https://aznot.com/index.php?action=history&feed=atom&title=GitHub%2FJWT
GitHub/JWT - Revision history
2026-04-17T04:30:47Z
Revision history for this page on the wiki
MediaWiki 1.41.0
https://aznot.com/index.php?title=GitHub/JWT&diff=6316&oldid=prev
Kenneth at 01:15, 6 July 2023
2023-07-06T01:15:55Z
<p></p>
<p><b>New page</b></p><div>== JSON Web Tokens (JWTs) ==<br />
<br />
"In order to authenticate as an app or generate an installation access token, you must generate a JSON Web Token (JWT). If a REST API endpoint requires a JWT, the documentation for that endpoint will indicate that you must use a JWT to access the endpoint."<br />
<br />
Usage:<br />
curl --request GET \<br />
--url "https://api.github.com/app" \<br />
--header "Accept: application/vnd.github+json" \<br />
--header "Authorization: Bearer [YOUR_JWT]" \<br />
--header "X-GitHub-Api-Version: 2022-11-28"<br />
<br />
Install python jwt:<br />
pip install jwt<br />
<br />
make_jwt.py:<br />
<pre><br />
#!/usr/bin/env python3<br />
import jwt<br />
import time<br />
import sys<br />
<br />
# Get PEM file path<br />
if len(sys.argv) > 1:<br />
pem = sys.argv[1]<br />
else:<br />
pem = input("Enter path of private PEM file: ")<br />
<br />
# Get the App ID<br />
if len(sys.argv) > 2:<br />
app_id = sys.argv[2]<br />
else:<br />
app_id = input("Enter your APP ID: ")<br />
<br />
# Open PEM<br />
with open(pem, 'rb') as pem_file:<br />
signing_key = jwt.jwk_from_pem(pem_file.read())<br />
<br />
payload = {<br />
# Issued at time<br />
'iat': int(time.time()),<br />
# JWT expiration time (10 minutes maximum)<br />
'exp': int(time.time()) + 600,<br />
# GitHub App's identifier<br />
'iss': app_id<br />
}<br />
<br />
# Create JWT<br />
jwt_instance = jwt.JWT()<br />
encoded_jwt = jwt_instance.encode(payload, signing_key, alg='RS256')<br />
<br />
print(f"JWT: {encoded_jwt}"<br />
</pre><br />
<br />
ref: [https://docs.github.com/en/apps/creating-github-apps/authenticating-with-a-github-app/generating-a-json-web-token-jwt-for-a-github-app]<br />
<br />
== Authenticating App ==<br />
<br />
<br />
== Notes ==<br />
<br />
ref: [https://docs.github.com/en/apps/creating-github-apps/authenticating-with-a-github-app/authenticating-as-a-github-app-installation#generating-an-installation-access-token]<br />
<br />
Generating a user access token for a GitHub App - GitHub Docs<br />
https://docs.github.com/en/apps/creating-github-apps/authenticating-with-a-github-app/generating-a-user-access-token-for-a-github-app<br />
<br />
# GitHub CLI api<br />
# https://cli.github.com/manual/gh_api<br />
<br />
gh api \<br />
--method POST \<br />
-H "Accept: application/vnd.github+json" \<br />
-H "X-GitHub-Api-Version: 2022-11-28" \<br />
/orgs/ORG/actions/runners/registration-token<br />
<br />
<br />
Permissions required for GitHub Apps - GitHub Docs<br />
https://docs.github.com/en/rest/overview/permissions-required-for-github-apps?apiVersion=2022-11-28#organization-self-hosted-runners<br />
<br />
fpe-devops/github-app-token: A private copy of tibdex/github-app-token<br />
https://github.com/fpe-devops/github-app-token<br />
<br />
tibdex/github-app-token: Impersonate a GitHub App in a GitHub Action<br />
https://github.com/tibdex/github-app-token<br />
<br />
Differences between GitHub Apps and OAuth apps - GitHub Docs - Machine vs. bot accounts<br />
https://docs.github.com/en/apps/oauth-apps/building-oauth-apps/differences-between-github-apps-and-oauth-apps#machine-vs-bot-accounts<br />
<br />
Installation ID:<br />
Where can we find GitHub Apps Installation ID? - Stack Overflow<br />
https://stackoverflow.com/questions/74462420/where-can-we-find-github-apps-installation-id<br />
<br />
<pre><br />
For GitHub Apps created under Organizations:<br />
<br />
Go to the Organization settings<br />
Click on 'GitHub Apps' under 'Third-party Access'<br />
If there are multiple GitHub apps, choose your App and click on 'Configure'<br />
Once your GitHub App is selected check the URL for obtaining 'GitHub App Installation ID'<br />
<br />
The URL looks like this:<br />
<br />
https://github.com/organizations/<Organization-name>/settings/installations/<ID><br />
<br />
Pick the <ID> part and that's your GitHub App Installation ID.<br />
<br />
For GitHub Apps created under Repository, you can find this under repository settings.<br />
</pre><br />
<br />
<br />
<pre><br />
- name: Get Installation Token<br />
uses: tibdex/github-app-token@v1<br />
id: get_installation_token<br />
with: <br />
app_id: 335706<br />
# installation_id not needed IF the app is installed on this current repo<br />
installation_id: 37655626<br />
private_key: ${{ secrets.PRIVATE_KEY }}<br />
</pre><br />
<br />
make-jwt.py Python:<br />
<pre><br />
#!/usr/bin/env python3<br />
import jwt<br />
import time<br />
import sys<br />
<br />
# Get PEM file path<br />
if len(sys.argv) > 1:<br />
pem = sys.argv[1]<br />
else:<br />
pem = input("Enter path of private PEM file: ")<br />
<br />
# Get the App ID<br />
if len(sys.argv) > 2:<br />
app_id = sys.argv[2]<br />
else:<br />
app_id = input("Enter your APP ID: ")<br />
<br />
# Open PEM<br />
with open(pem, 'rb') as pem_file:<br />
signing_key = jwt.jwk_from_pem(pem_file.read())<br />
<br />
payload = {<br />
# Issued at time<br />
'iat': int(time.time()),<br />
# JWT expiration time (10 minutes maximum)<br />
'exp': int(time.time()) + 600,<br />
# GitHub App's identifier<br />
'iss': app_id<br />
}<br />
<br />
# Create JWT<br />
jwt_instance = jwt.JWT()<br />
encoded_jwt = jwt_instance.encode(payload, signing_key, alg='RS256')<br />
<br />
#print(f"JWT: {encoded_jwt}")<br />
print(f"{encoded_jwt}")<br />
</pre><br />
<br />
Generate GitHub App Installation Token:<br />
<pre><br />
#! /bin/tcsh<br />
<br />
set PRIVATE_KEY='create-repos.2023-05-26.private-key.pem'<br />
set APP_ID='339112'<br />
set INSTALLATION_ID='37930554' # In the URL when you configure the app<br />
set JWT=`./make-jwt.py $PRIVATE_KEY $APP_ID`<br />
set INSTALLATION_TOKEN=`curl -s --request POST --url "https://api.github.com/app/installations/$INSTALLATION_ID/access_tokens" --header "Accept: application/vnd.github+json" --header "Authorization: Bearer $JWT" --header "X-GitHub-Api-Version: 2022-11-28" | python -c "import sys, json; print(json.load(sys.stdin)['token'])"`<br />
setenv GH_TOKEN $INSTALLATION_TOKEN<br />
echo GH_TOKEN: $GH_TOKEN<br />
</pre><br />
<br />
---<br />
<br />
JSON Web Tokens - jwt.io<br />
https://jwt.io/<br />
JSON Web Tokens are an open, industry standard RFC 7519 method for representing claims securely between two parties.<br />
<br />
---<br />
<br />
Generating a JSON Web Token (JWT) for a GitHub App - GitHub Docs<br />
https://docs.github.com/en/apps/creating-github-apps/authenticating-with-a-github-app/generating-a-json-web-token-jwt-for-a-github-app#about-json-web-tokens-jwts<br />
<br />
<pre><br />
curl --request GET \<br />
--url "https://api.github.com/app" \<br />
--header "Accept: application/vnd.github+json" \<br />
--header "Authorization: Bearer YOUR_JWT" \<br />
--header "X-GitHub-Api-Version: 2022-11-28"<br />
</pre><br />
<br />
---<br />
<br />
[6/2 3:15 PM] Khaled El Hussein<br />
<br />
GitHub App documentation is here: https://docs.github.com/en/apps/overview<br />
<br />
Creating an app (it requires Org Owner which I can help with): https://docs.github.com/en/apps/creating-github-apps/setting-up-a-github-app/creating-a-github-app<br />
<br />
Permissions: https://docs.github.com/en/apps/creating-github-apps/setting-up-a-github-app/choosing-permissions-for-a-github-app<br />
<br />
Authenticate your system/Jenkins/Tool to this github app, couple of options: <br />
<br />
Using SDK (in javascript) https://docs.github.com/en/apps/creating-github-apps/authenticating-with-a-github-app/authenticating-as-a-github-app-installation#using-octokitjs-to-authenticate-with-an-installation-id<br />
<br />
JWT Token for Rest APIs: https://docs.github.com/en/apps/creating-github-apps/authenticating-with-a-github-app/authenticating-as-a-github-app-installation#using-an-installation-access-token-to-authenticate-as-an-app-installation<br />
<br />
---<br />
<br />
Self-hosted runners - GitHub Docs - Create a registration token for an organization<br />
https://docs.github.com/en/rest/actions/self-hosted-runners?apiVersion=2022-11-28#create-a-registration-token-for-an-organization</div>
Kenneth