Tags: authentication, jwt, octokit

Octokit - how to authenticate as an app (JWT)


So I'm building a GitHub App, and I want to be able to authenticate as the app so I can do GraphQL calls as that user. So, I can authenticate as the app and get the JWT, but I can't seem to use the JWT. Code looks like:

const { Octokit } = require("@octokit/core");
const { createAppAuth } = require("@octokit/auth-app");
const fs = require("fs");

const auth = createAppAuth({
  appId: process.env.APP_ID,
  privateKey: fs.readFileSync(__dirname + "/../" + process.env.PRIVATE_KEY_PATH, "utf-8"),
  clientId: process.env.CLIENT_ID,
  clientSecret: process.env.WEBHOOK_SECRET
});

// Send requests as GitHub App
async function main() {
  // type "app" yields the short-lived JWT that identifies the app itself
  const { token } = await auth({ type: "app" });
  console.log(token); // debugging only; the JWT is a credential
  const appOctokit = new Octokit({
    baseUrl: "https://github.<company>.com/api/v3",
    auth: `token ${token}`
  });
  // the response body is under `data`; this call is the one that fails
  const { data: { slug } } = await appOctokit.request("GET /user");
  console.log("authenticated as %s", slug);
}

main().catch(err => {
  console.log(err.message);
  console.log(err.stack);
  console.log("oops");
});

I end up getting an HttpError: Bad Credentials.

What am I missing?


Solution

The reason for the bad credentials error is that you are trying to authenticate as the app for the GET /user request. This is a user-specific request, which requires an OAuth token.

Try sending GET /app instead; it should work.

If you do want to authenticate as a user, then there are two ways to receive an OAuth token through a GitHub App (GitHub calls these user-to-server tokens, because the token is authorized by both the app and the user).

1. OAuth Web flow
2. OAuth Device flow

For the Web Flow, see https://github.com/octokit/auth-app.js/#user-authentication-web-flow. You will need a server that can receive the HTTP redirect from GitHub. You can use the @octokit/app SDK, which exports a Node middleware for that and other OAuth-related use cases, as well as webhooks: https://github.com/octokit/app.js/#middlewares

For the OAuth Device Flow, see https://github.com/octokit/auth-app.js/#user-authentication-device-flow.

If you want to authenticate using the OAuth Device Flow without exposing the OAuth Client Secret, you can use the dedicated OAuth Device Flow authentication strategy: https://github.com/octokit/auth-oauth-device.js