Summary

A DVCS GitHub Enterprise repository synchronization might fail with the error "Invalid credentials, please reset OAuth settings" for a number of reasons.

Diagnosis

In the atlassian-jira.log we can observe the error Bad credentials (401), as in the example:

2020-09-09 18:54:55,761 http-nio-x.x.x.x-8081-exec-80 url:/rest/bitbucket...epository/12/sync INFO anonymous 1134x10999251x11 kjlbkc x.x.x.x,x.x.x.x /rest/bitbucket/1.0/repository/12/sync [c.a.j.p.d.r.external.v1.RepositoryResource] Postcommit hook started synchronization for repository [12].
2020-09-09 18:54:55,848 http-nio-x.x.x.x-8081-exec-80 url:/rest/bitbucket...epository/12/sync INFO anonymous 1134x10999251x11 kjlbkc x.x.x.x,x.x.x.x /rest/bitbucket/1.0/repository/12/sync [c.a.j.p.d.spi.github.GithubCommunicator] Can not obtain branches list from repository [ MyREPO ] org.eclipse.egit.github.core.client.RequestException: Bad credentials (401)
 at org.eclipse.egit.github.core.client.GitHubClient.createException(GitHubClient.java:552)
 at org.eclipse.egit.github.core.client.GitHubClient.get(GitHubClient.java:740)
 at org.eclipse.egit.github.core.client.PageIterator.next(PageIterator.java:173)
 at org.eclipse.egit.github.core.service.GitHubService.getAll(GitHubService.java:151)
 at org.eclipse.egit.github.core.service.GitHubService.getAll(GitHubService.java:135)
 at org.eclipse.egit.github.core.service.RepositoryService.getBranches(RepositoryService.java:785)
 at com.atlassian.jira.plugins.dvcs.spi.github.GithubCommunicator.getBranches(GithubCommunicator.java:515)
 at com.atlassian.jira.plugins.dvcs.spi.github.GithubCommunicator.startSynchronisation(GithubCommunicator.java:604)
 at com.atlassian.jira.plugins.dvcs.service.remote.CachingCommunicator.startSynchronisation(CachingCommunicator.java:98)
 at com.atlassian.jira.plugins.dvcs.sync.impl.DefaultSynchronizer.doSync(DefaultSynchronizer.java:173)
 at com.atlassian.jira.plugins.dvcs.service.RepositorySyncServiceImpl.doSync(RepositorySyncServiceImpl.java:440)

Cause

Root cause 1: Lack of permissions

If the account used doesn't have access to a repository, we'll face an invalid credentials error. Grant access to the GitHub account should fix the problem

Root cause 2: OAuth token revoked

You will face this error if, for any reason, the token is revoked. Please reset the OAuth Settings in order to regenerate access token:

1. Click on the ellipsis (...) icon and select the Reset OAuth Settings option
   
   
2. Click on Edit
3. Enter the Key and Secret and click on Regenerate Access Token
   
   

Root cause 3: More than 10 organizations

If you have more than 10 organizations for the same account in GitHub Enterprise, you might experience the following symptoms:

• "Invalid credentials" errors
• Reset the OAuth settings
• The sync runs successfully but after some hours, the error happens again
• There is a limit of ten tokens that are issued per user/application/scope combination, and a rate limit of ten tokens created per hour. If an application creates more than ten tokens for the same user and the same scopes, the oldest tokens with the same user/application/scope combination are revoked.

In this case, you must set up the OAuth App via the Organization and not via the Service Account. To do this, the Service Account needs to have Owner access to the Organization being linked.

References:

• https://docs.github.com/en/free-pro-team@latest/github/setting-up-and-managing-organizations-and-teams/permission-levels-for-an-organization
• https://docs.github.com/en/free-pro-team@latest/developers/apps/troubleshooting-oauth-app-access-token-request-errors
• https://docs.github.com/en/enterprise-server@3.12/apps/oauth-apps/using-oauth-apps/authorizing-oauth-apps

Root cause 4: Usage of GitHub app to establish connection instead of OAuth App

As per the current application design, we expect that connection will be established with the help of the OAuth app rather than the GitHub app (Differences between GitHub Apps and OAuth apps). Although using the GitHub app gives a lot more granularity in the permission levels on GitHub compared to the OAuth app, making it a better candidate for large instances. However, at the current moment, the Jira DVCS plugin doesn't fully support the usage of the GitHub app for the integration.

Technically, you can establish a connection between Jira and GitHub using such a configuration. However, we would not be able to automatically refresh OAuth tokens, and intergrading will start to fail after 8 hours (this explains why it might initially work in your case but start to fail after some time). Please refer to the below feature request for extra details:

• JSWSERVER-21676 - Introduce auth token refresh for github user tokens (ghu_) for DVCS integration Gathering Interest

We have a feature request to add full support of GitHub app into a product:

• JSWSERVER-20814 - Support of Github Apps in DVCS instead of user based OAuth Gathering Interest

In the meantime, please make sure that the connection is established using the OAuth app, following the steps in the "Linking GitHub accounts" user guide.