Using JWT to get user info

Hi!

I wrote a script in Ruby to make 3 curl requests. In the first two requests I am asking for GitHub user information using the endpoint https://api.github.com/users/username, the first without a JWT in the header, and the second with a JWT in the header.

require 'jwt'      # ruby-jwt gem
require 'openssl'

# Your GitHub App's identifier and private key (PEM). The environment
# variable names are assumed; set them to match your own configuration.
APP_IDENTIFIER = ENV.fetch('GITHUB_APP_IDENTIFIER')
PRIVATE_KEY = OpenSSL::PKey::RSA.new(File.read(ENV.fetch('GITHUB_PRIVATE_KEY_PATH')))

# Generate the JWT
payload = {
  # The time that this JWT was issued, _i.e._ now.
  iat: Time.now.to_i,

  # JWT expiration time (10 minute maximum)
  exp: Time.now.to_i + (10 * 60),

  # Your GitHub App's identifier number
  iss: APP_IDENTIFIER
}
# Cryptographically sign the JWT.
jwt = JWT.encode(payload, PRIVATE_KEY, 'RS256')

# Note: interpolating the JWT into a backtick command puts it on curl's
# command line, where it is visible in the process list until the request ends.
puts "Don't use JWT to get user info"
puts `curl -i -H "Accept: application/vnd.github.machine-man-preview+json" https://api.github.com/users/octocat`

puts "Use JWT to get user info"
puts `curl -i -H "Authorization: Bearer #{jwt}" -H "Accept: application/vnd.github.machine-man-preview+json" https://api.github.com/users/octocat`

puts "Show plans active on my GitHub account"
puts `curl -i -H "Authorization: Bearer #{jwt}" -H "Accept: application/vnd.github.machine-man-preview+json" https://api.github.com/marketplace_listing/accounts/123456`

From what I understand, this user info endpoint does not require authentication. But I would like to be authenticated as an app so that I can have a higher API rate limit.

For some reason, when I run this script, the 2nd curl (asking for user info with the JWT in the header) fails. The first curl (with no JWT in the header) succeeds, though. I know that I did not insert the JWT incorrectly, because the third curl, which uses the same JWT, succeeds.

This is what I get from the 2nd curl:

HTTP/1.1 401 Unauthorized
Date: Tue, 13 Aug 2019 23:15:05 GMT
Content-Type: application/json; charset=utf-8
Content-Length: 93
Server: GitHub.com
Status: 401 Unauthorized
X-GitHub-Media-Type: github.machine-man-preview; format=json
X-RateLimit-Limit: 60
X-RateLimit-Remaining: 35
X-RateLimit-Reset: 1565740916
Access-Control-Expose-Headers: ETag, Link, Location, Retry-After, X-GitHub-OTP, X-RateLimit-Limit, X-RateLimit-Remaining, X-RateLimit-Reset, X-OAuth-Scopes, X-Accepted-OAuth-Scopes, X-Poll-Interval, X-GitHub-Media-Type
Access-Control-Allow-Origin: *
Strict-Transport-Security: max-age=31536000; includeSubdomains; preload
X-Frame-Options: deny
X-Content-Type-Options: nosniff
X-XSS-Protection: 1; mode=block
Referrer-Policy: origin-when-cross-origin, strict-origin-when-cross-origin
Content-Security-Policy: default-src 'none'
X-GitHub-Request-Id: 8782:4DF8:4E2B0:5E58C:5D534479

{
  "message": "Bad credentials",
  "documentation_url": "https://developer.github.com/v3"
}

Can someone explain why I'm getting a "Bad credentials" error?

Thanks.
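The failing request above comes down to which credential each endpoint accepts. A GitHub App's signed JWT is honoured only on App-level routes (the /app/... and /marketplace_listing/... families, which is why the third curl works), while GET /users/:username does not accept the JWT as a credential and reports it as bad credentials. To call ordinary endpoints as the app, the JWT is first exchanged for an installation access token (POST /app/installations/:id/access_tokens), and that token is what goes in the Authorization header. The script below is an added example, not the poster's code or GitHub's sample: it builds the RS256 JWT with the Ruby standard library only (no jwt gem), performs the token exchange with Net::HTTP so the secret never passes through a shell command line, and picks the right header per route. The environment variable names GITHUB_APP_ID, GITHUB_PRIVATE_KEY_PATH and GITHUB_INSTALLATION_ID, the installation ID itself, and the two-prefix route list are assumptions for illustration.

```ruby
require 'openssl'
require 'json'
require 'net/http'
require 'uri'

# Unpadded base64url, as RFC 7515 requires for JWT segments (core Ruby only).
def base64url_encode(bytes)
  [bytes].pack('m0').tr('+/', '-_').delete('=')
end

def base64url_decode(str)
  s = str.tr('-_', '+/')
  s += '=' * ((4 - s.length % 4) % 4)
  s.unpack1('m0')
end

# Build the short-lived app JWT. `now` is injectable so tests are deterministic.
# Claims match the post: iat, exp (10 minutes), iss = the App's numeric ID.
def build_app_jwt(app_id, private_key, now: Time.now.to_i)
  header  = { alg: 'RS256', typ: 'JWT' }
  payload = { iat: now, exp: now + 10 * 60, iss: app_id }
  signing_input = "#{base64url_encode(JSON.generate(header))}." \
                  "#{base64url_encode(JSON.generate(payload))}"
  signature = private_key.sign(OpenSSL::Digest.new('SHA256'), signing_input)
  "#{signing_input}.#{base64url_encode(signature)}"
end

# Verify an RS256 JWT with the app's public key; returns the claims or nil.
def verify_app_jwt(jwt, public_key)
  h, p, s = jwt.split('.')
  return nil unless h && p && s
  ok = public_key.verify(OpenSSL::Digest.new('SHA256'), base64url_decode(s), "#{h}.#{p}")
  ok ? JSON.parse(base64url_decode(p)) : nil
rescue ArgumentError, OpenSSL::PKey::PKeyError, JSON::ParserError
  nil
end

# GitHub accepts the app JWT only on App-level endpoints; the /app/... and
# /marketplace_listing/... routes are the two families used in the post. Every
# other route, /users/:username included, needs an installation access token.
# This prefix list is an assumption limited to those two families.
APP_JWT_PATH_PREFIXES = ['/app', '/marketplace_listing'].freeze

def authorization_header_for(path, app_jwt:, installation_token:)
  app_route = APP_JWT_PATH_PREFIXES.any? { |pre| path == pre || path.start_with?("#{pre}/") }
  app_route ? "Bearer #{app_jwt}" : "token #{installation_token}"
end

API = URI('https://api.github.com')

def github_request(req)
  req['Accept'] = 'application/vnd.github.machine-man-preview+json'
  Net::HTTP.start(API.host, API.port, use_ssl: true) { |http| http.request(req) }
end

# Exchange the app JWT for an installation token via
# POST /app/installations/:id/access_tokens (the JWT is the credential here).
def fetch_installation_token(app_jwt, installation_id)
  req = Net::HTTP::Post.new("/app/installations/#{installation_id}/access_tokens")
  req['Authorization'] = "Bearer #{app_jwt}"
  res = github_request(req)
  raise "token exchange failed: #{res.code} #{res.body}" unless res.code == '201'
  JSON.parse(res.body).fetch('token')
end

# Driver: runs only when executed directly with the (assumed) env vars set.
if __FILE__ == $PROGRAM_NAME && ENV['GITHUB_APP_ID']
  key   = OpenSSL::PKey::RSA.new(File.read(ENV.fetch('GITHUB_PRIVATE_KEY_PATH')))
  jwt   = build_app_jwt(Integer(ENV['GITHUB_APP_ID']), key)
  token = fetch_installation_token(jwt, ENV.fetch('GITHUB_INSTALLATION_ID'))
  path  = '/users/octocat'
  req   = Net::HTTP::Get.new(path)
  req['Authorization'] = authorization_header_for(path, app_jwt: jwt, installation_token: token)
  res   = github_request(req)
  puts "#{res.code} X-RateLimit-Limit=#{res['X-RateLimit-Limit']}"
end
```

Run with the three environment variables set and the user request is made with the installation token, so the response carries the authenticated rate limit instead of the 60-per-hour unauthenticated one visible in the headers above. The JWT keeps the 10-minute lifetime from the post; the installation token it buys is itself short-lived and should be fetched per run rather than cached on disk.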