Add bearer_auth config toggle for Authorization scheme #13400

Open: williammartin wants to merge 1 commit into trunk from wm-uber-auth-schema

williammartin (Member) commented May 12, 2026

Summary

Adds a bearer_auth config setting and GH_BEARER_AUTH environment variable to control the Authorization header scheme used in HTTP requests.

When enabled, Authorization: token <TOKEN> becomes Authorization: Bearer <TOKEN>.

Motivation

Resolves #11727

Enterprise proxy setups (e.g. Envoy/Nginx) may only accept standard Authorization: Bearer or Authorization: Basic schemes, rejecting the GitHub-specific Authorization: token scheme. This blocks the ability to use gh CLI and extensions behind such proxies.

Changes

  • New config key bearer_auth (enabled/disabled, default disabled, per-host configurable)
  • New env var GH_BEARER_AUTH (global override)
  • Updated AddAuthTokenHeader to use Bearer scheme when enabled
  • Threaded bearer auth through all auth flows: login (including --with-token), refresh, status, and OAuth verification
  • Comprehensive tests for config, env var, and HTTP header behavior

Usage

# Set per-host
gh config set --host ghes.company.com bearer_auth enabled

# Or globally via env var
export GH_BEARER_AUTH=1

Companion PR

The corresponding go-gh changes for extension support: cli/go-gh#222
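
The precedence and header formats described in this pull request, as an added Go example that is not the PR's or the gh project's code. The names hostAuth, bearerEnabled, authorizationFor and applyAuth are hypothetical, the boolean parsing of GH_BEARER_AUTH and the empty result for unknown hosts are assumptions, and the hosts and token are constructed sample data.

```go
package main

import (
	"fmt"
	"net/http"
	"os"
	"strconv"
)

// hostAuth is a hypothetical per-host record: stored token and bearer_auth value.
type hostAuth struct{ Token, BearerAuth string }

// Assumption: GH_BEARER_AUTH parses as a boolean and, when set, overrides every host.
func bearerEnabled(h hostAuth) bool {
	if b, err := strconv.ParseBool(os.Getenv("GH_BEARER_AUTH")); err == nil {
		return b
	}
	return h.BearerAuth == "enabled" // anything else means the default, disabled
}

// authorizationFor returns "" for hosts with no stored token (an assumption of this example).
func authorizationFor(hosts map[string]hostAuth, host string) string {
	h, ok := hosts[host]
	if !ok || h.Token == "" {
		return ""
	}
	if bearerEnabled(h) {
		return "Bearer " + h.Token
	}
	return "token " + h.Token
}

// applyAuth sets Authorization on req unless the caller already set one.
func applyAuth(req *http.Request, hosts map[string]hostAuth) {
	v := authorizationFor(hosts, req.URL.Hostname())
	if v != "" && req.Header.Get("Authorization") == "" {
		req.Header.Set("Authorization", v)
	}
}

func main() {
	hosts := map[string]hostAuth{ // constructed sample data
		"github.com":       {Token: "EXAMPLE_TOKEN", BearerAuth: "disabled"},
		"ghes.company.com": {Token: "EXAMPLE_TOKEN", BearerAuth: "enabled"},
	}
	for _, h := range []string{"github.com", "ghes.company.com", "other.example"} {
		fmt.Printf("%-18s %q\n", h, authorizationFor(hosts, h))
	}
}
```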

@williammartin williammartin force-pushed the wm-uber-auth-schema branch 3 times, most recently from 94637de to 340416f Compare May 12, 2026 12:13
Co-authored-by: Copilot <223556219+Copilot@users.noreply.github.com>
@williammartin williammartin force-pushed the wm-uber-auth-schema branch from 340416f to 937d129 Compare May 12, 2026 12:17
@williammartin williammartin marked this pull request as ready for review May 12, 2026 12:35
@williammartin williammartin requested a review from a team as a code owner May 12, 2026 12:35
@williammartin williammartin requested review from BagToad and Copilot May 12, 2026 12:35
Copilot AI (Contributor) left a comment

Pull request overview

Adds a new configuration toggle (bearer_auth) and env var (GH_BEARER_AUTH) to control whether gh uses Authorization: token … (default) or Authorization: Bearer … when attaching auth tokens to HTTP requests, including during login/refresh/status flows.

Changes:

  • Introduces bearer_auth config option (per-host) and AuthConfig.BearerAuth(host) resolution (env var override + config lookup).
  • Updates auth-related HTTP requests and transports to emit Bearer when enabled, and threads the toggle through login, refresh, status, and OAuth viewer verification.
  • Expands tests to cover config/env resolution and Authorization header behavior.
| File | Description |
| --- | --- |
| pkg/cmd/config/list/list_test.go | Updates config listing expectations to include bearer_auth. |
| pkg/cmd/auth/status/status.go | Threads bearer-auth setting into scope lookup during gh auth status. |
| pkg/cmd/auth/shared/oauth_scopes.go | Updates scope-check requests to use the configured Authorization scheme. |
| pkg/cmd/auth/shared/oauth_scopes_test.go | Adds coverage asserting Bearer Authorization header behavior. |
| pkg/cmd/auth/shared/login_flow.go | Threads bearer-auth through login flow and centralizes header formatting in helper. |
| pkg/cmd/auth/refresh/refresh.go | Threads bearer-auth through refresh flow and scope discovery. |
| pkg/cmd/auth/refresh/refresh_test.go | Updates refresh tests for new AuthFlow signature. |
| pkg/cmd/auth/login/login.go | Uses bearer-auth setting when validating token and fetching current login. |
| pkg/cmd/api/api_test.go | Switches some tests to use isolated test config instead of a ConfigMock. |
| internal/gh/mock/config.go | Extends generated ConfigMock with BearerAuth support (but needs import formatting fix). |
| internal/gh/gh.go | Extends gh.Config and gh.AuthConfig interfaces to support bearer-auth. |
| internal/config/stub.go | Ensures config stub forwards BearerAuth lookups. |
| internal/config/config.go | Adds bearer_auth config plumbing, defaults, and env/config resolution in AuthConfig. |
| internal/config/auth_config_test.go | Adds tests for AuthConfig.BearerAuth behavior (default/global/host/env). |
| internal/authflow/flow.go | Threads bearer-auth into OAuth viewer lookup used after OAuth flow. |
| internal/authflow/flow_test.go | Adds test asserting Bearer Authorization header in OAuth viewer lookup. |
| api/http_client.go | Updates AddAuthTokenHeader to select token vs Bearer per host. |
| api/http_client_test.go | Adds coverage for Bearer Authorization header in HTTP client transport. |

Copilot's findings

Files not reviewed (1)
  • internal/gh/mock/config.go: Language not supported
  • Files reviewed: 17/18 changed files
  • Comments generated: 1

Comment on lines 7 to +9
"github.com/cli/cli/v2/internal/gh"
o "github.com/cli/cli/v2/pkg/option"
"sync"
Development

Successfully merging this pull request may close these issues.

Support Authorization: Bearer scheme for internal api calls

2 participants