web browser authentication in GitHub Actions for Oauth token - r

I'm trying to use GitHub Actions to query the GitHub API using an OAuth 2.0 token through an R script. It works fine on my local machine when I run the code, where a browser window pops up indicating "Waiting for authentication in browser..." that I can manually close. When run through GitHub Actions, the workflow hangs at the "Waiting for authentication in browser..." since it's on a remote machine.
I'm using a custom R script with the httr library. The API credentials are stored as secrets for the repository I'm trying to query.
library(httr)
gh_key <- Sys.getenv('GH_KEY')
gh_secret <- Sys.getenv('GH_SECRET')
# setup app credentials
myapp <- oauth_app(appname = "data-in-r",
key = gh_key,
secret = gh_secret)
# get oauth credentials
github_token <- oauth2.0_token(oauth_endpoints('github'), app = myapp, cache = F)
# use api
gtoken <- config(token = github_token)
# get list of remote files in data folder
req <- GET("https://api.github.com/repos/tbep-tech/piney-point/contents/data", gtoken)
When the script is run through GitHub Actions, it looks like as below, where I had to manually cancel the workflow since it was hung at the browser step.
Is there a workaround for skipping the browser step so it will run on GitHub Actions? The offending repo is here.

You cannot use the 3-legged variant of OAuth2.0 (aka "web-application flow") in a headless environment like Github Actions.
If you want to use OAuth (I list other possibilities below), then you need to utilize what gitlab calls the "device-flow". See github documentation.
In this flow, there is no redirect to a given URL, so the app does not need a browser window. Instead it displays a code to the user. The user must the enter that code on a fixed URL (https://github.com/login/device). As soon as this is done, the app can request the authentication token. (So the app must keep polling until the user has entered the code).
Unfortunately, httr does not have nice wrapper functions for this variant, so you have to do the calls yourself. It can work like this:
library(httr)
app_id <- "*redacted*"
r <- POST("https://github.com/login/device/code",
body = list(
client_id = app_id,
scope = "user repo delete_repo" #Scope must be given! https://docs.github.com/en/developers/apps/building-oauth-apps/scopes-for-oauth-apps
))
device_code <- content(r)$device_code
print(paste0("Enter the code ", content(r)$user_code, " at ", content(r)$verification_uri))
## NOTE: In reality this request has to run in a loop, until the user has entered the code und the request succeeds.
## For the demo we can execute it manually after the code has been entered.
r <- POST("https://github.com/login/oauth/access_token",
body = list(
client_id = app_id,
device_code = device_code,
grant_type = "urn:ietf:params:oauth:grant-type:device_code"
))
token <- content(r)$access_token
## create and delete a private testrepository to check if everything worked
r <-
POST("https://api.github.com/user/repos",
add_headers(Authorization = paste("token", token)),
body = list(name = "testrepo",
private = TRUE,
auto_init = FALSE),
encode = "json")
r <- DELETE(paste0("https://api.github.com/repos/", content(r)$full_name),
add_headers(Authorization = paste("token", token)))
I have seen that there is httr2, and that it offers convenience functions for this flow. I have however never used it and do not know if it already works reliable. See here.
Since this flow still requires user interaction, you may be better of with one of the following variants (I do not know if they fit your use case.):
Basic Auth:
You can define what github calls a "personal access token" beforehand. With this token you can authenticate without further interaction. Creation is described here. In R you can use it most easily together with httr::authenticate.
GITHUB_TOKEN:
Github automatically creates special secrets specifically Github Actions. These can be used to execute actions in the containing repository. For more info see here.

Related

Is the rfacebookstat package secure?

Full disclaimer - I'm a bit of an API noob and I don't have much experience with OAuth or token authorization in general.
I see that the rfacebookstat package is on CRAN but I'm in particular concerned about the following function:
function(
app_id = NULL,
scopes = c("ads_read", "business_management", "pages_manage_ads", "ads_management", "public_profile") ){
if(is.null(app_id)) stop("Enter your app id.")
scopes <- paste(scopes, collapse = ",")
utils::browseURL(paste0("https://www.facebook.com/dialog/oauth?client_id=",app_id ,"&display=popup&redirect_uri=https://selesnow.github.io/rfacebookstat/getToken/get_token.html&response_type=token&scope=",scopes))
token <- readline(prompt = "Enter your token: ")
options(rfacebookstat.access_token = token)
return(token)
}
I see there's a redirect to the package creator's personal github site and that makes me a bit nervous. From the .R file I see that this is needed in order to convert the short time token into a long time token - does this represent a security concern? Anyone else have experience with this package? Want to use but I also don't want to leak any campaign data externally.
Alternatively, if I were to write my own wrapper of the above function, could I use localhost as the redirect URI? I just need to query the API to pull historical campaign data, the script I'm writing isn't for any webapp.

Log in a webpage which uses github OAuth

I want to log in https://adventofcode.com/2021 programatically using httr.
I have only a very superficial understanding of the OAuth "dance", so to understand the principles I did the following:
Create an OAuth App on GitHub
Used the following code to authenticate (N.B. I know I could simply use oauth2.0_token but I felt that this workflow helped me to better understand the different messages, which are exchanged).
library(httr)
client_id <- "<my client id>"
base_url <- "https://github.com"
path <- "login/oauth/authorize"
client_secret <- "<my secret>"
url <- modify_url(base_url, path = path,
query = list(client_id = client_id,
redirect_uri = oauth_callback()))
code <- oauth_listener(url) ## needed to provide credentials in the web browser
access_token <- POST(modify_url(base_url, path = "login/oauth/access_token"),
add_headers(Accept = "application/json"),
body = list(client_id = client_id,
client_secret = client_secret,
code = code$code))
## successfully returns the values
GET("https://api.github.com/rate_limit",
add_headers(Authorization = paste(content(access_token)$access_token,
"OAUTH-TOKEN")))
From this example I think I understand the steps as highlighted in the documentation.
However, I fail to see how I could use this to login to https://adventofcode.com/2021. I have, of course, not the client_secret nor can I redirect the response to my localhost (as GitHub requires that the stored callback matches the redirect URI).
Thus, I was wondering how I could programatically login to https://adventofcode.com/2021 to fetch my task data, say?
I think you are mismatching OAuth2 roles. If you want to use adventofcode.com, you are a resource owner, adventofcode.com is a client and github is an authorization server. So you authenticate, adventofcode.com gets an auth code and then tokens. They can use the tokens to get information about your github account.
The example code you posted is different - your application is a client that gets a code and tokens from the authorization server (github) after a user was authenticated and gave a consent to passing the tokens to your app (permission delegation). So you probably cannot include adventofcode.com into this scenario.
The only way is if adventofcode.com takes a role of a resource server and their API accepts github tokens from different clients. But I know nothing about their API.

Using httr in R to establish an implicit Oauth2 flow with StackOverflow.com

I am trying to establish an "implicit" Oauth2 authorization flow for my test connect in R to StackOverflow via the StackExchange API.
I am in situation #3 of this related post, that specifies how to set the redirect_uri and other values in a lanugage-agnostic way.
I've taken the steps described, namely setting up the app on StackApps.com to enable implicit authentication.
I've replicated the linked instructions in R with the httr library, the only major adaptation is that apparently httr requires the client secret earlier in the process than StackOverflow actually requires it.
library(httr)
# in the StackApps answer stackoverflow.com was used here.
# that just took me to the landing page.
# the docs use this URI and it gets me closer but
# it just says "Authorizing Application" with a blank page under that
# and it never completes.
end <- oauth_endpoint(authorize = "stackoverflow.com/oauth",
access = "stackoverflow.com/oauth")
client_secret = "secret_code_here"
myapp <- oauth_app("myapp",
key = "12665", # not a secret
secret = client_secret,
redirect_uri="https://stackexchange.com/oauth/login_success")
token <- oauth2.0_token(end,
myapp,
scope=NULL)
#,use_oob=T)
When I run my code a browser automatically opens and goes to StackOverflow.com. However, it just takes me to the landing page and Oauth never completes.
I tried it with use_oob=T and the only difference was that R prompted me for an authorization code that was never provided.

Configuring listener_endpoint in httr when using Rstudio server

I;'m struggling to connect to Google Analytics with httr oauth2.0 function
oauth2.0_token(oauth_endpoints("google")
, oauth_app("google", client.id, client.secret)
, scope = "https://www.googleapis.com/auth/analytics.readonly")
It works perfectly in my local Rstudio, but it breaks in AWS-based Rstudio Server. The error appears when I agree to pass data in browser and Google redirects me to the page
http://localhost:1410/?state=codehere
When launching authentication in local Rstudio, browser responds with a message - Authentication complete. Please close this page and return to R, incase of Rstudio server it's just This webpage is not available
I suspect I need to change listener_endpoint configuration, but how? Should I put my Rstudio server address instead of default 127.0.0.1? Or is it flaw of httr+Rtudio server and I should not bother?
Your redirect URI is part of the problem. Httr's oauth2.0_token() function identify the correct one. When you set up your project, Google Analytics created two redirect URIs, one that can be used on your RStudio IDE (local) and one that can be used in the RStudio web-based environment for out-of-of band authentication: "urn:ietf:wg:oauth:2.0:oob"
Once you've authenticated, the following code should work.
library(httr)
ga_id <- YourProjectID
client_id <- YourClientID
redirect_uri <- 'urn:ietf:wg:oauth:2.0:oob'
scope <- YourScope
client_secret <- YourSecret
response_type <-'code'
auth1 <- oauth2.0_token(
endpoint = oauth_endpoints("google"),
app = oauth_app(
"google",
key = client_id,
secret = client_secret
),
scope,
use_oob = TRUE,
cache = TRUE
)
-- Ann
You could use out-of-band authentication -
options(httr_oob_default = TRUE)

How to sign R API requests with credentials

I'm trying to use Hackpad's API in R. Unlike the example in httr, the Hackpad documentation
1. uses oauth 1.0 and
2. says that the requests should be signed with your credentials.
I do not completely understand how to do the 2nd part in R (with any library). I understand how to use the request, authorize, and access URLs -- but those are not provided for Hackpad (as far as I can tell).
Here is what I tried in R (to no success):
library(httr)
myapp <- oauth_app("hackpad",
key = mykey,
secret = mysecret)
hackpad_token <- oauth1.0_token(oauth_endpoint(authorize = 'https://hackpad.com/api/1.0/',
request = 'https://hackpad.com/api/1.0/',
access = 'https://hackpad.com/api/1.0/'),
myapp)
and also
req <- GET("https://hackpad.com/api/1.0/pad/k9bpcEeOo2Q/content/latest.html",
config = authenticate(user=myuser,
password=mypass))
which tries to return the API documentation content.
Thank you for your help

Resources