github / gh-copilot

Ask for assistance right in your terminal.
https://docs.github.com/en/copilot/github-copilot-in-the-cli

[DOCS]: What OAuth scope is required for `gh copilot`? #1

Open gr2m opened 10 months ago

gr2m commented 10 months ago

Describe the need

➜  ~ gh copilot suggest "Receive webhooks locally"     

✗ Error: No valid OAuth token detected

I use a local GITHUB_TOKEN environment variable instead of gh's own credential. What OAuth scope is necessary? Ideally I'd add that information to both the README and the error message.

Version

gh --version
gh version 2.38.0 (2023-11-01)
https://github.com/cli/cli/releases/tag/v2.38.0

I installed the extension just now

Relevant terminal output

➜  ~ gh extension install github/gh-copilot --force
✓ Installed extension github/gh-copilot
➜  ~ gh copilot suggest "Receive webhooks locally"     

✗ Error: No valid OAuth token detected

To get started with GitHub Copilot in the CLI, please run: gh auth login --web -h github.com to authenticate via web browser.

➜  ~ gh auth login --web -h github.com
The value of the GITHUB_TOKEN environment variable is being used for authentication.
To have GitHub CLI store credentials instead, first clear the value from the environment.
➜  ~ gh --version
gh version 2.38.0 (2023-11-01)
https://github.com/cli/cli/releases/tag/v2.38.0

andyfeller commented 10 months ago

Thanks for creating our first issue, @gr2m! 🎉

> ➜  ~ gh auth login --web -h github.com
> The value of the GITHUB_TOKEN environment variable is being used for authentication.
> To have GitHub CLI store credentials instead, first clear the value from the environment.

Since you're overriding the GITHUB_TOKEN, could you confirm that is an OAuth token (`gho...`) or try clearing the environment variable out?

GitHub Copilot in the CLI currently works with OAuth tokens, but we have plans to support PATs in the near term. For now, using a PAT will trigger this error message.

Lastly, there is no new scope for OAuth tokens to work with GitHub Copilot or at least with GitHub Copilot in the CLI.

gr2m commented 10 months ago

> Thanks for creating our first issue, @gr2m! 🎉

🫡

> Since you're overriding the GITHUB_TOKEN, could you confirm that is an OAuth token (`gho...`) or try clearing the environment variable out?

I think it's a classic personal access token ghp_..., which is an OAuth token under the hood right?

curl -H"Authorization: token $GITHUB_TOKEN" https://api.github.com/user -I
HTTP/2 200 
# ...
x-oauth-scopes: notifications, project, repo, workflow, write:org

andyfeller commented 10 months ago

> I think it's a classic personal access token ghp_..., which is an OAuth token under the hood right?

😬 so we might need to improve the messaging here because you need to authenticate via the OAuth app in the web browser, not using a PAT. 🤔

$ gh auth login
? What account do you want to log into? GitHub.com
? What is your preferred protocol for Git operations? HTTPS
? How would you like to authenticate GitHub CLI? Login with a web browser

! First copy your one-time code: X#X#-X#X#
Press Enter to open github.com in your browser...

gabynevada commented 9 months ago

Getting this error when trying to use copilot cli in a codespace. The GITHUB_TOKEN is already set so I have to remove it to perform the login again and then it works.

@user ➜ /workspaces/project (main) $ ?? this is a test

✗ Error: No valid OAuth token detected

To get started with GitHub Copilot in the CLI, please run: gh auth login --web -h github.com to authenticate via web browser.

@user ➜ /workspaces/project(main) $ gh auth login --web -h github.com
The value of the GITHUB_TOKEN environment variable is being used for authentication.
To have GitHub CLI store credentials instead, first clear the value from the environment.

andyfeller commented 9 months ago

> Getting this error when trying to use copilot cli in a codespace. The GITHUB_TOKEN is already set so I have to remove it to perform the login again and then it works.
>
> @user ➜ /workspaces/project (main) $ ?? this is a test
>
> ✗ Error: No valid OAuth token detected
>
> To get started with GitHub Copilot in the CLI, please run: gh auth login --web -h github.com to authenticate via web browser.
>
> @user ➜ /workspaces/project(main) $ gh auth login --web -h github.com
> The value of the GITHUB_TOKEN environment variable is being used for authentication.
> To have GitHub CLI store credentials instead, first clear the value from the environment.

Thank you for adding to this issue, @gabynevada! This is absolutely a limitation with the current way GitHub Codespaces provides an automatic token when a codespace is created.

As mentioned in "Troubleshooting authentication to a repository", this token is not a standard personal access token (PAT) or a token from authenticating GitHub or OAuth app but a user-to-server token (`ghu...`).

Internally, discussions on how to extend Copilot integration support to PATs have been under discussion. I will make sure to bring up this aspect of leveraging with Codespaces ❤

WarmongeringBeaver commented 8 months ago

Is there any way currently to obtain a valid OAuth token without opening a web browser? In a headless environment this is quite cumbersome.

pentago commented 8 months ago

Also interested..

gr2m commented 8 months ago

> Is there any way currently to obtain a valid OAuth token without opening a web browser? In a headless environment this is quite cumbersome.

Yes, kind of, using the device flow: https://docs.github.com/en/apps/oauth-apps/building-oauth-apps/authorizing-oauth-apps#device-flow

I think it's off topic for this question though, best to ask in https://github.com/orgs/community/discussions/categories/api-and-webhooks, feel free to ping me in there

LukeHendrick commented 7 months ago

I use 1Password to store my PAT, which has its own plugin for gh.

Just wanted to throw out another use case where OAuth is cumbersome

bd82 commented 6 months ago

Hello @andyfeller

My specific question is not about the CLI but it seems very related to the topic and I'm hoping you can assist.

You wrote:

> Lastly, there is no new scope for OAuth tokens to work with GitHub Copilot or at least with GitHub Copilot in the CLI.

Question

Does this mean that the copilot access does not go through any scope? That it is instead the approval for a specific client_id of the OAuth app which provides the authorization for copilot?

Is there a way to get a custom OAuth app to be able to approve github copilot in the device flow?

andyfeller commented 6 months ago

> Is there a way to get a custom OAuth app to be able to approve github copilot in the device flow?

@bd82 : No, not currently. 😞

I have hopes given work around improving rate limit handling with the GitHub Copilot platform that this might change in the future. For now, GitHub Copilot in the CLI is only accessible via the GitHub CLI OAuth app.

bd82 commented 6 months ago

Thanks for the information @andyfeller

diminutivesloop commented 5 months ago

My team is currently using PATs for installing npm packages from GitHub packages. Having to clear out that token from my environment every time I want to use this plugin isn't practical.

andyfeller commented 4 months ago

> My team is currently using PATs for installing npm packages from GitHub packages. Having to clear out that token from my environment every time I want to use this plugin isn't practical.

@diminutivesloop : Could you share more about how your team is using gh for installing npm packages?

I know some GitHub APIs don't support GitHub or OAuth tokens, which might be why your team needs a PAT working with npm. However the GitHub CLI doesn't have any npm or GitHub packages support, so I assume your team is reusing gh as a generic token storage and integration tool.

diminutivesloop commented 4 months ago

@andyfeller We're not using gh directly, but in our projects we have our .npmrc configured as follows to authenticate against https://npm.pkg.github.com/ for private-scoped packages:

//npm.pkg.github.com/:_authToken=${GITHUB_TOKEN}
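
An added example, not part of the original thread or the gh-copilot project: a POSIX shell helper that classifies the environment token by the prefixes named in this thread (`gho_`, `ghp_`, `ghu_`, plus `github_pat_` for fine-grained PATs) and runs `gh copilot` with the environment tokens unset for that single process only. The function names and the `ghcp` wrapper are hypothetical, and it assumes a stored credential from `gh auth login --web` already exists.

```shell
#!/bin/sh
# Added example (not part of gh or gh-copilot). Token values are never printed.

# Classify a token by prefix only; the secret itself is not echoed.
token_kind() {
  case "$1" in
    "")           echo "unset" ;;
    gho_*)        echo "oauth" ;;            # OAuth app token, e.g. from gh auth login --web
    ghp_*)        echo "classic-pat" ;;      # classic personal access token
    github_pat_*) echo "fine-grained-pat" ;; # fine-grained personal access token
    ghu_*)        echo "user-to-server" ;;   # e.g. the token Codespaces injects
    *)            echo "unknown" ;;
  esac
}

# Name of the variable gh would read: GH_TOKEN takes precedence over GITHUB_TOKEN.
env_token_source() {
  if [ -n "${GH_TOKEN:-}" ]; then echo "GH_TOKEN"
  elif [ -n "${GITHUB_TOKEN:-}" ]; then echo "GITHUB_TOKEN"
  else echo "none"
  fi
}

# Succeeds when no environment token would shadow gh's stored OAuth credential.
# A gho_ prefix cannot show which OAuth app issued the token, so this is a coarse
# check; the thread says only the GitHub CLI OAuth app is accepted.
copilot_env_ok() {
  case "$(token_kind "${GH_TOKEN:-${GITHUB_TOKEN:-}}")" in
    unset|oauth) return 0 ;;
    *)           return 1 ;;
  esac
}

# Hypothetical wrapper: run gh copilot with the environment tokens removed for
# that one process, so GITHUB_TOKEN stays exported for npm and other tools.
ghcp() {
  if copilot_env_ok; then
    gh copilot "$@"
  else
    ( unset GH_TOKEN GITHUB_TOKEN; exec gh copilot "$@" )
  fi
}
```

Sourced from a shell profile, `ghcp suggest "..."` leaves the PAT in the parent shell untouched, so the `.npmrc` substitution above keeps working.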

chris4prez commented 2 weeks ago

> I use 1Password to store my PAT, which has its own plugin for gh.
>
> Just wanted to throw out another use case where OAuth is cumbersome

Running into the same issue here and want to continue to use my 1Password saved PAT as it's too handy to auth with biometrics and not looking to remove this workflow. Hopefully PATs are on the roadmap to become an acceptable solution soon... Looks like it was mentioned almost a year ago on the roadmap but still not available.