[RANCHER-171] Replace Rancher GitHub token for security Created: 26/Jul/21  Updated: 25/Aug/22  Resolved: 25/Aug/22

Status: Closed
Project: rancher
Components: None
Affects versions: None
Fix versions: None

Type: Task Priority: P3
Reporter: Julian Ladisch Assignee: kseniia_dubniak
Resolution: Done Votes: 0
Labels: reviewed, security, security-reviewed
Remaining Estimate: Not Specified
Time Spent: Not Specified
Original estimate: Not Specified

Issue links:
Duplicate: is duplicated by FOLIO-3169 Update FOLIO Rancher OAUTH token (Open)
Sprint: Kitfox: sprint 146, Kitfox: sprint 133, Kitfox: sprint 147, Kitfox: sprint 134
Story Points: 2
Development Team: Kitfox

Description

Purpose/Overview:

Rancher has a GitHub token that still uses the old GitHub authentication format.

Reset that token and replace it with a token in the new GitHub authentication format for better security.

Notices from GitHub:

We noticed that an application, FOLIO Rancher, owned by an organization you are an admin of, folio-org, used a token with an outdated format to access the GitHub API on August 20th, 2021 at 00:00 (UTC), with a user-agent header of Mozilla/5.0 (Macintosh; Intel Mac OS X 10_10_5) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/51.0.2704.103 Safari/537.36).

In order to provide additional security benefits to all our customers, we recently updated the format of our API authentication tokens. We encourage you to reset any authentication tokens used by this app, as well as tokens used by any other apps you may have, with our reset token API <https://docs.github.com/en/rest/reference/apps#reset-a-token/>.

Alternatively, you can prompt your users to step through the authorization flow again, as outlined in the docs for either GitHub Apps <https://docs.github.com/en/developers/apps/identifying-and-authorizing-users-for-github-apps> or OAuth Apps <https://docs.github.com/en/developers/apps/authorizing-oauth-apps>.

To understand more about this change and why it's important, visit https://github.blog/2021-04-05-behind-githubs-new-authentication-token-formats.

 

We noticed that an application, FOLIO Rancher, owned by an organization you are an admin of, folio-org, used a token with an outdated format to access the GitHub API on October 20th, 2021 at 00:00 (UTC), with a user-agent header of Mozilla/5.0 (Macintosh; Intel Mac OS X 10_10_5) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/51.0.2704.103 Safari/537.36).

In order to provide additional security benefits to all our customers, we recently updated the format of our API authentication tokens. We encourage you to reset any authentication tokens used by this app, as well as tokens used by any other apps you may have, with our reset token API <https://docs.github.com/en/rest/reference/apps#reset-a-token/>.

Alternatively, you can prompt your users to step through the authorization flow again, as outlined in the docs for either GitHub Apps <https://docs.github.com/en/developers/apps/identifying-and-authorizing-users-for-github-apps> or OAuth Apps <https://docs.github.com/en/developers/apps/authorizing-oauth-apps>.

To understand more about this change and why it's important, visit https://github.blog/2021-04-05-behind-githubs-new-authentication-token-formats.

 

We noticed that an application, FOLIO Rancher, owned by an organization you are an admin of, folio-org, used a token with an outdated format to access the GitHub API on November 20th, 2021 at 00:00 (UTC), with a user-agent header of Mozilla/5.0 (Macintosh; Intel Mac OS X 10_10_5) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/51.0.2704.103 Safari/537.36).

In order to provide additional security benefits to all our customers, we recently updated the format of our API authentication tokens. We encourage you to reset any authentication tokens used by this app, as well as tokens used by any other apps you may have, with our reset token API <https://docs.github.com/en/rest/reference/apps#reset-a-token/>.

Alternatively, you can prompt your users to step through the authorization flow again, as outlined in the docs for either GitHub Apps <https://docs.github.com/en/developers/apps/identifying-and-authorizing-users-for-github-apps> or OAuth Apps <https://docs.github.com/en/developers/apps/authorizing-oauth-apps>.

To understand more about this change and why it's important, visit https://github.blog/2021-04-05-behind-githubs-new-authentication-token-formats.

 

We noticed that an application, FOLIO Rancher, owned by an organization you are an admin of, folio-org, used a token with an outdated format to access the GitHub API on December 20th, 2021 at 00:00 (UTC), with a user-agent header of Mozilla/5.0 (Macintosh; Intel Mac OS X 10_10_5) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/51.0.2704.103 Safari/537.36).

In order to provide additional security benefits to all our customers, we recently updated the format of our API authentication tokens. We encourage you to reset any authentication tokens used by this app, as well as tokens used by any other apps you may have, with our reset token API <https://docs.github.com/en/rest/reference/apps#reset-a-token/>.

Alternatively, you can prompt your users to step through the authorization flow again, as outlined in the docs for either GitHub Apps <https://docs.github.com/en/developers/apps/identifying-and-authorizing-users-for-github-apps> or OAuth Apps <https://docs.github.com/en/developers/apps/authorizing-oauth-apps>.

To understand more about this change and why it's important, visit https://github.blog/2021-04-05-behind-githubs-new-authentication-token-formats.

We noticed that an application, FOLIO Rancher, owned by an organization you are an admin of, folio-org, used a token with an outdated format to access the GitHub API on January 20th, 2022 at 00:00 (UTC), with a user-agent header of Mozilla/5.0 (Macintosh; Intel Mac OS X 10_10_5) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/51.0.2704.103 Safari/537.36).

In order to provide additional security benefits to all our customers, we recently updated the format of our API authentication tokens. We encourage you to reset any authentication tokens used by this app, as well as tokens used by any other apps you may have, with our reset token API <https://docs.github.com/en/rest/reference/apps#reset-a-token/>.

Alternatively, you can prompt your users to step through the authorization flow again, as outlined in the docs for either GitHub Apps <https://docs.github.com/en/developers/apps/identifying-and-authorizing-users-for-github-apps> or OAuth Apps <https://docs.github.com/en/developers/apps/authorizing-oauth-apps>.

To understand more about this change and why it's important, visit https://github.blog/2021-04-05-behind-githubs-new-authentication-token-formats.

We noticed that an application, FOLIO Rancher, owned by an organization you are an admin of, folio-org, used a token with an outdated format to access the GitHub API on February 20th, 2022 at 00:00 (UTC), with a user-agent header of Mozilla/5.0 (Macintosh; Intel Mac OS X 10_10_5) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/51.0.2704.103 Safari/537.36).

In order to provide additional security benefits to all our customers, we recently updated the format of our API authentication tokens. We encourage you to reset any authentication tokens used by this app, as well as tokens used by any other apps you may have, with our reset token API <https://docs.github.com/en/rest/reference/apps#reset-a-token/>.

Alternatively, you can prompt your users to step through the authorization flow again, as outlined in the docs for either GitHub Apps <https://docs.github.com/en/developers/apps/identifying-and-authorizing-users-for-github-apps> or OAuth Apps <https://docs.github.com/en/developers/apps/authorizing-oauth-apps>.

To understand more about this change and why it's important, visit https://github.blog/2021-04-05-behind-githubs-new-authentication-token-formats.

We noticed that an application, FOLIO Rancher, owned by an organization you are an admin of, folio-org, used a token with an outdated format to access the GitHub API on March 20th, 2022 at 00:00 (UTC), with a user-agent header of Mozilla/5.0 (Macintosh; Intel Mac OS X 10_10_5) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/51.0.2704.103 Safari/537.36).

In order to provide additional security benefits to all our customers, we recently updated the format of our API authentication tokens. We encourage you to reset any authentication tokens used by this app, as well as tokens used by any other apps you may have, with our reset token API <https://docs.github.com/en/rest/reference/apps#reset-a-token/>.

Alternatively, you can prompt your users to step through the authorization flow again, as outlined in the docs for either GitHub Apps <https://docs.github.com/en/developers/apps/identifying-and-authorizing-users-for-github-apps> or OAuth Apps <https://docs.github.com/en/developers/apps/authorizing-oauth-apps>.

To understand more about this change and why it's important, visit https://github.blog/2021-04-05-behind-githubs-new-authentication-token-formats.

We noticed that an application, FOLIO Rancher, owned by an organization you are an admin of, folio-org, used a token with an outdated format to access the GitHub API on April 20th, 2022 at 00:00 (UTC), with a user-agent header of Mozilla/5.0 (Macintosh; Intel Mac OS X 10_10_5) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/51.0.2704.103 Safari/537.36).

In order to provide additional security benefits to all our customers, we recently updated the format of our API authentication tokens. We encourage you to reset any authentication tokens used by this app, as well as tokens used by any other apps you may have, with our reset token API <https://docs.github.com/en/rest/reference/apps#reset-a-token/>.

Alternatively, you can prompt your users to step through the authorization flow again, as outlined in the docs for either GitHub Apps <https://docs.github.com/en/developers/apps/identifying-and-authorizing-users-for-github-apps> or OAuth Apps <https://docs.github.com/en/developers/apps/authorizing-oauth-apps>.

To understand more about this change and why it's important, visit https://github.blog/2021-04-05-behind-githubs-new-authentication-token-formats.

We noticed that an application, FOLIO Rancher, owned by an organization you are an admin of, folio-org, used a token with an outdated format to access the GitHub API on May 20th, 2022 at 00:00 (UTC), with a user-agent header of Mozilla/5.0 (Macintosh; Intel Mac OS X 10_10_5) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/51.0.2704.103 Safari/537.36).

In order to provide additional security benefits to all our customers, we recently updated the format of our API authentication tokens. We encourage you to reset any authentication tokens used by this app, as well as tokens used by any other apps you may have, with our reset token API <https://docs.github.com/en/rest/reference/apps#reset-a-token/>.

Alternatively, you can prompt your users to step through the authorization flow again, as outlined in the docs for either GitHub Apps <https://docs.github.com/en/developers/apps/identifying-and-authorizing-users-for-github-apps> or OAuth Apps <https://docs.github.com/en/developers/apps/authorizing-oauth-apps>.

To understand more about this change and why it's important, visit https://github.blog/2021-04-05-behind-githubs-new-authentication-token-formats.

We noticed that an application, FOLIO Rancher, owned by an organization you are an admin of, folio-org, used a token with an outdated format to access the GitHub API on June 20th, 2022 at 00:00 (UTC), with a user-agent header of Mozilla/5.0 (Macintosh; Intel Mac OS X 10_10_5) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/51.0.2704.103 Safari/537.36).

In order to provide additional security benefits to all our customers, we recently updated the format of our API authentication tokens. We encourage you to reset any authentication tokens used by this app, as well as tokens used by any other apps you may have, with our reset token API <https://docs.github.com/en/rest/reference/apps#reset-a-token/>.

Alternatively, you can prompt your users to step through the authorization flow again, as outlined in the docs for either GitHub Apps <https://docs.github.com/en/developers/apps/identifying-and-authorizing-users-for-github-apps> or OAuth Apps <https://docs.github.com/en/developers/apps/authorizing-oauth-apps>.

To understand more about this change and why it's important, visit https://github.blog/2021-04-05-behind-githubs-new-authentication-token-formats.

We noticed that an application, FOLIO Rancher, owned by an organization you are an admin of, folio-org, used a token with an outdated format to access the GitHub API on July 20th, 2022 at 00:00 (UTC), with a user-agent header of Mozilla/5.0 (Macintosh; Intel Mac OS X 10_10_5) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/51.0.2704.103 Safari/537.36).

In order to provide additional security benefits to all our customers, we recently updated the format of our API authentication tokens. We encourage you to reset any authentication tokens used by this app, as well as tokens used by any other apps you may have, with our reset token API <https://docs.github.com/en/rest/reference/apps#reset-a-token/>.

Alternatively, you can prompt your users to step through the authorization flow again, as outlined in the docs for either GitHub Apps <https://docs.github.com/en/developers/apps/identifying-and-authorizing-users-for-github-apps> or OAuth Apps <https://docs.github.com/en/developers/apps/authorizing-oauth-apps>.

To understand more about this change and why it's important, visit https://github.blog/2021-04-05-behind-githubs-new-authentication-token-formats.


Comments
Comment by Craig McNally [ 20/Jan/22 ]

Assigning to Kitfox, as I believe they manage the scratch/rancher envs.  attn. Dilshod_Khusanov 

FYI Jakub Skoczen - it isn't clear if the DevOps team needs to do anything here, or if Kitfox can handle it on their own.

Comment by John Malconian [ 25/Feb/22 ]

This is the client key owned by the FOLIO Rancher OAUTH app which is managed in the top-level github.com/folio-org settings. The key was used on a per project basis in Rancher to configure access to all FOLIO repos (github.com/folio-org) for use in Rancher Pipelines. It doesn't appear that most Rancher projects even have this configured. If we are no longer supporting or using Rancher pipelines, we can revoke the existing key and not generate a new one. The client id associated with this key is: 8fd55ccf70c14f6f530e.

Let me know what you want to do.

Comment by John Malconian [ 25/Feb/22 ]

Example where this is configured: https://rancher.dev.folio.org/p/c-479xv:p-8gnfv/pipeline

Comment by Vasili Kapylou (Inactive) [ 28/Feb/22 ]

John Malconian So, we have two things. The first is Rancher authentication, which uses the GitHub token, and the second is Rancher Pipelines, which you described. As far as I know, we don't use Rancher Pipelines at all (especially my team), but for Rancher authentication I think we use the same GitHub token.

Comment by John Malconian [ 28/Feb/22 ]

Ahh. Ok. Thanks, Former user. I'll verify that and update the token for Rancher authentication and make the change in Rancher if that is the case.

Comment by John Malconian [ 28/Feb/22 ]

Vasili Kapylou I've generated a new github OAUTH token and reconfigured Rancher authentication to use the new token. You can close this issue unless you notice any problems.

Comment by Vasili Kapylou (Inactive) [ 01/Mar/22 ]

Everything is working fine. Thank you John Malconian

Comment by Julian Ladisch [ 22/Mar/22 ]

Reopening because GitHub reports that the token with an outdated format is still in use, see Jira description.

Comment by Julian Ladisch [ 20/Apr/22 ]

GitHub reports that the outdated token format is still in use.

Comment by John Malconian [ 23/Aug/22 ]

The new token (client ID and client secret) is stored in AWS Secrets Manager (us-east-1). The secret name is called 'folio-rancher-ci-oauth'. The old token has a client ID of 8fd55ccf70c14f6f530e and a client secret that ends in 'aefb405d'. Hopefully that will help find the old token in Rancher.

Comment by Julian Ladisch [ 23/Aug/22 ]

GitHub did NOT repeat the notice on August 20th, 2022. It seems that the issue has been resolved. Thanks!

Comment by kseniia_dubniak [ 25/Aug/22 ]

If it happens again, the task needs to be assigned to a person who has admin rights in GitHub and is able to work with OAuth Apps.

The token needs to be checked: https://docs.github.com/en/rest/apps/oauth-applications#check-a-token

And if it is not a suitable GitHub token, try to reset it: https://docs.github.com/en/rest/apps/oauth-applications#reset-a-token

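One way to carry out the check-then-reset procedure from the last comment against the two OAuth-app endpoints it links, as an added example that is not the ticket's or FOLIO's own tooling: it classifies a token by the prefix scheme GitHub introduced in 2021 (the github.blog post linked in the description), redacts secrets for logging the way the ticket identifies the old one by its last characters, and builds the Basic-authenticated check (POST) and reset (PATCH) requests to /applications/{client_id}/token. The GH_CLIENT_ID, GH_CLIENT_SECRET and GH_TOKEN environment variable names are assumptions.

```python
import base64
import json
import os
import urllib.request

API = "https://api.github.com"
# Prefixes of GitHub's 2021 token formats (see the github.blog post linked in the
# description); pre-2021 OAuth tokens and client secrets are bare 40-char hex.
NEW_PREFIXES = ("ghp_", "gho_", "ghu_", "ghs_", "ghr_")
HEX = set("0123456789abcdef")


def token_format(token: str) -> str:
    """'new' for a prefixed token, 'legacy' for a bare 40-char hex one."""
    if token.startswith(NEW_PREFIXES):
        return "new"
    if len(token) == 40 and set(token) <= HEX:
        return "legacy"
    return "unknown"


def redact(secret: str, keep: int = 8) -> str:
    """Log only the tail of a secret, as the ticket identifies the old one."""
    return "..." + secret[-keep:]


def basic_auth(client_id: str, client_secret: str) -> str:
    """OAuth-app endpoints authenticate with Basic client_id:client_secret."""
    return "Basic " + base64.b64encode(f"{client_id}:{client_secret}".encode()).decode()


def token_request(client_id, client_secret, token, action):
    """Build the check-a-token (POST) or reset-a-token (PATCH) request for
    /applications/{client_id}/token; the token under test goes in the JSON body."""
    method = {"check": "POST", "reset": "PATCH"}[action]
    headers = {"Authorization": basic_auth(client_id, client_secret),
               "Accept": "application/vnd.github+json",
               "Content-Type": "application/json"}
    return urllib.request.Request(f"{API}/applications/{client_id}/token",
                                  data=json.dumps({"access_token": token}).encode(),
                                  headers=headers, method=method)


if __name__ == "__main__":
    # Credentials come from the environment (assumed variable names), never from a ticket.
    cid, csec, tok = (os.environ[k] for k in ("GH_CLIENT_ID", "GH_CLIENT_SECRET", "GH_TOKEN"))
    with urllib.request.urlopen(token_request(cid, csec, tok, "check")) as r:
        print("valid", redact(tok), token_format(tok), json.load(r).get("scopes"))
    if token_format(tok) == "legacy":  # an HTTPError 404 above means it is already invalid
        with urllib.request.urlopen(token_request(cid, csec, tok, "reset")) as r:
            print("reset issued", redact(json.load(r)["token"]))  # old token now invalid
```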
Generated at Thu Feb 08 23:26:43 UTC 2024 using Jira 1001.0.0-SNAPSHOT#100246-sha1:7a5c50119eb0633d306e14180817ddef5e80c75d.