[DOCS]: What OAuth scope is required for gh copilot?

[gr2m]

Describe the need

➜  ~ gh copilot suggest "Receive webhooks locally"     

✗ Error: No valid OAuth token detected

I use a local GITHUB_TOKEN environment variable instead of gh's own credential. What OAuth scope is necessary? Ideally I'd add that information to both the README and the error message

Version

gh --version
gh version 2.38.0 (2023-11-01)
https://github.com/cli/cli/releases/tag/v2.38.0

I installed the extension just now

Relevant terminal output

➜  ~ gh extension install github/gh-copilot --force
✓ Installed extension github/gh-copilot
➜  ~ gh copilot suggest "Receive webhooks locally"     

✗ Error: No valid OAuth token detected

To get started with GitHub Copilot in the CLI, please run: gh auth login --web -h github.com to authenticate via web browser.

➜  ~ gh auth login --web -h github.com
The value of the GITHUB_TOKEN environment variable is being used for authentication.
To have GitHub CLI store credentials instead, first clear the value from the environment.
➜  ~ gh --version
gh version 2.38.0 (2023-11-01)
https://github.com/cli/cli/releases/tag/v2.38.0

[andyfeller]

Thanks for creating our first issue, @gr2m! 🎉

➜  ~ gh auth login --web -h github.com
The value of the GITHUB_TOKEN environment variable is being used for authentication.
To have GitHub CLI store credentials instead, first clear the value from the environment.

Since you're overriding the GITHUB_TOKEN, could you confirm that is a OAuth token (gho_...) or try clearing the environment variable out?

GitHub Copilot in the CLI currently works with OAuth tokens, but we have plans to support PATs in the near term. For now, using a PAT will trigger this error message.

Lastly, there is no new scope for OAuth tokens to work with GitHub Copilot or atleast with GitHub Copilot in the CLI.

[gr2m]

Thanks for creating our first issue, @gr2m! 🎉

🫡

Since you're overriding the GITHUB_TOKEN, could you confirm that is a OAuth token (gho_...) or try clearing the environment variable out?

I think it's a classic personal access token ghp_..., which is an OAuth token under the hood right?

curl -H"Authorization: token $GITHUB_TOKEN" https://github.com/api/user -I
HTTP/2 200 
# ...
x-oauth-scopes: notifications, project, repo, workflow, write:org

[andyfeller]

I think it's a classic personal access token ghp_..., which is an OAuth token under the hood right?

😬 so we might need to improve the messaging here because you need to authenticate via the OAuth app in the web browser, not using a PAT. 🤔

$ gh auth login
? What account do you want to log into? GitHub.com
? What is your preferred protocol for Git operations? HTTPS
? How would you like to authenticate GitHub CLI? Login with a web browser

! First copy your one-time code: X#X#-X#X#
Press Enter to open github.com in your browser...

[gabynevada]

Getting this error when trying to use copilot cli in a codespace. The GITHUB_TOKEN is already set so I have to remove it to perform the login again and then it works.

@user ➜ /workspaces/project (main) $ ?? this is a test

✗ Error: No valid OAuth token detected

To get started with GitHub Copilot in the CLI, please run: gh auth login --web -h github.com to authenticate via web browser.

@user ➜ /workspaces/project(main) $ gh auth login --web -h github.com
The value of the GITHUB_TOKEN environment variable is being used for authentication.
To have GitHub CLI store credentials instead, first clear the value from the environment.

[andyfeller]

Getting this error when trying to use copilot cli in a codespace. The GITHUB_TOKEN is already set so I have to remove it to perform the login again and then it works.

@user ➜ /workspaces/project (main) $ ?? this is a test

✗ Error: No valid OAuth token detected

To get started with GitHub Copilot in the CLI, please run: gh auth login --web -h github.com to authenticate via web browser.

@user ➜ /workspaces/project(main) $ gh auth login --web -h github.com
The value of the GITHUB_TOKEN environment variable is being used for authentication.
To have GitHub CLI store credentials instead, first clear the value from the environment.

Thank you for adding to this issue, @gabynevada! This is absolutely a limitation with the current way GitHub Codespaces provides an automatic token when a codespace is created.

As mentioned in "Troubleshooting authentication to a repository", this token is not a standard personal access token (PAT) or a token from authenticating GitHub or OAuth app but a user-to-server token (ghu_...).

Internally, discussions on how to extend Copilot integration support to PATs has been under discussion. I will make sure to bring up this aspect of leveraging with Codespaces ❤

[thethomasboyer]

Is there any way currently to obtain a valid OAuth token without opening a web browser? In a headless environment this is quite cumbersome.

[pentago]

Also interested..

[gr2m]

Is there any way currently to obtain a valid OAuth token without opening a web browser? In a headless environment this is quite cumbersome.

Yes, kind of, using the device flow:
https://docs.github.com/en/apps/oauth-apps/building-oauth-apps/authorizing-oauth-apps#device-flow

I think it's off topic for this question though, best to ask in https://github.com/orgs/community/discussions/categories/api-and-webhooks, feel free to ping me in there

[LukeHendrick]

I use 1Password to store my PAT, which has its own plugin for gh.

Just wanted to throw out another use case where OAuth is cumbersome

[bd82]

Hello @andyfeller

My specific question is not about the CLI but it seems very related to the topic and I'm hoping you can assist.

You wrote:

Lastly, there is no new scope for OAuth tokens to work with GitHub Copilot or atleast with GitHub Copilot in the CLI.

Question

Does this mean that the copilot access does not go through any scope?
That it is instead the approval for a specific client_id of the oAuth app which provides the authorization for copilot?

Is there a way to get a custom oAuth app to be able to approve github copilot in the device flow?

• https://docs.github.com/en/apps/oauth-apps/building-oauth-apps/authorizing-oauth-apps#device-flow
• It seems to have been done for the github copilot Plugin for JetBrains products.

[andyfeller]

Is there a way to get a custom oAuth app to be able to approve github copilot in the device flow?

@bd82 : No, not currently. 😞

I have hopes given work around improving rate limit handling with the GitHub Copilot platform that this might change in the future. For now, GitHub Copilot in the CLI is only accessible via the GitHub CLI OAuth app.

[bd82]

Thanks for the information @andyfeller

[diminutivesloop]

My team is currently using PATs for installing npm packages from GitHub packages. Having to clear out that token from my environment every time I want to use this plugin isn't practical.

[andyfeller]

My team is currently using PATs for installing npm packages from GitHub packages. Having to clear out that token from my environment every time I want to use this plugin isn't practical.

@diminutivesloop : Could you share more about how your team is using gh for installing npm packages?

I know some GitHub APIs don't support GitHub or OAuth tokens, which might be why your team needs a PAT working with npm. However the GitHub CLI doesn't have any npm or GitHub packages support, so I assume your team is reusing gh as a generic token storage and integration tool.

[diminutivesloop]

@andyfeller We're not using gh directly, but in our projects we have our .npmrc configured as follows to authenticate against https://npm.pkg.github.com/ for private-scoped packages:

//npm.pkg.github.com/:_authToken=${GITHUB_TOKEN}

[chris4prez]

I use 1Password to store my PAT, which has its own plugin for gh.

Just wanted to throw out another use case where OAuth is cumbersome

Running into the same issue here and want to continue to use my 1password saved PAT as it's too handy to auth with biometrics and not looking to remove this workflow. Hopefully PAT are on the roadmap to become an acceptable solution soon.... Looks like it was mentioned almost a year ago on the roadmap but still not available.

[jtabox]

For now, GitHub Copilot in the CLI is only accessible via the GitHub CLI OAuth app.

Maybe I'm wrong, but I feel like this should be mentioned somewhere more central than in the nth reply in a 1-year old issue. It's quite an important thing to know before deciding to use CLI-Copilot, especially since the only solution seems to be "stop using $GITHUB_TOKEN altogether", even though it's supported by the rest of GitHub CLI and it's essentially the one of the two available ways recommended for authentication.

Not trying to be a Negative Nancy, it's just weird that such a limiting factor isn't mentioned anywhere else in the repo that would be more visible. Besides the the main README, there's multiple spots in the GitHub Copilot in the CLI documentation where this could be mentioned.

[andyfeller]

For now, GitHub Copilot in the CLI is only accessible via the GitHub CLI OAuth app.

Maybe I'm wrong, but I feel like this should be mentioned somewhere more central than in the nth reply in a 1-year old issue. It's quite an important thing to know before deciding to use CLI-Copilot, especially since the only solution seems to be "stop using $GITHUB_TOKEN altogether", even though it's supported by the rest of GitHub CLI and it's essentially the one of the two available ways recommended for authentication.

@jtabox : What would you recommend beyond the following in the quickstart doc section of the repo docs?

gh-copilot/README.md

Lines 16 to 19 in ce71f26

	1. Authenticate with GitHub CLI OAuth app
	```shell
	gh auth login --web -h github.com
	```

[jtabox]

For now, GitHub Copilot in the CLI is only accessible via the GitHub CLI OAuth app.

Maybe I'm wrong, but I feel like this should be mentioned somewhere more central than in the nth reply in a 1-year old issue. It's quite an important thing to know before deciding to use CLI-Copilot, especially since the only solution seems to be "stop using $GITHUB_TOKEN altogether", even though it's supported by the rest of GitHub CLI and it's essentially the one of the two available ways recommended for authentication.

@jtabox : What would you recommend beyond the following in the quickstart doc section of the repo docs?

gh-copilot/README.md

Lines 16 to 19 in ce71f26

	1. Authenticate with GitHub CLI OAuth app
	```shell
	gh auth login --web -h github.com
	```

I can think of 3 possible places:

1. Maybe a sentence in the note above the snippet you linked, e.g.:

Note

To use and install GitHub Copilot in the CLI, you must have an active GitHub Copilot subscription and have GitHub CLI installed.
Also please note that GitHub Copilot in the CLI is currently available only if you use OAuth to authenticate in GitHub CLI and not the GITHUB_TOKEN environment variable.

2. Potentially in the GitHub CLI manual's landing page, in Configuration:

Configuration

Run gh auth login to authenticate with your GitHub account. Alternatively, gh will respect the GITHUB_TOKEN environment variable, but this way of authentication will currently prevent you from using GitHub Copilot in the CLI.

3. And finally maybe somewhere in the Copilot's Troubleshooting page:

Error: "No valid OAuth token detected" even though GitHub CLI is correctly authenticated via the GITHUB_TOKEN environment variable

Currently, using the GITHUB_TOKEN environment variable to authenticate in GitHub CLI will prevent you from using GitHub Copilot in the CLI, as it requires authentication via OAuth. Remove the GITHUB_TOKEN environment variable and use gh auth login to authenticate in GitHub CLI. For more details read here.

At least those were the places I looked in when trying to figure out why I got the error message :D

[andyfeller]

Thanks for taking the time to soundboard suggestions, @jtabox! 🙇 I think suggestions 1 + 3 make the most sense for GitHub Copilot in the CLI being a separate extension from the core GitHub CLI.

I'm going to follow up internally to cue this up as it requires changes to GitHub Docs as well as this repository. 👍

[jtabox]

Happy to contribute :)

Thanks for taking the time to soundboard suggestions, @jtabox! 🙇 I think suggestions 1 + 3 make the most sense for GitHub Copilot in the CLI being a separate extension from the core GitHub CLI.

I'm going to follow up internally to cue this up as it requires changes to GitHub Docs as well as this repository. 👍

[andyfeller]

Happy to contribute :)

Thanks for taking the time to soundboard suggestions, @jtabox! 🙇 I think suggestions 1 + 3 make the most sense for GitHub Copilot in the CLI being a separate extension from the core GitHub CLI.
I'm going to follow up internally to cue this up as it requires changes to GitHub Docs as well as this repository. 👍

Sadly, these are changes on internal repos, but I appreciate your support 🙇

[jtabox]

Happy to contribute :)

Thanks for taking the time to soundboard suggestions, @jtabox! 🙇 I think suggestions 1 + 3 make the most sense for GitHub Copilot in the CLI being a separate extension from the core GitHub CLI.
I'm going to follow up internally to cue this up as it requires changes to GitHub Docs as well as this repository. 👍

Sadly, these are changes on internal repos, but I appreciate your support 🙇

Yepp, I was a bit unclear in my reply I think. With "contribution" I meant my previous comment itself, with the suggestions. So "Happy to contribute" meant "Happy to have helped", not "I can open a PR with my suggestions if you'd like." 😄 But anyway, won't spam this thread any further 😄 For now I've switched to OAuth for gh and Copilot works fine, hopefully at some point it becomes available with GITHUB_TOKEN too.

[andyfeller]

it becomes available with GITHUB_TOKEN too.

@jtabox : Just to be clear, are you saying

1. GITHUB_TOKEN environment variable doesn't work if you provide it with your GitHub CLI OAuth token at all
2. neither classic or fine-grain PATs are supported

I think you're saying the latter as below demonstrates that GITHUB_TOKEN environment variable should work if it is set to your GitHub CLI OAuth app token:

$ GITHUB_TOKEN=$(gh auth token --hostname github.com) gh copilot explain 'echo "hello world"' 

Welcome to GitHub Copilot in the CLI!
version 1.0.5 (2024-09-12)

I'm powered by AI, so surprises and mistakes are possible. Make sure to verify any generated code or suggestions, and share feedback so that we can learn and improve. For more information, see https://gh.io/gh-copilot-transparency

Explanation:                                                                                                                                                                                                                                                                                              
                                                                                                                                                                                                                                                                                                          
  • echo is used to print text to the terminal.                                                                                                                                                                                                                                                           
    • "hello world" is the text that will be printed.                                                                                                                                                                                                                                                     
                                                                                                                                                                                                                                                                                                          ```

[jtabox]

I'm not sure I understood your question correctly, so my reply might be completely irrelevant, in which case I apologize 😅

My GITHUB_TOKEN variable in Windows contains indeed a classic PAT (I think it's the same situation as many people in this thread, incl. the initial post). I've been using it in various programs that want my GitHub account's "API key".

When I first installed gh, seeing that the instructions mention that gh will use GITHUB_TOKEN if available for authentication, I just kept using the existing GITHUB_TOKEN, which indeed worked fine.

C:\gh auth status

github.com
  ✓ Logged in to github.com account jtabox (GITHUB_TOKEN)
  - Token: ghp_************************************

But then when I tried to run Copilot I'd get an error.

C:\gh copilot explain "format C:"

✗ Error: No valid GitHub CLI OAuth token detected
To get started with GitHub Copilot in the CLI, please run: gh auth login --web -h github.com to authenticate via web browser.

I ran the suggested gh auth login --web ... command and the authentication process succeeded (though not sure how it would go if only the terminal was available). But going back to the command prompt and trying to run Copilot still gave the exact same error as above and suggested the same command, which is a loop I tried 2-3 times before I started suspecting it wouldn't work.

There wasn't any information anywhere that as long as I have a PAT as the GITHUB_TOKEN's value (which had worked fine for gh so far), Copilot won't run, and that I needed to change authentication method altogether and either replace the value of GITHUB_TOKEN with an OAuth token, or completely remove it as environment variable.

If I understood correctly, what you're suggesting is the first alternative? I.e. to swap to OAuth and then change GITHUB_TOKEN's value from a ghp_... token to an OAuth gho_... token every time I want to run Copilot? Since it can't be a permanent change, otherwise other programs that use it won't work. It's a solution, at least for Linux systems, since Windows will require a mini script for setting the variable before each run.

[andyfeller]

Thanks for clarifying, @jtabox! 👍 For clarity, I'm definitely not suggesting that people managing OAuth tokens in the environment variables; simply that it isn't a problem with environment variables as a mechanism but the nature of the token.

Good news: with the repository readme updated and GitHub Docs change being processed, I feel this issue can long be closed.

[rosskevin]

@andyfeller - I'm unclear on the solution. I too need the GITHUB_TOKEN present in the environment to access Github repository packages via npm/yarn.

So, I did the following:

unset GITHUB_TOKEN
gh auth login --web -h github.com
gh auth status                                                                                                                                                                                                                                                                                           ✘ 2 
github.com
  ✓ Logged in to github.com account rosskevin (keyring)
  - Active account: true
  - Git operations protocol: https
  - Token: gho_************************************
  - Token scopes: 'gist', 'read:org', 'repo', 'workflow'

but when opening a new terminal, back to the same error:

✗ Error: No valid GitHub CLI OAuth token detected

So I need to unset GITHUB_TOKEN for every new terminal where I want to use authenticated gh? Or is there a better solution?

[diminutivesloop]

Maybe this needs to be new issue, but gh copilot really should support auth via PAT.

[andyfeller]

Maybe this needs to be new issue, but gh copilot really should support auth via PAT.

Yes, a separate issue for that would be ideal.

That said, please trust when I say it's a topic I've been raising internally since initial extension development. There are some broader Copilot ecosystem architecture discussions involved.

[yermulnik]

I've been trying to figure out how to use GH CLI and Copilot extension with PAT. Eventually I stumbled up this issue and the #98 which seems to be «a separate issue for that would be ideal».
@andyfeller Is that issue something you mean or there's a need to create something separate (in this case please briefly outline what info should be put on it)? Thanks.

[andyfeller]

@yermulnik : created #116 to follow up on this 👍

[yermulnik]

@andyfeller Appreciate it 👍🏻

[jmarcon]

@andyfeller - I'm unclear on the solution. I too need the GITHUB_TOKEN present in the environment to access Github repository packages via npm/yarn.

So, I did the following:

unset GITHUB_TOKEN
gh auth login --web -h github.com
gh auth status ✘ 2
github.com
✓ Logged in to github.com account rosskevin (keyring)

• Active account: true
• Git operations protocol: https
• Token: gho_************************************
• Token scopes: 'gist', 'read:org', 'repo', 'workflow'
  but when opening a new terminal, back to the same error:

✗ Error: No valid GitHub CLI OAuth token detected

So I need to unset GITHUB_TOKEN for every new terminal where I want to use authenticated gh? Or is there a better solution?

What I did to solve my problema was:

• unset GITHUB_TOKEN
• authenticated with 'gh auth login --web -h github.com'
• got the token with 'gh auth token -h githbu.com' (the token will start with "gho_")
• set the GH_TOKEN with this value. (I did put this in my startup script - .zshrc/.bashrc and $PROFILE for PowerShell)
• GH_TOKEN has precedence over GITHUB_TOKEN, so both can be set and the gh cli will use the GH_TOKEN.

Now I can use the cli and keep my GITHUB_TOKEN for use in other scenarios.

[jtabox]

What I did to solve my problema was:

• unset GITHUB_TOKEN
• authenticated with 'gh auth login --web -h github.com'
• got the token with 'gh auth token -h githbu.com' (the token will start with "gho_")
• set the GH_TOKEN with this value. (I did put this in my startup script - .zshrc/.bashrc and $PROFILE for PowerShell)
• GH_TOKEN has precedence over GITHUB_TOKEN, so both can be set and the gh cli will use the GH_TOKEN.

Now I can use the cli and keep my GITHUB_TOKEN for use in other scenarios.

This solution with GH_TOKEN must be something new, because it hasn't been mentioned previously. And it's indeed a great solution, thanks for the tip. Used it just now in my Windows machine and it worked fine, so now there's no need to unset GITHUB_TOKEN whenever I need to run copilot any more.