the fact that in some places this header is required to be passed.

Why the authentication scheme of GitHub Oauth2 Authorization header is 'token' not 'Bearer'?

According to the RFC6750, the HTTP Authentication Scheme should be 'Bearer'. But this GitHub doc uses 'token' as the scheme. I've tried both and it seems that both of those two are working. My ques...

stackoverflow.com

As for GitHub, they support the token header "Bearer" because they allow that header to be used for other kinds of tokens beyond OAuth tokens, specifically personal access tokens and GitHub App tokens.

But at any moment this may stop working and for authorization they recommend using a token

 

[Chris D]

This is fixed in XF 2.3 by virtue of the upstream library being updated.