Error of Invalid input: wwwauth[]=Basic error="invalid_request", error_description="No bearer token found in the request" when fedpkg push

I tried to use fedpkg push to push to the Fedora src repository, and the following errors occurred. I do not know how to solve this problem.

[ruby@fedora tomlplusplus]$ fedpkg push
Invalid input: wwwauth[]=Basic error="invalid_request", error_description="No bearer token found in the request"

Invalid input: wwwauth[]=Basic error="invalid_request", error_description="No bearer token found in the request"

Username for 'https://src.fedoraproject.org/rpms/tomlplusplus.git': 
Password for 'https://src.fedoraproject.org/rpms/tomlplusplus.git': 
Invalid input: wwwauth[]=Basic error="invalid_request", error_description="No bearer token found in the request"

Invalid input: wwwauth[]=Basic error="invalid_request", error_description="No bearer token found in the request"

fatal: Authentication failed for 'https://src.fedoraproject.org/rpms/tomlplusplus.git/'
Could not execute push: Failed to execute command.

❯ GIT_CURL_VERBOSE=1 GIT_TRACE=1 git push
22:51:03.055125 git.c:462               trace: built-in: git push
22:51:03.055340 run-command.c:661       trace: run_command: GIT_DIR=.git git remote-https origin https://src.fedoraproject.org/rpms/tomlplusplus.git
22:51:03.056336 git.c:748               trace: exec: git-remote-https origin https://src.fedoraproject.org/rpms/tomlplusplus.git
22:51:03.056358 run-command.c:661       trace: run_command: git-remote-https origin https://src.fedoraproject.org/rpms/tomlplusplus.git
22:51:03.060121 http.c:817              == Info: Couldn't find host src.fedoraproject.org in the (nil) file; using defaults
22:51:03.060171 http.c:817              == Info:   Trying 127.0.0.1:7890...
22:51:03.060270 http.c:817              == Info: Connected to 127.0.0.1 (127.0.0.1) port 7890 (#0)
22:51:03.060276 http.c:817              == Info: CONNECT tunnel: HTTP/1.1 negotiated
22:51:03.060281 http.c:817              == Info: allocate connect buffer
22:51:03.060284 http.c:817              == Info: Establish HTTP proxy tunnel to src.fedoraproject.org:443
22:51:03.060322 http.c:764              => Send header, 0000000137 bytes (0x00000089)
22:51:03.060327 http.c:776              => Send header: CONNECT src.fedoraproject.org:443 HTTP/1.1
22:51:03.060330 http.c:776              => Send header: Host: src.fedoraproject.org:443
22:51:03.060332 http.c:776              => Send header: User-Agent: git/2.41.0.rc2
22:51:03.060334 http.c:776              => Send header: Proxy-Connection: Keep-Alive
22:51:03.060335 http.c:776              => Send header:
22:51:03.060454 http.c:764              <= Recv header, 0000000037 bytes (0x00000025)
22:51:03.060471 http.c:776              <= Recv header: HTTP/1.1 200 Connection established
22:51:03.060476 http.c:764              <= Recv header, 0000000002 bytes (0x00000002)
22:51:03.060494 http.c:776              <= Recv header:
22:51:03.060496 http.c:817              == Info: CONNECT phase completed
22:51:03.060499 http.c:817              == Info: CONNECT tunnel established, response 200
22:51:03.061960 http.c:817              == Info: ALPN: offers h2,http/1.1
22:51:03.062144 http.c:817              == Info: TLSv1.3 (OUT), TLS handshake, Client hello (1):
22:51:03.085644 http.c:817              == Info:  CAfile: /etc/pki/tls/certs/ca-bundle.crt
22:51:03.085655 http.c:817              == Info:  CApath: none
22:51:03.801270 http.c:817              == Info: TLSv1.3 (IN), TLS handshake, Server hello (2):
22:51:03.801474 http.c:817              == Info: TLSv1.3 (IN), TLS handshake, Encrypted Extensions (8):
22:51:03.801494 http.c:817              == Info: TLSv1.3 (IN), TLS handshake, Certificate (11):
22:51:03.803419 http.c:817              == Info: TLSv1.3 (IN), TLS handshake, CERT verify (15):
22:51:03.803543 http.c:817              == Info: TLSv1.3 (IN), TLS handshake, Finished (20):
22:51:03.803576 http.c:817              == Info: TLSv1.3 (OUT), TLS change cipher, Change cipher spec (1):
22:51:03.803599 http.c:817              == Info: TLSv1.3 (OUT), TLS handshake, Finished (20):
22:51:03.803681 http.c:817              == Info: SSL connection using TLSv1.3 / TLS_AES_256_GCM_SHA384
22:51:03.803686 http.c:817              == Info: ALPN: server accepted h2
22:51:03.803705 http.c:817              == Info: Server certificate:
22:51:03.803714 http.c:817              == Info:  subject: C=US; ST=North Carolina; L=Raleigh; O=Red Hat, Inc.; CN=*.fedoraproject.org
22:51:03.803719 http.c:817              == Info:  start date: Jan 16 00:00:00 2023 GMT
22:51:03.803722 http.c:817              == Info:  expire date: Jan 16 23:59:59 2024 GMT
22:51:03.803729 http.c:817              == Info:  subjectAltName: host "src.fedoraproject.org" matched cert's "*.fedoraproject.org"
22:51:03.803736 http.c:817              == Info:  issuer: C=US; O=DigiCert Inc; CN=DigiCert Global G3 TLS ECC SHA384 2020 CA1
22:51:03.803740 http.c:817              == Info:  SSL certificate verify ok.
22:51:03.803822 http.c:817              == Info: using HTTP/2
22:51:03.803847 http.c:817              == Info: h2 [:method: GET]
22:51:03.803850 http.c:817              == Info: h2 [:scheme: https]
22:51:03.803852 http.c:817              == Info: h2 [:authority: src.fedoraproject.org]
22:51:03.803854 http.c:817              == Info: h2 [:path: /rpms/tomlplusplus.git/info/refs?service=git-receive-pack]
22:51:03.803856 http.c:817              == Info: h2 [user-agent: git/2.41.0.rc2]
22:51:03.803880 http.c:817              == Info: h2 [accept: */*]
22:51:03.803883 http.c:817              == Info: h2 [accept-encoding: deflate, gzip]
22:51:03.803885 http.c:817              == Info: h2 [accept-language: en-US, *;q=0.9]
22:51:03.803888 http.c:817              == Info: h2 [pragma: no-cache]
22:51:03.803891 http.c:817              == Info: Using Stream ID: 1 (easy handle 0x55652d743c50)
22:51:03.803920 http.c:764              => Send header, 0000000225 bytes (0x000000e1)
22:51:03.803925 http.c:776              => Send header: GET /rpms/tomlplusplus.git/info/refs?service=git-receive-pack HTTP/2
22:51:03.803928 http.c:776              => Send header: Host: src.fedoraproject.org
22:51:03.803930 http.c:776              => Send header: User-Agent: git/2.41.0.rc2
22:51:03.803932 http.c:776              => Send header: Accept: */*
22:51:03.803935 http.c:776              => Send header: Accept-Encoding: deflate, gzip
22:51:03.803937 http.c:776              => Send header: Accept-Language: en-US, *;q=0.9
22:51:03.803939 http.c:776              => Send header: Pragma: no-cache
22:51:03.803942 http.c:776              => Send header:
22:51:04.114069 http.c:817              == Info: TLSv1.3 (IN), TLS handshake, Newsession Ticket (4):
22:51:04.126281 http.c:817              == Info: TLSv1.3 (IN), TLS handshake, Newsession Ticket (4):
22:51:04.126334 http.c:817              == Info: old SSL session ID is stale, removing
22:51:04.126421 http.c:764              <= Recv header, 0000000013 bytes (0x0000000d)
22:51:04.126427 http.c:776              <= Recv header: HTTP/2 401
22:51:04.126430 http.c:764              <= Recv header, 0000000073 bytes (0x00000049)
22:51:04.126432 http.c:776              <= Recv header: strict-transport-security: max-age=31536000; includeSubDomains; preload
22:51:04.126436 http.c:764              <= Recv header, 0000000029 bytes (0x0000001d)
22:51:04.126438 http.c:776              <= Recv header: x-frame-options: SAMEORIGIN
22:51:04.126440 http.c:764              <= Recv header, 0000000033 bytes (0x00000021)
22:51:04.126442 http.c:776              <= Recv header: x-xss-protection: 1; mode=block
22:51:04.126444 http.c:764              <= Recv header, 0000000033 bytes (0x00000021)
22:51:04.126446 http.c:776              <= Recv header: x-content-type-options: nosniff
22:51:04.126448 http.c:764              <= Recv header, 0000000030 bytes (0x0000001e)
22:51:04.126451 http.c:776              <= Recv header: referrer-policy: same-origin
22:51:04.126453 http.c:764              <= Recv header, 0000000037 bytes (0x00000025)
22:51:04.126477 http.c:776              <= Recv header: date: Wed, 31 May 2023 14:51:03 GMT
22:51:04.126480 http.c:764              <= Recv header, 0000000016 bytes (0x00000010)
22:51:04.126483 http.c:776              <= Recv header: server: Apache
22:51:04.126487 http.c:764              <= Recv header, 0000000107 bytes (0x0000006b)
22:51:04.126490 http.c:776              <= Recv header: www-authenticate: Basic error="invalid_request", error_description="No bearer token found in the request"
22:51:04.126494 http.c:764              <= Recv header, 0000000021 bytes (0x00000015)
22:51:04.126497 http.c:776              <= Recv header: content-length: 381
22:51:04.126500 http.c:764              <= Recv header, 0000000045 bytes (0x0000002d)
22:51:04.126502 http.c:776              <= Recv header: content-type: text/html; charset=iso-8859-1
22:51:04.126506 http.c:764              <= Recv header, 0000000017 bytes (0x00000011)
22:51:04.126508 http.c:776              <= Recv header: apptime: D=1807
22:51:04.126512 http.c:764              <= Recv header, 0000000054 bytes (0x00000036)
22:51:04.126515 http.c:776              <= Recv header: x-fedora-proxyserver: proxy01.iad2.fedoraproject.org
22:51:04.126518 http.c:764              <= Recv header, 0000000049 bytes (0x00000031)
22:51:04.126522 http.c:776              <= Recv header: x-fedora-requestid: ZHde13gJ2v3JZFOEGeQTogACwxY
22:51:04.126527 http.c:764              <= Recv header, 0000000002 bytes (0x00000002)
22:51:04.126530 http.c:776              <= Recv header:
22:51:04.126540 http.c:817              == Info: Connection #0 to host 127.0.0.1 left intact
22:51:04.126603 run-command.c:661       trace: run_command: '/usr/bin/fedpkg gitcred get'
Invalid input: wwwauth[]=Basic error="invalid_request", error_description="No bearer token found in the request"

22:51:04.698194 run-command.c:661       trace: run_command: /home/ruby/.vscode-server/bin/b3e4e68a0bc097f0ae7907b217c1119af9e03435/extensions/git/dist/askpass.sh 'Username for '\''https://src.fedoraproject.org/rpms/tomlplusplus.git'\'': '
22:51:05.898701 run-command.c:661       trace: run_command: /home/ruby/.vscode-server/bin/b3e4e68a0bc097f0ae7907b217c1119af9e03435/extensions/git/dist/askpass.sh 'Password for '\''https://src.fedoraproject.org/rpms/tomlplusplus.git'\'': '
22:51:06.352851 http.c:817              == Info: Couldn't find host src.fedoraproject.org in the (nil) file; using defaults
22:51:06.352872 http.c:817              == Info: Found bundle for host: 0x55652d7362d0 [can multiplex]
22:51:06.352893 http.c:817              == Info: Re-using existing connection #0 with proxy 127.0.0.1
22:51:06.352913 http.c:817              == Info: h2 [:method: GET]
22:51:06.352916 http.c:817              == Info: h2 [:scheme: https]
22:51:06.352918 http.c:817              == Info: h2 [:authority: src.fedoraproject.org]
22:51:06.352920 http.c:817              == Info: h2 [:path: /rpms/tomlplusplus.git/info/refs?service=git-receive-pack]
22:51:06.352922 http.c:817              == Info: h2 [user-agent: git/2.41.0.rc2]
22:51:06.352924 http.c:817              == Info: h2 [accept: */*]
22:51:06.352926 http.c:817              == Info: h2 [accept-encoding: deflate, gzip]
22:51:06.352928 http.c:817              == Info: h2 [accept-language: en-US, *;q=0.9]
22:51:06.352930 http.c:817              == Info: h2 [pragma: no-cache]
22:51:06.352937 http.c:817              == Info: Using Stream ID: 3 (easy handle 0x55652d743c50)
22:51:06.353003 http.c:764              => Send header, 0000000225 bytes (0x000000e1)
22:51:06.353010 http.c:776              => Send header: GET /rpms/tomlplusplus.git/info/refs?service=git-receive-pack HTTP/2
22:51:06.353012 http.c:776              => Send header: Host: src.fedoraproject.org
22:51:06.353014 http.c:776              => Send header: User-Agent: git/2.41.0.rc2
22:51:06.353016 http.c:776              => Send header: Accept: */*
22:51:06.353017 http.c:776              => Send header: Accept-Encoding: deflate, gzip
22:51:06.353019 http.c:776              => Send header: Accept-Language: en-US, *;q=0.9
22:51:06.353021 http.c:776              => Send header: Pragma: no-cache
22:51:06.353023 http.c:776              => Send header:
22:51:06.664112 http.c:764              <= Recv header, 0000000013 bytes (0x0000000d)
22:51:06.664125 http.c:776              <= Recv header: HTTP/2 401
22:51:06.664128 http.c:764              <= Recv header, 0000000073 bytes (0x00000049)
22:51:06.664131 http.c:776              <= Recv header: strict-transport-security: max-age=31536000; includeSubDomains; preload
22:51:06.664134 http.c:764              <= Recv header, 0000000029 bytes (0x0000001d)
22:51:06.664136 http.c:776              <= Recv header: x-frame-options: SAMEORIGIN
22:51:06.664152 http.c:764              <= Recv header, 0000000033 bytes (0x00000021)
22:51:06.664154 http.c:776              <= Recv header: x-xss-protection: 1; mode=block
22:51:06.664157 http.c:764              <= Recv header, 0000000033 bytes (0x00000021)
22:51:06.664158 http.c:776              <= Recv header: x-content-type-options: nosniff
22:51:06.664161 http.c:764              <= Recv header, 0000000030 bytes (0x0000001e)
22:51:06.664164 http.c:776              <= Recv header: referrer-policy: same-origin
22:51:06.664167 http.c:764              <= Recv header, 0000000037 bytes (0x00000025)
22:51:06.664170 http.c:776              <= Recv header: date: Wed, 31 May 2023 14:51:06 GMT
22:51:06.664173 http.c:764              <= Recv header, 0000000016 bytes (0x00000010)
22:51:06.664175 http.c:776              <= Recv header: server: Apache
22:51:06.664178 http.c:764              <= Recv header, 0000000107 bytes (0x0000006b)
22:51:06.664181 http.c:776              <= Recv header: www-authenticate: Basic error="invalid_request", error_description="No bearer token found in the request"
22:51:06.664193 http.c:764              <= Recv header, 0000000021 bytes (0x00000015)
22:51:06.664196 http.c:776              <= Recv header: content-length: 381
22:51:06.664199 http.c:764              <= Recv header, 0000000045 bytes (0x0000002d)
22:51:06.664224 http.c:776              <= Recv header: content-type: text/html; charset=iso-8859-1
22:51:06.664227 http.c:764              <= Recv header, 0000000017 bytes (0x00000011)
22:51:06.664229 http.c:776              <= Recv header: apptime: D=1187
22:51:06.664232 http.c:764              <= Recv header, 0000000054 bytes (0x00000036)
22:51:06.664235 http.c:776              <= Recv header: x-fedora-proxyserver: proxy01.iad2.fedoraproject.org
22:51:06.664237 http.c:764              <= Recv header, 0000000049 bytes (0x00000031)
22:51:06.664240 http.c:776              <= Recv header: x-fedora-requestid: ZHde2ngJ2v3JZFOEGeQT3wACwhY
22:51:06.664243 http.c:764              <= Recv header, 0000000002 bytes (0x00000002)
22:51:06.664245 http.c:776              <= Recv header:
22:51:06.664266 http.c:817              == Info: Connection #0 to host 127.0.0.1 left intact
22:51:06.664286 run-command.c:661       trace: run_command: '/usr/bin/fedpkg gitcred erase'
Invalid input: wwwauth[]=Basic error="invalid_request", error_description="No bearer token found in the request"

fatal: Authentication failed for 'https://src.fedoraproject.org/rpms/tomlplusplus.git/'

❯ klist -A
Ticket cache: KCM:1000
Default principal: topazus@FEDORAPROJECT.ORG

Valid starting       Expires              Service principal
05/31/2023 21:58:49  06/01/2023 21:58:45  krbtgt/FEDORAPROJECT.ORG@FEDORAPROJECT.ORG
        renew until 06/07/2023 21:58:45
05/31/2023 22:08:28  06/01/2023 21:58:45  HTTP/koji.fedoraproject.org@
        renew until 06/07/2023 21:58:45
        Ticket server: HTTP/koji.fedoraproject.org@FEDORAPROJECT.ORG

Please provide information related to what solved the problem. Other users may find this thread and posting the details of the solution is helpful to others.

I had exactly the same issue while trying to follow the instructions at:

It looks like git propagates the WWW-Authenticate response header from https://src.fedoraproject.org/forks/<USERNAME>/rpms/<PACKAGE>.git/info/refs?service=git-receive-pack to the stdin of the /usr/bin/fedpkg gitcred get credential helper. Somehow this doesn’t work, as this URL returns:

Www-Authenticate: Basic error="invalid_request", error_description="No bearer token found in the request"

As response header, causing that invalid input error.

I could find a workaround by filtering the stdin with a custom wrapper, see:

After that, I used this command:

git -c credential.helper="/home/kleisauke/wrapper.py /usr/bin/fedpkg gitcred" -c credential.useHttpPath=true push

To push the changes to my fork.

The error seemed to be caused by fedpkg co -a <package-name>, which shows it goes through http. When I try fedpkg co <package-name>, which goes through ssh, the error goes away and it works fine for me. I did not encounter the error later on.

According to Infrastructure/HTTPS-commits - Fedora Project Wiki you can only use ssh when you’re in the ‘packager’ group, so that wouldn’t be an option for me right now.

FWIW, here’s a standalone reproducer:

/usr/bin/fedpkg gitcred get <<'EOF'
protocol=https
host=src.fedoraproject.org
path=forks/kleisauke/rpms/vips.git
wwwauth[]=Basic error="invalid_request", error_description="No bearer token found in the request"
EOF

While investigating this further, this seems to be caused by Git v2.41, specifically commit git.git - The core git plumbing.

Git v2.41 Release Notes
=======================

UI, Workflows & Features

 * Allow information carried on the WWW-Authenticate header to be
   passed to the credential helpers.

https://lore.kernel.org/git/xmqqleh3a3wm.fsf@gitster.g/

Downgrading git to 2.40.0 via dnf downgrade git resolves this as well.

A proper fix would be to ignore the wwwauth[] key somewhere here:
https://pagure.io/rpkg/blob/ad67fa9069befef3e4ba5180eea6bf56b658e664/f/pyrpkg/cli.py#_829

I just opened Issue #694: Anonymous push doesn't work with git 2.41 - rpkg - Pagure.io for this.

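A wrapper of the kind described in the posts above, written here as an added example (it is not the wrapper linked in the thread and not rpkg's own fix): it drops the `wwwauth[]` attributes that Git 2.41 started passing to credential helpers and forwards everything else to the real helper unchanged. The name `DROPPED_KEYS` and the usage message are assumptions; `SAMPLE` is the reproducer input from the thread.

```python
#!/usr/bin/env python3
"""Strip attributes an older credential helper cannot parse, then run it."""
import subprocess
import sys

# Attributes to withhold from the wrapped helper (assumption: only the key
# named in this thread needs filtering).
DROPPED_KEYS = frozenset({"wwwauth[]"})

# Input taken from the reproducer posted in the thread.
SAMPLE = (
    "protocol=https\n"
    "host=src.fedoraproject.org\n"
    "path=forks/kleisauke/rpms/vips.git\n"
    'wwwauth[]=Basic error="invalid_request", '
    'error_description="No bearer token found in the request"\n'
)


def filter_credential_input(text, dropped=DROPPED_KEYS):
    """Return the key=value lines of `text` without the dropped keys."""
    kept = []
    for line in text.splitlines():
        if line == "":
            break  # a blank line ends the attribute list
        # Split on the first '=' only: values may themselves contain '='.
        key, sep, _value = line.partition("=")
        if sep and key in dropped:
            continue
        kept.append(line)
    return "".join(item + "\n" for item in kept)


def main(argv):
    # git appends the operation (get/store/erase) after the configured
    # helper command, so argv[1:] is the real helper plus that operation.
    if len(argv) < 2:
        print("usage: wrapper.py HELPER [ARGS...] OPERATION", file=sys.stderr)
        return 2
    filtered = filter_credential_input(sys.stdin.read())
    # The helper's stdout may carry a password; it is inherited from this
    # process and goes straight back to git without being captured or logged.
    proc = subprocess.run(argv[1:], input=filtered, text=True)
    return proc.returncode


if __name__ == "__main__":
    sys.exit(main(sys.argv))
```
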

I just wasted an hour trying to push a small change to my own fork. If @kleisauke hadn’t done the troubleshooting and found the root cause (THANKS), I would probably still be pulling my hair out.

Are the people outside of ‘packager’ group second-class citizens?
I mean, the issue was opened more than a month ago, the issue was apparently fixed in rpkg two weeks ago, but there was no new release :person_shrugging:

I only did a couple of small changes in Fedora’s dist-git, but every time it was so painful and time-consuming. I cannot imagine this experience not being discouraging to new contributors.

Sorry for the rant :heart:
Martin

Did you try asking? Maybe upstream does not know there is demand from non-members of packager group.

I just copied the fix locally because it’s no big deal.

FYI
the update for this is now in testing
https://bodhi.fedoraproject.org/updates/?packages=rpkg

I had the same issue as well.
Thanks for looking into this :slight_smile:
