Github enterprise -- app.get_access_token fails on Requester.py __makeAbsoluteUrl assertions.

[ruudharing]

Hi,
Running with PyGithub v1.59.1 = "latest".
Trying to follow the example in https://pygithub.readthedocs.io/en/latest/examples/Authentication.html#app-user-authentication
but for my company's internal GitHub Enterprise installation.

my_base_url="https://" + my_hostname + "/api/v3"
gh = Github( base_url=my_base_url )
app = gh.get_oauth_application( client_info[ 'client_id' ], client_info[ 'client_secret'] )
token = app.get_access_token( code_string )

The last line fails with:

Traceback (most recent call last):
    ... my code path ...  
    token = app.get_access_token( code_string )
  File "****/.local/lib/python3.8/site-packages/github/ApplicationOAuth.py", line 101, in get_access_token
    *self._requester.requestJsonAndCheck(
  File "****/.local/lib/python3.8/site-packages/github/Requester.py", line 443, in requestJsonAndCheck
    *self.requestJson(
  File "****/.local/lib/python3.8/site-packages/github/Requester.py", line 580, in requestJson
    return self.__requestEncode(cnx, verb, url, parameters, headers, input, encode)
  File "****/.local/lib/python3.8/site-packages/github/Requester.py", line 676, in __requestEncode
    url = self.__makeAbsoluteUrl(url)
  File "****/.local/lib/python3.8/site-packages/github/Requester.py", line 784, in __makeAbsoluteUrl
    assert o.path.startswith((self.__prefix, "/api/"))
AssertionError

Instrumenting my local copy of Requester.py, function __makeAbsoluteUrl(), with some print statements, just before the fail point, reveals the following:

__makeAbsoluteUrl -- url=https://github.com/login/oauth/access_token
__makeAbsoluteUrl -- o.hostname=github.com
__makeAbsoluteUrl -- o.path=/login/oauth/access_token

This shows two separate problems:

1. url and therefore o.hostname do not reflect the desired my_hostname
2. o.path is correct for the get_access_token() operation, but does not start with "/api/" and thus fails the assertion in line 784.

Tracing further back, I see that problem 1 is caused by the hard-coded url in ApplicationOAuth.py line 100 ff,
which does not allow flexibility in hostname:

        headers, data = self._checkError(
            *self._requester.requestJsonAndCheck(
                "POST",
                "https://github.com/login/oauth/access_token",
                headers={"Accept": "application/json"},
                input=post_parameters,
            )
        )

I notice that the same problems occur with ApplicationOAuth.py function refresh_access_token().

For now, I bypassed these functions. I can get an access+refresh token by using the requests library to post to the correct url,
and then directly building auth = Auth.AppUserAuth( .... ) according to the template in ApplicationOAuth.py line 123 ff.

[EnricoMi]

I think this duplicates #2485.

[ruudharing]

Thanks for your quick response!

Yes, problem # 1 above duplicates issue #2485 .

However, the 2nd problem then remains: the various /login/oauth/... paths do not start with "/api/" and fail the assertion when passed to requestJsonAndCheck() ... -> __makeAbsoluteUrl().

[EnricoMi]

Can you confirm that f"https://{my_hostname}/login/oauth/access_token" works in your enterprise installation?

[ruudharing]

Yes, it does.

My current work-around code for obtaining a new token (given a code_string obtained from the web authorization flow):

        else :                                                                #  Step 3. We have a code_string. Exchange it for (access_token, refresh_token)
            print( f"{function_name}() -- OK, received authorization code... converting to access_token..." )

            access_t_url = f"https://{my_hostname}/login/oauth/access_token"

            payload = { 'client_id'     : client_info[ 'client_id' ],
                        'client_secret' : client_info[ 'client_secret' ],
                        'code'          : code_string
                      }
            r = requests.post( access_t_url, params=payload )

            if debug : print( f"{function_name}() -- posting to: {r.url}" )
            if debug : print( f"{function_name}() -- response= {r.text}" )    # Step 4: parse the "query parameter string" of the response, and convert it to a "token_dict"
            token_dict = dict( urllib.parse.parse_qsl(r.text) )
            if debug: print( f"{function_name}() -- token_dict={token_dict}" )

and similarly for refreshing:

    if next_step == 'refresh_token' :                 # If we found a previous, and still valid, refresh_token from tokens_file, use it to get a new token set
        if debug or verbose : print( f"{function_name}() -- Using existing GitHub refresh_token to get new access_token..." )
                                                                              # procedure: see https://docs.github.com/en/apps/creating-github-apps/authenticating-with-a-github-app/refreshing-user-access-tokens#refreshing-a-user-access-token-with-a-refresh-token
        access_t_url = f"https://{my_hostname}/login/oauth/access_token"      # Step 1:  POST request

        payload = { 'client_id'     : client_info[ 'client_id' ],
                    'client_secret' : client_info[ 'client_secret' ],
                    'grant_type'    : 'refresh_token',
                    'refresh_token' : refresh_token
                  }
        r = requests.post( access_t_url, params=payload )

        if debug : print( f"{function_name}() -- posting to: {r.url}" )
        if debug : print( f"{function_name}() -- response= {r.text}" )        # Step 2: parse response
        token_dict = dict( urllib.parse.parse_qsl(r.text) )                   # parse the "query parameter string" of the response, and convert it to a "token_dict"
        if debug: print( f"{function_name}() -- token_dict={token_dict}" )

Does this help?

[EnricoMi]

Can you try if the following fix works for you?

pip install git+https://github.com/enricomi/pygithub.git@oauth-enterprise

[ruudharing]

Enrico -- took a bit of hacking.
Unfortunately the above pip install command did not work for our Linux installations, due to a missing git auxiliary executable git-remote-https. An attempt using git+git also failed.

So I hacked around it: I cloned your repo, found the commit, and copied your updated files into my local 1.59.1 install.
Worked right away. Both the new_token and refresh_token flows now work as advertised in https://pygithub.readthedocs.io/en/latest/examples/Authentication.html#app-user-authentication, as long as all the Github invocations are of the form

g = Github( base_url=f"https://{my_hostname}/api/v3" )

Thanks for fixing this!