GitHub Maven Authentication

[abdelmoez-guetat]

Select Topic Area

Bug

Body

GitHub Maven Authentication Bug

Issue Description

When attempting to build a project, Maven fails to resolve dependencies due to authentication issues when accessing GitHub packages. The error message suggests that the authentication information provided in the settings.xml file is not in the correct format.

Error Message

[ERROR] Failed to execute goal on project ***: Could not resolve dependencies for project **:**:war:1.0.0-SNAPSHOT: Failed to collect dependencies at **:**:jar:1.0.0-SNAPSHOT: Failed to read artifact descriptor for **:**:jar:1.0.0-SNAPSHOT: Could not transfer artifact **:**:pom:1.0.0-20240415.093538-350 from/to github (https://maven.pkg.github.com/MY_ORG/*): transfer failed for https://maven.pkg.github.com/MY_ORG/*/**/**/**/1.0.0-SNAPSHOT/**-1.0.0-20240415.093538-350.pom, status: 400 Authentication information is not given in the correct format. Check the value of Authorization header. -> [Help 1]

Settings.xml Configuration

<servers>
    <server>
        <id>github</id>
        <configuration>
            <httpHeaders>
                <property>
                    <name>Authorization</name>
                    <value>Bearer MyTokenHere</value>
                </property>
            </httpHeaders>
        </configuration>
    </server>
</servers>

The provided settings.xml file contains the necessary authentication configuration for accessing GitHub packages.

Additional Context

Maven attempts to retrieve metadata from https://mavenregistryv2prod.blob.core.windows.net/mavenregistryv2prod/blobs/....

A cURL request using the Authorization header fails:

curl -H "Authorization: Bearer MyTokenHere" 'https://mavenregistryv2prod.blob.core.windows.net/mavenregistryv2prod/blobs/124037065/****/1.0.0-SNAPSHOT/4d52eb80-fb1c-11ee-9a11-eb4ecd1f897f?se=2024-04-15T11%3A55%3A48Z&sig=2GRYlvPWHcavoSuWE0TOxt3bhVd4GvR2QG4Wt6ALKGc%3D&sp=r&spr=https&sr=b&sv=2020-04-08'

However, changing Authorization to X-Github-Token resolves the issue:

curl -H "X-Github-Token: Bearer MyTokenHere" 'https://mavenregistryv2prod.blob.core.windows.net/mavenregistryv2prod/blobs/124037065/****/1.0.0-SNAPSHOT/4d52eb80-fb1c-11ee-9a11-eb4ecd1f897f?se=2024-04-15T11%3A55%3A48Z&sig=2GRYlvPWHcavoSuWE0TOxt3bhVd4GvR2QG4Wt6ALKGc%3D&sp=r&spr=https&sr=b&sv=2020-04-08'

This adjustment successfully retrieves the necessary metadata. However, when changing Authorization to X-Github-Token in the settings.xml file, a 401 Unauthorized error is encountered.

[L00kian]

@abdelmoez-guetat Bearer token auth with header worked for me for some time, though at this point I am not certain if it was documented or I just found that somewhere on stackoverflow. However it seems that it is no longer the case

As Github documentation suggests - I used username/password authentication instead and it works

https://docs.github.com/en/packages/working-with-a-github-packages-registry/working-with-the-apache-maven-registry#authenticating-with-a-personal-access-token

[berry120]

Writing my notes up here in case they're useful for others. tl;dr is, instead of defining the header directly, do:

    <server>
      <id>github</id>
      <username>USERNAME</username>
      <password>ghp_xxxxxxxxxxxxxxxxxxxxxxxxxxx</password>
    </server>

Replace ghp_xxxxxxxxxxxxxxxxxxxxxxxxxxx with your token, but crucially you don't need to replace USERNAME with your actual username.

The longer explanation:

https://maven.pkg.github.com doesn't seem to be the direct URL for packages, it always returns a 302 (redirect) with a link to elsewhere that doesn't require authentication. It seems that redirected domain has recently changed - for older packages it seems to have typically been githubusercontent.com, and for newer packages it's mavenregistryv2prod.blob.core.windows.net.

Ordinarily this wouldn't matter because it's a straight redirect, but Maven also forwards the authorization header onto the redirected URL. The older URL didn't require it, but also didn't care if it was there, so no problem. The newer URL though does care, insists on not having it, and seems to throw the Authentication information is not given in the correct format error with a 400 if a needless authorization header is present.

This is also why curl works when you specify the -L flag (to get it to follow redirects), because, at least on newer versions of curl, the authorization header isn't forwarded on - so the redirection works and the file is returned. If you allow curl to forward on the auth information to the redirected URL by specifying --location-trusted, it fails in the same way.

On the flip side, if you specify the above specifically in user / pass format, it seems Maven doesn't pass that auth on, Github ignores the username, just looks at the token, and so all is happy.

As a disclaimer, the above is purely anecdotal from the poking around I've done. I could be entirely wrong or missing the mark, but it seems to line up.