Bad credentails for JWT for GitHub Integrations API

Question

I registered a GitHub integration and downloaded the RSA private key (PEM file). In my PHP script, I am using this library to encode my token, in this way:

use Firebase\JWT\JWT;

$token = [
        "iat" => time(),
        "exp" => time() + 3600,
        "iss" => $my_integration_id
];
$key = file_get_contents($path_to_pem_file);
echo JWT::encode($token, $key, "RS256");

The PEM file is like this (I have already regenerated the private key):

-----BEGIN RSA PRIVATE KEY-----
MIIEpQIBAAKCAQEA1bT61yW2fo4SI6TZXo+3dsyyxitcsw0kdhoGufsEkgdqbpeF
2/TfJtwYj9Veq11LNHuyoYk51DxUIyoC2Ul45E/s9kOw+qjXDJAOf3z9kq+obcOL
145ivQwsRF8bB1MQf8YsE/jAhVdxdIfRbw4UG8Fn0RPce/WQ18RI7Li4xfM138RP
2MQhZsx289ale7n+OtDzzajC4oj9qlaNFFKpSuCVGf6fqnktCOoFu1+ouB/+u3oc
eneS/qmSxwI7N7MrxOTnoHqhxIiatNFisK85Anc/WZ9duWS9i88GhtK86YMaWnCj
5nodzFwSF6SzBS+iOrI2AJennOTjsOrtjjQXzQIDAQABAoIBAQDKVhoRTfGljRn7
iX8NGwFXh6PUIQYZuN3GvAmWWOYQ5NiOcQQaJ5SIlGbk9940XZZw0JVmgCiym5QF
3ybnV7sQX+Q5ngmYqfdCO7qeVlc3ZP0RP83Nf1BZMYdQDMPogWrjr1vYZPLSzOHs
tRNEFI5RYSLMQAPHkc9bmsp45sR7FXj+tZEjM3NkcF4n8Jud/ARVAX/tzOWfF6A4
rhtGJfqYCvEF69J/dsHyy28egawrTxqPd6d1BKLdOh05xHkFL26wtgJWpHcNAZNZ
DUZs0Twe6Cw3XYQtlUD6D5mkj3zzh5hZ4xsoKftNfD2ZA1N0RVks0j5wrUjPI6jV
bVDRvvbBAoGBAPp2yjhTuchwpVOcGVYnqF1jVgXssSYdiydUglKtxzhta7c23xqK
v5B/cWdsz8mIKFmOcjr97GFUT8K6sZG77im05gDBCV7YuIMwekNmZ3m1MqUWtiZY
sEqCarIYPzQk9iPPxyZrmOVL/5KqlgRj9YmYFzjLpfnaxvk4rIMyVF21AoGBANpu
NLw7LfufPeSbIkSIeZ6X1ndspuZDzWVjgi0hmVdozMwxT1wmfoinJ27gxhKStwmG
9kbYE4QbGBSAlkJqoSf8QWVIH+/Qq9/9mbi1T4p+AgJSYiz1voOGnOk0RoJku6Zn
9XkcGXCUh5ckxWyYbXjHqBqHTXHeJzk9zoRfBuC5AoGBAI1/yPUTkBUGVtCqksHS
u9KuyS2lr9spu7DnlIzjMnbVkpI6hMa49krLRSU6GxXvP2SBDlX3mLDP8hPAZ4s+
0elsErkAVavo4izzmU80rmbbEJamAxgc6NPfZCnjeumZrBlFTGyPQxzf165jg0dN
ta0baJskqktC50BrXULtjy41AoGANa4j06aPlGj8IvRlJYaMrQcPs+XF1o0PKz2b
PlAliS++NOhhYnorWpYJwNwIkYPw66x5VcvAcBTghBld1BC0bkk2IRfqkVstAi0m
3Bfi5lw1TjDE49u46EXqxf0M3vq2ixy9XPgk4GAAOorU4e1L6gTXMT3TMIqyBQVF
fY6E+DECgYEA22HhPud5KLAX6drbMEe54uttiUrs/K3nft/xTYWU1BIG9r/HPKQh
3OWD/Dknek+i5hW89OOROPaUmnjaTR3/ARAxTlpxDdBWKu2mCXS/LcdEWdy7teEu
dDbqqotO4jmTh94FVWgVLDVVmrVSp++fwstI6foPGPABlbsrJxyGUsc=
-----END RSA PRIVATE KEY-----

And I passed this whole string into JWT::encode, and got this output:

eyJ0eXAiOiJKV1QiLCJhbGciOiJSUzI1NiJ9.eyJpYXQiOjE0NzQzOTI0NjQsImV4cCI6MTQ3NDM5NjA2NCwiaXNzIjoyMDF9.ZodSJyrq_SJfLTx4ifnCRWC9cbX1NmqOY3bADcuU7Wc18oZnH3EtZErvLgW6-reuR1-flsNbrji2dL9Zsm3rE-1FtEambcs1Xxynz3PE42yFMimQ5WyiAHdJhbh8-fB0hLIxn2I0oBiJbpZp92Rm2E2xxA1m4lmAubatY0JDR3FS4MmjR-pOZRbkgA4QwaTb0Q7R0tSUaoJo1ETLZoApp5ofsyt5hciB7wogTigA08H4r8TBUuSY4LeHWX9IfmDqHh5gVLDHhFXuLp1Qfm-8ltnLMgcelTmA9QE9NxxVcHQtYvNnE-EvXsh04Oqiyg51eq5cDoc4wA_WhTB4w-9NWg

I store this output (without trailing newline, I can confirm) into a Bash variable $JWT, and tried to access the GitHub API like this:

curl -i -H "Accept: application/vnd.github.machine-man-preview+json"\
        -H "Authorization: Bearer $JWT" https://api.github.com/zen

However, the JSON response from GitHub is:

{
  "message": "Bad credentials",
  "documentation_url": "https://developer.github.com/v3"
}

I suspected that it is failing because GitHub API zen is not applicable to integration tokens, but this does not seem to be the issue. Especially, the message says that it is Bad Credentials. But I have already followed all the steps in the GitHub documentation. Am I writing the PHP script wrongly?

Answer 1

I've spent the past three days banging my head against the 401 bad credentials response.

Having just got it working, I can tell you that your initial assumption was correct: if the endpoint isn't set up for integrations then you'll get a 401 back.

One other thing you should check is that the times you send are integers. Sending floats will result in 401. (I'm using Python, and the datetime class doesn't have a method to convert to the Unix epoch, so I wrote my own which was returning fractions of a second)

So: try your existing code against an endpoint which is documented as enabled for integrations and you'll probably find it works.

Remember that your first request should be to GET /integration/installations with the header Authorization: Bearer $JWT

Then read access_tokens_url from the response, and POST to that URL with the same authorization header as the last request. (If your integration is enabled for more than one installation then you'll have more than one URL)

Then you'll get a token field in the response, at which point you should modify the header so that it's Authorization: token $TOKEN.

You also get an expiry time sent back with the access token, which you should store so you can re-authenticate if necessary.