
Cannot create a scoped token to upload an organisation package, but a new personal general token works.

Open Carreau opened this issue 2 years ago • 8 comments

  • IPython has recently been moved to the Jupyter Org.
  • It now requires 2FA to publish.
  • I tried publishing with username/password, got refused as I need a token. Makes sense.
  • Go to https://pypi.org/manage/project/ipython/settings/ and click "create token for IPython".
  • Get redirected to "https://pypi.org/manage/account/token/".
  • Give a name and try to select a Scope (IPython not present).

Question 1)

  1. How am I supposed to create an IPython-scoped token? Should I have been redirected to maybe https://pypi.org/manage/org/token/? Or is a personal token used to upload, and the IPython scope should be present?
  • Curious, I try to create a token with all permissions.
  • Try it.
  • twine upload works.
  • <pikachu face>

Question 2)

  • Was I supposed to be able to upload if I can't create a scoped token?
  • Is some of the logic wrong?

Also, uploading to https://upload.pypi.org/legacy/ returned HTML even though it's an API endpoint; maybe it should return something machine/terminal readable?

Carreau avatar Jun 02 '23 14:06 Carreau

I can confirm that projects that are in an organization are not being included in the list of scopes when creating a token at https://pypi.org/manage/account/token/; this seems to be a bug.

Also, uploading to https://upload.pypi.org/legacy/ returned HTML even though it's an API endpoint; maybe it should return something machine/terminal readable?

Are you able to share what the response was here?

di avatar Jun 02 '23 14:06 di

The list of projects comes from here: https://github.com/pypi/warehouse/blob/cec621ac90b2a6e19760759e489c03616469c4eb/warehouse/manage/views/__init__.py#L842-L844

di avatar Jun 02 '23 14:06 di
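To make the reported gap concrete, here is a small added model (not warehouse's own code and not the linked view) of how a token-scope list can be computed: one version offers only projects where the user holds a direct role, the other also offers projects owned by an organization the user belongs to, which is the short-term fix discussed later in the thread. The usernames, organization and project names are constructed for the example.

```python
from dataclasses import dataclass, field
from typing import List, Optional, Set


@dataclass(frozen=True)
class User:
    username: str


@dataclass
class Organization:
    name: str
    members: Set[str] = field(default_factory=set)  # usernames with a role in the org


@dataclass
class Project:
    name: str
    collaborators: Set[str] = field(default_factory=set)  # usernames with a direct project role
    organization: Optional[Organization] = None            # set when an org owns the project


def scope_choices_direct_roles_only(user: User, projects: List[Project]) -> List[str]:
    """Model of the behaviour reported: only projects where the user holds a
    direct role are offered as token scopes, so org-owned projects are missing."""
    return sorted(p.name for p in projects if user.username in p.collaborators)


def scope_choices_with_org_projects(user: User, projects: List[Project]) -> List[str]:
    """Model of the proposed short-term fix: also offer projects owned by an
    organization the user is a member of."""
    return sorted(
        p.name
        for p in projects
        if user.username in p.collaborators
        or (p.organization is not None and user.username in p.organization.members)
    )


def external_collaborator_workaround(user: User, project: Project) -> Project:
    """The workaround described later in the thread: add the person directly to
    the org-owned project, which gives them a direct role again."""
    project.collaborators.add(user.username)
    return project


def build_example():
    """Constructed data mirroring the report: 'ipython' is owned by an org the
    user belongs to, while 'traitlets' (hypothetical here) has a direct role."""
    me = User("mbussonn")
    jupyter = Organization("jupyter", members={"mbussonn"})
    return me, [Project("ipython", organization=jupyter),
                Project("traitlets", collaborators={"mbussonn"})]
```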

Are you able to share what the response was here?

twine upload --verbose dist/ipython-8.14.0*
INFO     Using configuration from ...
Uploading distributions to https://upload.pypi.org/legacy/
INFO     dist/ipython-8.14.0-py3-none-any.whl (780.0 KB)
INFO     dist/ipython-8.14.0.tar.gz (5.2 MB)
INFO     username set from config file
INFO     password set from config file
INFO     username: ...
INFO     password: <hidden>
Uploading ipython-8.14.0-py3-none-any.whl
100% ━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━ 814.4/814.4 kB • 00:01 • 817.1 kB/s
INFO     Response from https://upload.pypi.org/legacy/:
         401 User mbussonn has two factor auth enabled, an API Token or Trusted Publisher must be used to upload in place of
         password.
INFO     <html>
          <head>
           <title>401 User mbussonn has two factor auth enabled, an API Token or Trusted Publisher must be used to upload in
         place of password.</title>
          </head>
          <body>
           <h1>401 User mbussonn has two factor auth enabled, an API Token or Trusted Publisher must be used to upload in place
         of password.</h1>
           This server could not verify that you are authorized to access the document you requested.  Either you supplied the
         wrong credentials (e.g., bad password), or your browser does not understand how to supply the credentials
         required.<br/><br/>
         User mbussonn has two factor auth enabled, an API Token or Trusted Publisher must be used to upload in place of
         password.


          </body>
         </html>
ERROR    HTTPError: 401 Unauthorized from https://upload.pypi.org/legacy/
         User mbussonn has two factor auth enabled, an API Token or Trusted Publisher must be used to upload in place of
         password.

There is already a 401, but I was astonished to see HTML sent to twine.

Twine 4.0.2

Carreau avatar Jun 02 '23 15:06 Carreau

Ah, I thought you meant there was HTML in the error message. This is expected, this is how errors are communicated to twine, and you shouldn't see this unless you have verbosity turned on: https://github.com/pypa/twine/blob/0bb428c410b8df64c04dc881ac1db37d932f3066/twine/commands/upload.py#L149-L151

di avatar Jun 02 '23 15:06 di

Ok, fair.

Carreau avatar Jun 02 '23 15:06 Carreau

Confirming that this is a bug. Plan is for a two stage fix:

  • Short term, allow users to create project-scoped tokens for projects owned by orgs
  • Long term, allow org owners/maintainers to see all project-scoped tokens for users in the org (including revocation)

di avatar Jun 02 '23 15:06 di

We also just ran into this in our organization. Could this be addressed?

As a workaround, we had to add individual people back to the organization-owned project as "external collaborators".

maxnoe avatar Apr 17 '25 13:04 maxnoe

Beyond this, it would be useful to be able to create API tokens that are scoped to an organization. They would allow uploading new versions for all projects owned by that organization. Is this the right place to request this, or should I open a new issue for it?

wetneb avatar Oct 26 '25 18:10 wetneb