Verifying GitHub OAuth 2.0 tokens in Jira
Platform notice: Server and Data Center only. This article only applies to Atlassian products on the Server and Data Center platforms.
Support for Server* products ended on February 15th 2024. If you are running a Server product, you can visit the Atlassian Server end of support announcement to review your migration options.
*Except Fisheye and Crucible
Summary
If you have not set up or updated your DVCS connection from Jira to GitHub since , then there's a chance that the tokens used by Jira to access the repository are in an outdated format.
Although these tokens still work, GitHub is deprecating them, and GitHub will notify you by email that you should replace the token in use with one in the modern format.
The new token format has a "gho_" prefix for OAuth-based connections. Additional information about this change is available here.
Environment
Any Jira environment that had DVCS links to Github created prior to
Diagnosis
The Jira Administrator or Repository Owner will receive an email from GitHub indicating that the repository has been accessed with an outdated token.
We noticed that an application, <Application>, owned by an organization you are an admin of, <Organization>, used a token with an outdated format to access the GitHub API on <Date>.

In order to provide additional security benefits to all our customers, we recently updated the format of our API authentication tokens. We encourage you to reset any authentication tokens used by this app, as well as tokens used by any other apps you may have, with our reset token API (https://docs.github.com/en/rest/reference/apps#reset-a-token).

Alternatively, you can prompt your users to step through the authorization flow again, as outlined in the docs for either GitHub App (https://docs.github.com/en/developers/apps/identifying-and-authorizing-users-for-github-apps) and OAuth Apps (https://docs.github.com/en/developers/apps/authorizing-oauth-apps).

To understand more about this change and why it's important, visit: https://github.blog/2021-04-05-behind-githubs-new-authentication-token-formats

Thanks,
The GitHub Team
Your DBA can confirm the token in use with the following query:
SELECT "NAME", "ID", "DVCS_TYPE", "HOST_URL", "LAST_POLLED",
       "OAUTH_KEY", "OAUTH_SECRET", "ACCESS_TOKEN", "STATUS", "TOKEN_ID"
FROM "AO_E8B6CC_ORGANIZATION_MAPPING";
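The query above returns OAUTH_SECRET and ACCESS_TOKEN in clear text, so its output should be handled as a credential. The following added example (not part of the original article) reports only whether each stored token carries the "gho_" prefix, using the same table and columns; the TOKEN_FORMAT alias and its labels are illustrative, and the quoting assumes a database that accepts double-quoted identifiers as the query above does.

```sql
-- Added example: classify each DVCS account's token by format without
-- returning the token value or the OAuth secret.
SELECT
    "ID",
    "NAME",
    "DVCS_TYPE",   -- shown so rows for other DVCS types, if any, can be ignored
    "HOST_URL",
    "LAST_POLLED",
    CASE
        WHEN "ACCESS_TOKEN" IS NULL OR "ACCESS_TOKEN" = ''
            THEN 'no token stored'
        -- "_" is a single-character wildcard in LIKE, so it is escaped
        -- here to match the literal prefix gho_
        WHEN "ACCESS_TOKEN" LIKE 'gho!_%' ESCAPE '!'
            THEN 'current format (gho_ prefix)'
        ELSE 'outdated format: regenerate'
    END AS "TOKEN_FORMAT"
FROM "AO_E8B6CC_ORGANIZATION_MAPPING"
-- List accounts that still need attention first
ORDER BY
    CASE WHEN "ACCESS_TOKEN" LIKE 'gho!_%' ESCAPE '!' THEN 1 ELSE 0 END,
    "NAME";
```

Running it again after the token has been regenerated confirms that the account no longer appears as outdated.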
Cause
Tokens generated prior to could be using the outdated format. These are tokens that do not contain the correct prefix in the token value.
Solution
Regenerate the OAuth token used by Jira, for each repository.
- In Jira:
  - Log in to Jira as an Administrator
  - Click on Settings → Applications → DVCS Accounts
  - Click to Edit your GitHub DVCS account
  - Click "Reset OAuth Settings"
  - Copy the current Key
- In GitHub:
  - Log in to GitHub as the user who configured the DVCS GitHub account
  - Click on Settings → Developer Settings → OAuth Apps
  - Find the corresponding Key from the OAuth App
  - Generate a new Secret for that Key
- Back in Jira → DVCS Accounts:
  - Click Edit
  - Type in the Key and Secret from GitHub
  - Click on "Regenerate Access Token"
As the OAuth key has now been regenerated, Jira will perform a full sync against the repository. You can confirm that this is occurring by reviewing the application-jira.log file for lines such as:
INFO <admin> /secure/admin/RegenerateGithubOauthToken!finish.jspa [c.a.j.p.dvcs.service.RepositorySyncServiceImpl] Fetching all remote repositories for organization [<organization name>] took 0s
INFO <admin> /secure/admin/RegenerateGithubOauthToken!finish.jspa [c.a.j.p.d.sync.impl.DefaultSynchronizer] Finished processing sync queue for 'application_log_parser' and took 0s
INFO <admin> /secure/admin/RegenerateGithubOauthToken!finish.jspa [c.a.j.p.d.sync.impl.DefaultSynchronizer] Finished processing sync queue for '<repository name>' and took 0s
INFO <admin> /secure/admin/RegenerateGithubOauthToken!finish.jspa [c.a.j.p.dvcs.service.RepositorySyncServiceImpl] Syncing repositories for organization [<organization name>] took 1s