Support Bearer token auth

[fotinakis]

The new GitHub Integrations requires JWT tokens with Bearer token authentication.

It would be great to have a new bearer authentication type. Even better, it would be awesome if we could do the JWT token generation through Octokit.

[tommoor]

@joeyw what do you think about adding a private_pem authentication type that would essentially wrap the bearer type and correctly create the JWT token

[fotinakis]

Just for reference, here's the code I'm using right now, would be great to have as much of this baked into Octokit as possible:

def github_client(installation_id)
  # TODO: drop this header once GitHub Integrations are officially released.
  accept = 'application/vnd.github.machine-man-preview+json'

  # Use a temporary JWT to get an access token, scoped to the integration's installation.
  headers = {'Authorization' => "Bearer #{new_jwt_token}", 'Accept' => accept}
  access_tokens_url = "/installations/#{installation_id}/access_tokens"
  access_tokens_response = Octokit::Client.new.post(access_tokens_url, headers: headers)
  access_token = access_tokens_response[:token]

  Octokit::Client.new(access_token: access_token)
end

# Generate the JWT required for the initial GitHub Integrations API handshake.
# https://developer.github.com/early-access/integrations/authentication/#as-an-integration
def new_jwt_token
  private_pem = File.read(GITHUB_INTEGRATION_KEY_PATH)
  private_key = OpenSSL::PKey::RSA.new(private_pem)
  payload = {
    iat: Time.now.to_i,  # Issued at time.
    exp: 10.minutes.from_now.to_i,  # JWT expiration time.
    iss: GITHUB_INTEGRATION_ID  # Integration's GitHub identifier.
  }
  JWT.encode(payload, private_key, 'RS256')
end

[clarkbw]

Just wanted to note that the /integration/installations method would also want to share the new_jwt_token method as well.

This method requires bearer auth instead of the token and looks something like this:

def github_installations
  # TODO: drop this header once GitHub Integrations are officially released.
  accept = 'application/vnd.github.machine-man-preview+json'

  # Use a temporary JWT to get the list of installations
  headers = {'Authorization' => "Bearer #{new_jwt_token}", 'Accept' => accept}
  installations_url = "/integration/installations"
  installations_response = Octokit::Client.new.get(installations_url, headers: headers)
  repositories = installations_response[:repositories]
  repositories
end

[tarebyte]

👋 I merged #825 yesterday and I opened a PR for to add the new Integration endpoints #871

I would really like the JWT stuff to be baked into Octokit as well, however I really don't want to add another dependency to Octokit if I can avoid it.

So for the mean time I think I'm going to hold off on adding support.

[kytrinyx]

We now have support for the Bearer keyword, and we will not be adding the JWT dependency at this time.

Thanks all! ✨