Closed nating closed 7 years ago
Unfortunately not.
The docs for doing OAuth without the web flow involve signing in with basic authentication and creating an authorization on behalf of the user. But that still requires their input.
Alternatively, if the user can provide a personal access token you can use that for credentials and get a higher rate limit - however it's not associated with your application.
Thanks for getting back Brendan. That's unfortunate.
We are building a chatbot to interact with GitHub and were hoping it could scale to more than 60 queries per hour. Do you think creating a personal access key to be associated with the application so that it can have its higher rate limit would be a good idea?
> Do you think creating a personal access key to be associated with the application so that it can have its higher rate limit would be a good idea?
The OAuth token represents the relationship between a user and an application - that doesn't feel relevant here as it sounds like you don't need to have everyone authenticate against the application. Personal access tokens are great for testing and prototyping, but they are tied to a real account - combining whatever the real account has access to with the scopes you give the token.
So there's a concept called "machine accounts" which I'll point out here. From the Terms of Service page:
> A machine account is an account set up by an individual human who accepts the Terms on behalf of the account, provides a valid email address, and is responsible for its actions. A machine account is used exclusively for performing automated tasks. Multiple users may direct the actions of a machine account, but the owner of the account is ultimately responsible for the machine's actions. You may maintain no more than one free machine account in addition to your free personal account.
What I'd do to simplify things without having to worry about OAuth:
- create a machine account, add it as a member of your organization and give it access to the appropriate teams and repositories it needs to get stuff done
- GitHubClient.Credentials whenever your chatbot needs to interact with the GitHub API

It avoids the whole OAuth application setup and management, but it doesn't sound like something you need here.
This is what we've done with our Slack bot for releasing Octopus and it works well! 😄
Agree that a "machine account" with a personal access token sounds like the way to handle this. We also have a release/helper bot that uses this approach.
I'm going to close out this issue, but feel free to comment further or re-open if you need to, @nating.
Thank you all for your help. We set up a machine account for the application and are achieving our higher rate-limit.
Is there a way to authenticate an application so that it can have a higher rate limit, without web-flow? So that the application can just use its clientID & clientSecret to get a higher rate limit without any information about the user?
It seems that the only way to authenticate an app needs 'code' from the callback of the web-flow when a user permits access to the application.
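An added example, not code from any participant in this thread or from the Octokit.net project, of the machine-account approach discussed above: the bot loads the machine account's personal access token from the environment, assigns it to `GitHubClient.Credentials`, then checks the rate limit and the token's scopes from the last response. The environment variable name `CHATBOT_GITHUB_TOKEN` and the product header `example-chatbot` are assumptions.

```csharp
using System;
using System.Threading.Tasks;
using Octokit;

public static class ChatbotGitHub
{
    // Assumed variable name; keep the token out of source control and chat logs.
    private const string TokenVariable = "CHATBOT_GITHUB_TOKEN";

    public static GitHubClient CreateClient()
    {
        var token = Environment.GetEnvironmentVariable(TokenVariable);
        if (string.IsNullOrWhiteSpace(token))
        {
            // Fail closed instead of silently running anonymously at the low limit.
            throw new InvalidOperationException($"{TokenVariable} is not set.");
        }

        return new GitHubClient(new ProductHeaderValue("example-chatbot"))
        {
            Credentials = new Credentials(token)
        };
    }

    public static async Task Main()
    {
        var client = CreateClient();

        // Any authenticated call works; this one confirms which account owns the token.
        var account = await client.User.Current();
        Console.WriteLine($"Authenticated as {account.Login}");

        var info = client.GetLastApiInfo();
        if (info == null) return;

        // The token acts with the account's access combined with these scopes,
        // so review them and keep them as narrow as the bot's tasks allow.
        Console.WriteLine($"Token scopes: {string.Join(", ", info.OauthScopes)}");

        var rate = info.RateLimit;
        Console.WriteLine($"{rate.Remaining}/{rate.Limit} requests left, resets {rate.Reset:u}");
        if (rate.Limit <= 60)
            Console.WriteLine("Warning: still at the unauthenticated limit; check the token.");

        // Wait for the window to reset rather than hammering the API when exhausted.
        var wait = rate.Reset - DateTimeOffset.UtcNow;
        if (rate.Remaining == 0 && wait > TimeSpan.Zero) await Task.Delay(wait);
    }
}
```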