Opened 5 years ago
Closed 5 years ago
#5061 closed task (blessed) (fixed)
Upgrade GitHub OAuth Usage
Reported by: | pento | Owned by: | dd32
---|---|---|---
Milestone: | | Priority: | normal
Component: | Profiles | Keywords: |
Cc: | | |
Description
I received this email from GitHub with regards to how WordPress.org authenticates GitHub profiles.
Hello there!
On February 26th, 2020 at 00:18 (PST), your application (WordPress.org Profiles) issued a request using the deprecated form of OAuth Application API that includes access tokens in the URL path. GitHub has deprecated these endpoints and replaced them with a version that accepts access tokens in the request body.
The deprecated endpoints will be removed on July 1st, 2020 at 4:00 PM UTC.
Please visit https://developer.github.com/changes/2020-02-14-deprecating-oauth-app-endpoint for more information about suggested changes, brownouts, and removal dates.
Thanks,
The GitHub Team
Change History (4)
#2
@
5 years ago
What GitHub is doing is deprecating the auth token in a query arg.
The solution is to use the same auth token in a Basic Auth header.
The format from the http_request_args filter is
$args['headers']['Authorization'] = 'token my_current_auth_token';
Assuming the authentication is via wp_remote_get()
#3
@
5 years ago
I think this is fixed as of r15784-dotorg.
-
class-api-endpoint.php
47 47 48 48 // Revoke our access to that users token 49 49 $api = $this->make_api_request( 50 '/applications/' . CLIENT_ID . '/grant s/' . $access_token,51 null,50 '/applications/' . CLIENT_ID . '/grant', 51 json_encode( [ 'access_token' => $access_token ] ), 52 52 [ 'Authorization' => 'BASIC ' . base64_encode( CLIENT_ID . ':' . CLIENT_SECRET ) ], 53 53 'DELETE' 54 54 );
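Review bot: new line 51 moves the token into a JSON body on a DELETE request, but the headers array on line 52 still carries only Authorization. Nothing in this hunk shows that make_api_request() sets Content-Type: application/json or forwards a body for DELETE, so it is worth confirming both, or adding 'Content-Type' => 'application/json' next to the Authorization header. The hunk also does not show $api being checked afterwards; a failed revocation should not be treated as a completed unlink.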
#4
@
5 years ago
- Resolution set to fixed
- Status changed from accepted to closed
Looks like that was all that was affected based on the Endpoints affected listing on https://developer.github.com/changes/2020-02-14-deprecating-oauth-app-endpoint/
wporg-profiles-github-link$ grep '/token' . -r
No Results
wporg-profiles-github-link$ grep '/grant' . -r
./class-api-endpoint.php: '/applications/' . CLIENT_ID . '/grant',
I've been looking into this today, it looks like it affects the DELETE unlinking functionality, so should be a simple change.
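The change this ticket tracks, as an added example (not WordPress.org's or GitHub's code): the deprecated and current forms of the grant-revocation request, built side by side and rendered as HTTP messages so the token's location is visible. The helper names, `api.github.com` as the host, and the placeholder credentials are assumptions for illustration.

```php
<?php
// Added example, not WordPress.org code. Credentials below are constructed placeholders.

const API_HOST = 'api.github.com'; // assumed API host for the illustration

/**
 * Build (but do not send) the request that revokes an OAuth app's grant.
 * $legacy = true reproduces the deprecated shape with the token in the path.
 */
function build_grant_revocation( string $id, string $secret, string $token, bool $legacy = false ): array {
    $path = '/applications/' . rawurlencode( $id )
        . ( $legacy ? '/grants/' . rawurlencode( $token ) : '/grant' );
    $body = $legacy ? '' : json_encode( [ 'access_token' => $token ] );

    $headers = [
        'Host'          => API_HOST,
        // The application authenticates with its own client credentials.
        'Authorization' => 'Basic ' . base64_encode( $id . ':' . $secret ),
    ];
    if ( '' !== $body ) {
        $headers['Content-Type']   = 'application/json';
        $headers['Content-Length'] = (string) strlen( $body );
    }
    return [ 'method' => 'DELETE', 'path' => $path, 'headers' => $headers, 'body' => $body ];
}

/** Render the request as an HTTP/1.1 message so the token's location is visible. */
function render_request( array $req ): string {
    $out = $req['method'] . ' ' . $req['path'] . " HTTP/1.1\r\n";
    foreach ( $req['headers'] as $name => $value ) {
        $out .= $name . ': ' . $value . "\r\n";
    }
    return $out . "\r\n" . $req['body'];
}

/** True when the token appears in the request line, which commonly ends up in access logs. */
function token_in_request_line( array $req, string $token ): bool {
    return false !== strpos( $req['path'], rawurlencode( $token ) );
}

$token = 'EXAMPLE_USER_TOKEN';
foreach ( [ 'deprecated' => true, 'current' => false ] as $label => $legacy ) {
    $req = build_grant_revocation( 'EXAMPLE_CLIENT_ID', 'EXAMPLE_CLIENT_SECRET', $token, $legacy );
    echo "== $label (token in request line: ", token_in_request_line( $req, $token ) ? 'yes' : 'no', ") ==\n";
    echo render_request( $req ), "\n\n";
}
```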