Logging with organization token is successful and leads to side effects

[merveenoyan]

It was reported that users get KeyError when push_to_hub_keras() is used to push for organization.

Example:

from huggingface_hub import push_to_hub_keras
push_to_hub_keras(model=vqvae_trainer, repo_url='https://huggingface.co/keras-io/vq_vae', organization='keras-io')

When organization token is explicitly written, the problem goes away.
Example:

push_to_hub_keras(model=forest_model, .....
                  repo_path_or_name='.', repo_url = "https://huggingface.co/keras-io/deep-neural-decision-forests", 
                  use_auth_token=keras_io_hub_token)

Is this intended behavior? @nateraw
Also cc: @osanseviero

[osanseviero]

Is the issue reproducible?

[merveenoyan]

@osanseviero yes, I was able to raise it.
Login with keras-io organization token with HF CLI, then do

from huggingface_hub import push_to_hub_keras
push_to_hub_keras(model=autoencoder, repo_url="https://huggingface.co/keras-io/conv-autoencoder", organization = "keras-io")

Weird enough, it doesn't happen at all when I login with my own token.

So either: login with keras-io token and define this explicitly in the pushing function, (which is cumbersome anyway)
or: login with personal account and don't define use_auth_token at all.

[osanseviero]

@SBrandeis are people expected to be able to do login using an organization token? That sounds off no?

[SBrandeis]

Hi, you need to provide a user access token (https://hf.co/settings/token) to be able to push to an organization

We should refrain from logging in with organization tokens and push users towards using their personal user access tokens when authentication is required 🙂

[merveenoyan]

Maybe we could put a note in Hub since I didn't know that I wasn't supposed to do it @SBrandeis @osanseviero

[osanseviero]

My question is why do we support login with organization tokens at all? What's the use case?

[osanseviero]

cc @julien-c as well

[merveenoyan]

@osanseviero +1, maybe we could explain that as well

[SBrandeis]

My question is why do we support login with organization tokens at all? What's the use case?

Using an organization API token will work on most API routes that require only read access to repos, as well as with /resolve and /raw endpoints

---

This behavior holds mainly for backward compatibility and will probably be removed at some point in the future. We should not rely on it.

As stated before, the preferred way to authenticate programmatically with the hub are user access tokens

[osanseviero]

Thanks for the context! In my opinion logging in with organization token should not be supported at all (cc @LysandreJik @muellerzr) since it looks like it's a successful login but can lead to a bunch of side effects. I would feel more comfortable if we error out in login when using organization token in huggingface_hub.

[Pierrci]

Yes, the org API token isn't really thought to be used in the case of hfhub, its main use is rather the inference API (hence its name, different from the users' "access tokens"). Preventing from logging in with it makes sense to me (simple to detect since all org tokens start w/ api_org_)

[julien-c]

agreed on the proposed fix

[osanseviero]

@merveenoyan or @muellerzr would any of you like to take this one?

[merveenoyan]

I'll try 🤗

[merveenoyan]

Other than passing token as an argument, I tested for huggingface-cli. I wonder if we should put a warning along the lines of "If you're logging in to push models, make sure you are using your personal token" when users are logging in with organization token. When pushing I get following which is a bit confusing IMO.

HTTPError: 401 Client Error: Unauthorized for url: https://huggingface.co/api/repos/create - Unauthorized

[osanseviero]

Org/API tokens always begin with api_org_ as @Pierrci mentioned above, so we can easily detect them. The proposed solution is just to avoid allowing login with an org token, so this can simply be fixed by raising a value error if the api_org_ is at the beginning of the token in the login functions (such as https://github.com/huggingface/huggingface_hub/blob/main/src/huggingface_hub/hf_api.py#L446).

[merveenoyan]

@osanseviero I understood it and fixed for hub mixin and keras mixin, I'm trying to see where else this would fail atm so I'm testing pushing and pulling and if they fail. 👀 I'll write my findings here.

[osanseviero]

This confused me

Other than passing token as an argument, I tested for huggingface-cli. I wonder if we should put a warning along the lines of "If you're logging in to push models, make sure you are using your personal token" when users are logging in with organization token.

We can simply raise an error here, no need to provide a warning.

I don't think you need to change the mixins code itself, though. By changing login you would be fixing this issue no?

[merveenoyan]

We merged the PR that solves the issue, I'm closing it.