Unable to push to organization with OAuth App restrictions

[Raymo111]

Describe the bug

git push in command line works, but pushing through GH desktop does not. Same issue with publishing a new branch. It does work when I push to one of my own repositories, but it doesn't if I push to a repo where I have write access but do not own, even when I am the only owner in an organization.

Version & OS

2.1.0-linux1

Steps to reproduce the behavior

1. Make any change or create a new branch, to a repo that you have write access to but is not under your account.
2. Click Push or Publish branch.
3. Auth error pops up and cannot write to repo.

Expected behavior

I should be able to write to any repo that I have write access to.

Screenshots

Logs

2020-02-17T21:13:20.848Z - info: [ui] [AppStore] loading 11 repositories from store
2020-02-17T21:13:20.849Z - info: [ui] [AppStore] found account: Raymo111 (Raymond Li)
2020-02-17T21:13:21.735Z - info: [ui] [BranchPruner] Pruning 0 branches that have been merged into the default branch, master (97c040e6dc4e9e1bc78046936cfe01f126903074), from 'smoothie-web
2020-02-17T21:13:22.010Z - info: [ui] launching: 2.1.0-linux1 (Linux 5.5.4-arch1-1)
2020-02-17T21:13:22.010Z - info: [ui] execPath: '/opt/github-desktop/github-desktop'
2020-02-17T21:13:31.948Z - info: [ui] [Timing] Action 'create commit' for 'bayviewcomputerclub/smoothie-web' took 0.669s
2020-02-17T21:13:33.968Z - info: [ui] [AppStore.withAuthenticatingUser] account found for repository: smoothie-web - Raymo111 (has token)
2020-02-17T21:14:02.227Z - info: [ui] [AppStore.withAuthenticatingUser] account found for repository: smoothie-web - Raymo111 (has token)
2020-02-17T21:14:03.333Z - info: [ui] Executing push: git -c credential.helper= -c protocol.version=2 push origin master:master --progress (took 1.065s)

Additional context

Executing git -c credential.helper= -c protocol.version=2 push origin master:master --progress from command line and then typing in CORRECT username and password gives:

Username for 'https://github.com': Raymo111
Password for 'https://[email protected]': 
remote: Invalid username or password.
fatal: Authentication failed for 'https://github.com/BayviewComputerClub/smoothie-web.git/'

However, just doing git -c protocol.version=2 push origin master:master --progress works:

Enumerating objects: 19, done.
Counting objects: 100% (19/19), done.
Delta compression using up to 8 threads
Compressing objects: 100% (6/6), done.
Writing objects: 100% (10/10), 1.36 KiB | 463.00 KiB/s, done.
Total 10 (delta 4), reused 0 (delta 0)
remote: Resolving deltas: 100% (4/4), completed with 4 local objects.
To https://github.com/BayviewComputerClub/smoothie-web.git
   7a3bfc5..91bce88  master -> master

So it's an issue with -c credential.helper=.

[shiftkey]

@Raymo111 thanks for the report. Some initial thoughts:

Executing git -c credential.helper= -c protocol.version=2 push origin master:master --progress from command line and then typing in CORRECT username and password gives:

Username for 'https://github.com': Raymo111
Password for 'https://[email protected]': 
remote: Invalid username or password.
fatal: Authentication failed for 'https://github.com/BayviewComputerClub/smoothie-web.git/'

It's weird that you couldn't correctly authenticate here with your username/password. Maybe that was just due to a typo. Maybe it's something else.

However, just doing git -c protocol.version=2 push origin master:master --progress works:

...

So it's an issue with -c credential.helper=.

Without credential.helper being unset it'll default to whatever you have configured for credential.helper, so this just means that you have this working correctly on the command line.

GitHub Desktop has it's own authentication handler, which is why it unsets credential.helper (to prevent it clashing with other tools). I see from the logs that you've got an active account on GitHub, but maybe something's changed.

Could you try signing out and in again within the app to see if that changes this behaviour?

[Raymo111]

@shiftkey I've tried signing out and signing in again, and also confirmed that I'm using the correct username and password.

[shiftkey]

@Raymo111 do you know if the organization has OAuth app access restrictions enabled? Because of #72 it might be that the app isn't trusted for this organization.

This is different to providing your credentials on the command line, because Desktop requests a token from GitHub which can be revoked at a later time by you.

[Raymo111]

@shiftkey Yes, that's the case. Seems like that's enabled by default, and you need to disable it to use GH desktop?

[shiftkey]

It's been around since 2015, and I forget when it became the default for newer orgs.

There's a process for requesting apps but I think I'd prefer to just setup a different OAuth app and resolve #72. I guess I need to distinguish it from the main project before users request access to orgs like this.

[Raymo111]

@shiftkey Perhaps add a note in readme to link to a wiki page on allowing oauth?

[Raymo111]

Wait but the main GH desktop doesn't have the enable for organizations option though in profile. Why does the Linux port have it?

[rsheng118]

i'm having similar issue. after login through linux version, it will not show any organization repo. and when i try to check out a organization repo, it will error out saying auth failed. when i'm trying to login through browser redirect, the app require a separate Oauth app authentication for organization repo, i'm using ubuntu 19.10 this behavior is not present on window and mac version of desktop, both will not require additional Oauth credential and will display organization repo after login.

[Daniel22L]

I am having the same problem. I can clone and push my repositories or repositories that I have access through GitHub Desktop in Linux, but I cannot with repositories which their owner is a organization. I do not have this problem in GitHub Desktop in Windows.

[BoQsc]

Still happening.

If you try to go to the folder and push manually this is what I've got:

naudotojas@naudotojas-N53SV:~/Documents/GitHub/my-linux-kernel-shell$ git push
Username for 'https://github.com': boqsc
Password for 'https://[email protected]': 
remote: Support for password authentication was removed on August 13, 2021. Please use a personal access token instead.
remote: Please see https://github.blog/2020-12-15-token-authentication-requirements-for-git-operations/ for more information.
fatal: Authentication failed for 'https://github.com/vaido-world/my-linux-kernel-shell.git/'

As the above message mentions, it is no longer possible to authenticate with a regular method of username and password on git push anymore. Warns and explains to use Personal Access Token to execute.

GitHub Desktop and Personal Access Tokens

GitHub Desktop is probably outdated and does not support personal access token on Linux.

Manually pushing changes

Generating personal access token is a proper way to authenticate and push changes.

Tutorial on generating Personal Access Token:
https://techglimpse.com/git-push-github-token-based-passwordless/

Example: Personal Access Token usage via git push command: git push https://<GITHUB_ACCESS_TOKEN>@github.com/<GITHUB_USERNAME>/<REPOSITORY_NAME>.git

Manually temporary resolving this issue for a single git repository

You can go into .git folder and open up config file. Find remote origin url line there and replace its content with

url = https://<GITHUB_ACCESS_TOKEN>@github.com/<GITHUB_USERNAME>/<REPOSITORY_NAME>.git

Before

After

Then you can go to the GitHub Desktop and press the push button and it will push properly using your personal token.

[PapamichMarios]

@BoQsc This works!

[gimbling-away]

Any update?

[pnyro]

Same issue here

[aminya]

Manually temporary resolving this issue for a single git repository

You can go into .git folder and open up config file. Find remote origin url line there and replace its content with

url = https://<GITHUB_ACCESS_TOKEN>@github.com/<GITHUB_USERNAME>/<REPOSITORY_NAME>.git

Amazing, this solution fixed my problem. I can push and pull and check out the branches.

However, the View on GitHub button is disabled for me, which is not a big issue (I am using 3.1.5-linux2 on Kubuntu 22.10). On Windows, it worked without needing me to change the URL, so something is missing here.

This is what I get in the dev tools after replacing the URL:

[fetchProtectedBranches] unable to list protected branches
Error: Although you appear to have the correct authorization credentials, the `x` organization has enabled OAuth App access restrictions, meaning that data access to third-parties is limited. For more information on these restrictions, including how to enable this app, visit https://docs.github.com/articles/restricting-access-to-your-organization-s-data/
    at Dt (/home/aminya/webpack:/[name]/app/src/lib/http.ts:178:11)
    at vn.fetchProtectedBranches (/home/aminya/webpack:/[name]/app/src/lib/api.ts:1355:7)
    at Zn.updateBranchProtectionsFromAPI (/home/aminya/webpack:/[name]/app/src/lib/stores/app-store.ts:3961:11)

[theofficialgman]

Still having this issue

2023-12-20T03:19:21.334Z - info: [ui] [AppStore.getAccountForRemoteURL] account found for remote: https://github.com/Pi-Apps-Coders/website.git - theofficialgman (has token)
2023-12-20T03:19:26.048Z - info: [ui] Executing clone: git -c credential.helper= -c init.defaultBranch=master clone --recursive --progress -- https://github.com/Pi-Apps-Coders/website.git /home/gman/Documents/GitHub/website (took 4.712s)
2023-12-20T03:19:26.062Z - info: [ui] [AppStore] adding repository at /home/gman/Documents/GitHub/website to store
2023-12-20T03:19:26.258Z - info: [ui] [BranchPruner] Last prune took place 5 hours ago - skipping
2023-12-20T03:19:26.667Z - info: [ui] [BranchPruner] No branches to prune.
2023-12-20T03:20:30.432Z - info: [ui] [Timing] Action 'create commit' for 'Pi-Apps-Coders/website' took 0.110s
2023-12-20T03:20:31.484Z - info: [ui] [AppStore.withAuthenticatingUser] account found for repository: website - theofficialgman (has token)
2023-12-20T03:22:13.992Z - info: [ui] [AppStore.withAuthenticatingUser] account found for repository: website - theofficialgman (has token)
2023-12-20T03:22:17.028Z - info: [ui] Executing push: git -c credential.helper= push origin master:master --progress (took 3.030s)
2023-12-20T03:22:17.029Z - error: [ui] `git -c credential.helper= push origin master:master --progress` exited with an unexpected code: 128.
stderr:
Warning: Permanently added 'github.com' (ED25519) to the list of known hosts.
[email protected]: Permission denied (publickey).
fatal: Could not read from remote repository.

Please make sure you have the correct access rights
and the repository exists.

(The error was parsed as 2: Authentication failed. Some common reasons include:

- You are not logged in to your account: see File > Options.
- You may need to log out and log back in to refresh your token.
- You do not have permission to access this repository.
- The repository is archived on GitHub. Check the repository settings to confirm you are still permitted to push commits.
- If you use SSH authentication, check that your key is added to the ssh-agent and associated with your account.
- If you use SSH authentication, ensure the host key verification passes for your repository hosting service.
- If you used username / password authentication, you might need to use a Personal Access Token instead of your account password. Check the documentation of your repository hosting service.)

[agrastiOs]

Still having this issue as well. Usually do what https://github.com/shiftkey/desktop/issues/972 suggests as a workaround. If org is big enough, I just do this:

Manually temporary resolving this issue for a single git repository

You can go into .git folder and open up config file. Find remote origin url line there and replace its content with

url = https://<GITHUB_ACCESS_TOKEN>@github.com/<GITHUB_USERNAME>/<REPOSITORY_NAME>.git