Alternative Authentication Methods for Accessing GitHub in Spring Cloud Config

[anmolsingh-kr]

Select Topic Area

Question

Body

I'm exploring ways to access GitHub repositories in Spring Cloud Config without using personal access tokens. Here is my current configuration:

spring:
cloud:
config:
server:
git:
uri: https://github.com/abc/xyz
clone-on-start: true
search-paths: configs
default-label: main

Could you suggest alternative authentication methods that I can use for GitHub in this setup?

[jgschmitz]

GitHub Apps offer a secure and granular method of repository access.
Instead of using personal tokens or SSH keys, you can use a GitHub App with its own permissions.

Here are the Steps:

Create a GitHub App:

Go to GitHub -> Settings -> Developer settings -> GitHub Apps.
Create a new GitHub App with repository permissions (Read access to repository contents).
After creation, you will get an App ID and can generate private keys.
Install the GitHub App on Your Repository:

Install the newly created GitHub App in the repository you want Spring Cloud Config to access.
Get an Access Token: GitHub Apps authenticate using JSON Web Tokens (JWT). You can create a script or a component in Spring to fetch an access token dynamically:

Generate a JWT from your GitHub App’s private key and App ID.
Exchange the JWT for an access token using GitHub’s REST API.
Use the Access Token in Spring Cloud Config: You can fetch and dynamically inject the access token into Spring Cloud Config’s properties. Here's a simplified outline:

spring:
  cloud:
    config:
      server:
        git:
          uri: https://github.com/abc/xyz.git
          clone-on-start: true
          search-paths: configs
          default-label: main
          username: x-access-token
          password: <your-github-app-access-token>

You can then automate token retrieval using Spring components or custom startup scripts to avoid manual handling of the token. Hope this helps!!

[klopfdreh]

Hey guys,

I provided a PR to the Spring Cloud Config Server: spring-cloud/spring-cloud-config#3189 (feat: github apps support)

If you build your Spring Cloud Config Server your own and add a class GitCredentialsProviderFactory with the exact package and name in your classpath, you can override it and add the feature until the PR is merged. (org.springframework.cloud.config.server.support.GitCredentialsProviderFactory)

[healer0805]

If you want to stop relying on a Personal Access Token, you’ve got a few solid alternatives depending on your environment.

The cleanest and most common option for Spring Cloud Config is:

1. SSH key authentication (recommended)
Instead of using HTTPS, switch your repo URI to SSH:

uri: git@github.com:abc/xyz.git

Then:

• Generate an SSH key on the machine running the Config Server
• Add the public key to GitHub (Deploy Key or machine user)
• Make sure the private key is available to the process (usually via ~/.ssh or configured in Spring)

This avoids tokens entirely and is very stable for server-to-repo communication.

---

2. GitHub App authentication (more secure, enterprise-friendly)
Instead of a PAT, create a GitHub App with repository access.
Your server exchanges a signed JWT for short-lived installation tokens.

Pros:

• Short-lived tokens
• Fine-grained permissions
• Revocable per repo

This is better for production systems where security posture matters.

---

3. Deploy Keys (simple and secure for single repo)
If the Config Server only needs access to one repository:

• Generate an SSH key pair
• Add the public key as a Deploy Key in the repo settings
• Use SSH URI

This is often the simplest production-safe solution.

---

4. OAuth App (rarely used for servers)
Technically possible, but not ideal for backend services. OAuth is better suited for user-driven flows, not infrastructure components like Config Server.

---

What I’d Recommend

If this is an internal service or backend infrastructure:

→ Use SSH + Deploy Key
It’s simple, secure, and avoids token rotation headaches.

If this is enterprise-level and needs tighter access control:

→ Use a GitHub App with installation tokens.

If you tell me where this is running (VM, Kubernetes, Docker, etc.), I can suggest the cleanest way to wire SSH in that environment.

[klopfdreh]

@healer0805 - instead to sum all possibilities just have a look into a PR - it integrates a GitHub App Support in Spring Cloud Config.

But nice general AI answer.

[joeljohnson22]

You can avoid using a Personal Access Token by switching to one of the supported Git authentication mechanisms that Spring Cloud Config supports via JGit.

SSH key authentication (recommended for servers)

Use an SSH deploy key or machine user key instead of HTTPS.

Configuration example:

spring:
cloud:
config:
server:
git:
uri: git@github.com
:abc/xyz.git
clone-on-start: true
search-paths: configs
default-label: main
private-key: |
-----BEGIN OPENSSH PRIVATE KEY-----
...
-----END OPENSSH PRIVATE KEY-----
strict-host-key-checking: false

Best practice:

Create a deploy key in the GitHub repo (Settings → Deploy keys).

Use a read-only key if write access is not required.

Store the private key securely (environment variable, Vault, Kubernetes secret, etc.), not directly in application.yml.

GitHub App authentication (more secure than PAT)

Instead of a personal token, create a GitHub App with repository access.

Flow:

Create a GitHub App.

Install it on the repository.

Generate a JWT using the App’s private key.

Exchange JWT for an installation access token.

Use that token as the password for HTTPS authentication.

You would dynamically inject the installation token into:

spring:
cloud:
config:
server:
git:
uri: https://github.com/abc/xyz

username: x-access-token
password: ${GITHUB_APP_INSTALLATION_TOKEN}

This approach avoids personal credentials and supports rotation.

Machine user account (bot account)

Create a dedicated GitHub user for automation:

Add the user to the repository.

Use its credentials or token (not tied to a personal account).

Configuration:

spring:
cloud:
config:
server:
git:
uri: https://github.com/abc/xyz

username: bot-username
password: ${BOT_TOKEN}

This isolates risk from personal accounts.

OAuth token (organization-based)

If your organization uses OAuth-based GitHub authentication with short-lived tokens, you can inject the OAuth token into the password field similarly to the GitHub App approach.

GitHub Enterprise + internal auth

If using GitHub Enterprise behind corporate SSO, you can integrate with:

SSH via centrally managed keys

Kerberos or LDAP-backed credentials (depending on enterprise configuration)

Recommendation

For production systems, SSH deploy keys or GitHub Apps are preferred over personal access tokens because:

They are scoped to specific repositories

They are not tied to an individual user

They are easier to rotate and audit

If you describe your deployment environment (VM, Docker, Kubernetes, etc.), a more concrete setup example can be provided.

[klopfdreh]

@joeljohnson22 - again AI answer? My PR is not based on personal access token and we can’t use SSH.