Question about Github API Authentication

That's interesting. Do you know where I could find the documentation for this?

And with your approach, did you then just authenticate the API request like you normally would (through questmate) within the function body?

In our case, the API authentication is based on tokens acquired through OAuth2, just like Github. The documentation for that lives here: https://developer.atlassian.com/platform/forge/runtime-reference/external-fetch-api/

Edit: Actually, the best place to look for an example is: https://developer.atlassian.com/platform/forge/manifest-reference/providers/#authentication

I also just remembered setting this up with Github in the past, so it definitely should work. If you have problems though let me know, and I can quickly jump on a Zoom call and help you out.

I never found any of this documentation. Thanks. I'll give this a go and get back to this thread.

Hi @John Medina @Sascha Reuter , as far as I know, the externalAuthentication Forge module only supports 3LO authentication flows currently (e.g. with user context). Github Apps by nature act on their own behalf (2LO) and don't use user-based authentication, so I'm not sure they would work with the forge authentication module.

For the Compass Github app we developed in house, we're using a Github App and the following guide explains the authentication steps: https://docs.github.com/en/developers/apps/building-github-apps/authenticating-with-github-apps#authenticating-as-a-github-app

In short, the GitHub App has a private key, and our Forge app uses that key to sign a JWT to communicate with the GitHub app. We also need to use the installation_id returned from the installation flow to generate an Installation Access Token, or IAT, which the Forge app can use to communicate with a specific GitHub app installation and get information from the connected Github org, repos, etc. If you're getting a 401 response, it might be that you're using the wrong token for the API call you're making (like using the JWT to get installation-specific information). It's hard to say without seeing the code.

Github App setup is a complicated process to say the least. If you want to use the built in Forge module, another option is to create an Oauth app on the Github side instead, which acts on behalf of a user. You can read more on the differences here: https://docs.github.com/en/developers/apps/getting-started-with-apps/differences-between-github-apps-and-oauth-apps. There are some marked differences, since the app will be acting as a user and will be limited to the scopes the user has. But it's probably simpler to set up :) 

Hopefully this helps, and if not, happy to discuss more about our implementation and how we decided between using a Github App or an Oauth App.

Hi @Henry Olson , I have attempted to follow the documentation you've sent above.

I am still however running into various issues (namely `undefined installation tokens` and `JSON Webtokens unable to be decoded`) with my Compass app implementation.

I have recreated the same methods I'm using to authenticate my API calls in a local node.js app, and each approach work just fine.

It would be great if we could have a discussion to help figure out what I may be missing when it comes to authenticating a Github App installation in Compass.