GitHub OAuth Busy Developer's Guide

This is a quick guide to OAuth2 support in GitHub for developers. This is still experimental and could change at any moment. This Gist will serve as a living document until it becomes finalized at Develop.GitHub.com.

OAuth2 is a protocol that lets external apps request authorization to private details in your GitHub account without getting your password. All developers need to register their application before getting started.

Web Application Flow

  • Redirect to this link to request GitHub access:
https://github.com/login/oauth/authorize?
  client_id=...&
  redirect_uri=http://www.example.com/oauth_redirect
  • If the user accepts your request, GitHub redirects back to your site with a temporary code in a code parameter. Exchange this for an access token:
POST https://github.com/login/oauth/access_token?
  client_id=...&
  redirect_uri=http://www.example.com/oauth_redirect&
  client_secret=...&
  code=...

RESPONSE:
access_token=...
  • You have the access token, so now you can make requests on the user's behalf:
GET https://github.com/api/v2/json/user/show?
  access_token=...

Javascript Flow

Disabled, for now...

Desktop flow

Disabled, for now...

Scopes

  • (no scope) - public read-only access (includes user profile info, public repo info, and gists).
  • user - DB read/write access to profile info only.
  • public_repo - DB read/write access, and Git read access to public repos.
  • repo - DB read/write access, and Git read access to public and private repos.
  • gist - write access to gists.

Your application can request the scopes in the initial redirection:

https://github.com/login/oauth/authorize?
  client_id=...&
  scope=user,public_repo&
  redirect_uri=http://www.example.com/oauth_redirect

technoweenie commented May 30, 2010

If you have questions about the document itself (typos, more references, suggestions, etc), post them here. If you want to discuss GitHub OAuth in general, see the API forum.

atmos commented Jun 1, 2010

fictorial commented Jun 2, 2010

Do the access tokens expire? I don't see a refresh token returned.

How should I "check back in" with Github to ensure that the access token is still valid? Will the API calls fail in a clearly defined way when the access token is invalid?

technoweenie commented Jun 2, 2010

Tokens don't have to expire. From what I read about Facebook's implementation, they only send back the access token and an expiration if the offline_access scope is not requested. Right now, GitHub just assumes all apps want offline access.

atmos commented Jun 2, 2010

Are port numbers significant? I registered localhost:9393 and localhost:9292 works too.

fictorial commented Jun 2, 2010

@technoweenie: ok, thanks.

technoweenie commented Jun 2, 2010

Ah, I don't think I do much validation of the callback_uri. I should definitely do that. I wasn't exactly sure how the specs wanted to handle that though.

fictorial commented Jun 2, 2010

What's wrong with using a port number? I'm using that in one of my tests. I put 127.0.0.1 myapp.local in my /etc/hosts and registered an app here for http://myapp.local:8080/auth/github-callback.

atmos commented Jun 2, 2010

I'm using a port number as well, the problem is that there's no port validation happening on the github side. I'm not familiar enough with oauth to know whether or not it should validate that the port number is correct which is why I asked.

Try running your app on 8181 and you'll see that your keys work there too.

technoweenie commented Jun 2, 2010

I'll probably add uri validation. So if you have http://myapp.com:81/foo...

However, I don't think the specs are super clear on what to do in that case.

technoweenie commented Jun 3, 2010

I just added redirect uri validation, as well as support for the desktop flow.
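
Added example, not part of the thread and not GitHub's implementation: the port question raised above (an app registered for localhost:9393 also working on localhost:9292) comes down to how strictly the authorization server compares redirect_uri with the registered callback. The matching policy used here (exact scheme, host and port; path equal to or below the registered path), the function names and the sample requests are assumptions.

```javascript
// Added example: strict redirect_uri check for an OAuth2 authorization endpoint.
// Policy assumed here: scheme, host and port must equal the registered callback;
// the path must be the registered path or lie below it.

const DEFAULT_PORTS = { 'http:': '80', 'https:': '443' };

// URL.port is '' when the URL uses its scheme's default port, so normalise it.
function effectivePort(url) {
  return url.port || DEFAULT_PORTS[url.protocol];
}

// Compare whole path segments so "/cb-evil" does not pass as a child of "/cb".
function isSameOrSubPath(registeredPath, requestedPath) {
  const base = registeredPath.endsWith('/') ? registeredPath : registeredPath + '/';
  const candidate = requestedPath.endsWith('/') ? requestedPath : requestedPath + '/';
  return candidate.startsWith(base);
}

function validateRedirectUri(registered, requested) {
  let reg;
  let req;
  try {
    reg = new URL(registered);
    req = new URL(requested); // parsing also resolves "." and ".." path segments
  } catch (err) {
    return { allowed: false, reason: 'unparseable URL' };
  }
  if (!(req.protocol in DEFAULT_PORTS)) return { allowed: false, reason: 'scheme not allowed' };
  if (req.username || req.password) return { allowed: false, reason: 'userinfo not allowed' };
  if (req.hash) return { allowed: false, reason: 'fragment not allowed' };
  if (req.protocol !== reg.protocol) return { allowed: false, reason: 'scheme mismatch' };
  if (req.hostname !== reg.hostname) return { allowed: false, reason: 'host mismatch' };
  if (effectivePort(req) !== effectivePort(reg)) return { allowed: false, reason: 'port mismatch' };
  if (!isSameOrSubPath(reg.pathname, req.pathname)) {
    return { allowed: false, reason: 'path outside registered callback' };
  }
  return { allowed: true, reason: 'ok' };
}

// Constructed sample data: the callback registered in the thread and a set of
// redirect_uri values an authorization request might carry.
const REGISTERED_CALLBACK = 'http://myapp.local:8080/auth/github-callback';
const SAMPLE_REQUESTS = [
  'http://myapp.local:8080/auth/github-callback',
  'http://myapp.local:8080/auth/github-callback/done?next=1',
  'http://myapp.local:8181/auth/github-callback',
  'http://myapp.local:8080/auth/github-callback-evil',
  'http://myapp.local:8080/auth/github-callback/../../evil',
  'http://myapp.local:8080@evil.example/auth/github-callback',
];

for (const candidate of SAMPLE_REQUESTS) {
  const verdict = validateRedirectUri(REGISTERED_CALLBACK, candidate);
  console.log(`${verdict.allowed ? 'ALLOW' : 'DENY '} ${candidate} (${verdict.reason})`);
}
```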

catsby commented Jun 4, 2010

Where does the client secret come into play with the desktop workflow?

technoweenie commented Jun 5, 2010

You're right, this looks like a flaw in the specs. I'll read over them again and see if I missed something. I really don't like how they skip the temporary code process. There's no reason why JS or desktop apps couldn't make a second request to get the access token like the web server flow.

atmos commented Jun 7, 2010

Can we get deploy key access enabled for the oauth side of things too? It works with the login/token combo but not with the access_token.

technoweenie commented Jun 7, 2010

It'll probably be after RailsConf. I'm still in the process of auditing those API actions and sprinkling in OAuth support.

technoweenie commented Jun 12, 2010

The user_agent flow (used for js/desktop logins) is disabled for now. I need to figure out how to implement it properly according to spec.

technoweenie commented Jun 15, 2010

Clarified the user/repo/public_repo scopes. The repo and public_repo scopes are implemented for issue api calls, and repo deploy keys.

davidrecordon commented Jun 23, 2010

First of all, this is awesome! My use case is actually one which doesn't involve separating the user from the application, but just interacting with my own account via the API. Ideally I could use the OAuth client credentials flow to trade my API token for an access token?

atmos commented Jun 23, 2010

The normal access token should work just fine for your needs. Perhaps they're going to remove the token based auth in the future but it's probably better to familiarize yourself w/ the API and learn the OAuth side when you're building things for more than just yourself.

technoweenie commented Jun 23, 2010

I'd like to keep access token support around for personal use. There are some things we likely won't ever allow through OAuth, such as managing public keys and passwords. So right now, we don't plan to ever deprecate access tokens :)

davidrecordon commented Jun 23, 2010

If I'm understanding you correctly, this means that I can take my existing API token and use it as an OAuth 2.0 access token? If so, exactly what I was looking for.

technoweenie commented Jun 23, 2010

No, the API accepts your token without OAuth. See the Authentication section in http://develop.github.com/p/general.html

Think of OAuth as a way for an app to generate a new token for you that only works on that app.

sreeix commented Jun 25, 2010

Any update on the deploy key access to repository?
I tried to add deploy keys using oauth and get a 401

atmos commented Jun 25, 2010

I'm pretty sure you need to invalidate your current token and fetch a new one w/ the repo scope defined.

atmos commented Jul 25, 2010

I'm still seeing issues with fetching a user's public keys and adding deploy keys.

technoweenie commented Jul 28, 2010

Fixed a caching bug related to the tokens :) It wasn't storing the scopes right in memcache. As soon as CI comes back green, I'll deploy and clear existing oauth caches.

atmos commented Jul 29, 2010

Should /repos/pushable be returning unauthorized if you specified the repos scope?

jeroenhouben commented Aug 17, 2010

What's the status of this?

https://github.com/login/oauth/authorize just gives me a 404

technoweenie commented Aug 17, 2010

It works fine, but still has a lot of rough edges. You need to pass a client_id and redirect_uri to that URL.

jeroenhouben commented Aug 17, 2010

strange, I did that using the Oauth2 gem but it doesn't work, it seems to generate the wrong URL.

Manually entering the URL works, so must be something on my end.

Thanks!!

jeroenhouben commented Aug 17, 2010

OK I needed to add some extra params otherwise OAuth2 generates some standard URLs. This works for me

  opts = {
    :authorize_url    => 'https://github.com/login/oauth/authorize',
    :access_token_url => 'https://github.com/login/oauth/access_token',
    :site             => 'https://github.com'    
  }    
  @client ||= OAuth2::Client.new(GITHUB_CLIENT_ID, GITHUB_SECRET, opts)

melo commented Oct 16, 2010

As a user, will I be able to give read-only access to my stuff?

That's one of the things that I don't like with Twitter for example: a lot of apps would only need RO, but Twitter gives out RW tokens.

foca commented Nov 23, 2010

Does the API support creating post-receive hooks from there? I can't find documentation, but maybeeeee… :)

atmos commented Nov 23, 2010

@foca - i'm planning on adding that soon if i make the time for it.

fjakobs commented Nov 29, 2010

I'm trying to upload a ssh key http://develop.github.com/p/users.html with an OAuth access token. I'm attaching the "access_token" as parameter to the URL and send the key in the POST body. It looks right to me but I always get a 401 message back.

Is this API supposed to work with OAuth?

atmos commented Nov 30, 2010

@fjakobs We don't support uploading user's ssh keys with OAuth right now. At this point we're unsure if we'll ever add that feature to the API. Uploading deploy keys does work however.

fjakobs commented Dec 1, 2010

@atmos thanks for the information. Though I think uploading deploy keys has the same security implications as uploading public keys. Both give you read/write access to any repository. Either both should be allowed or both disallowed. What about adding an SSH OAuth scope?

technoweenie commented Dec 1, 2010

@kjakobs: Ah you're totally right about deploy keys! I thought they were readonly for some reason. I'll be removing them today.

I'm not sure we'll ever add support for key management in OAuth:

  • You rarely have to update keys.
  • Keys will be a thing of the past when Smart HTTP support in Git improves.

foca commented Dec 1, 2010

Noooooooooo!!!! :)

We're actually using OAuth to add deploy keys (and hopefully post-receive hooks, if Corey finds the time for that). Could you leave them there? :)

Once they are a thing of the past and there's an alternative, I'd be glad to transition to something different, but I would rather minimize the steps users have to go through, if possible :)

Cheers

technoweenie commented Dec 1, 2010

Blah, I just realized the API lets you modify org teams and repo collaborators, so any discussion on public key is probably moot.

fjakobs commented Dec 1, 2010

What about reading public keys? It would be incredibly useful for us to be able to check if the user has already uploaded the key manually.

oyvindkinsey commented Jan 18, 2011

How can I revoke the application's access? I know this is beta, but still, you need to provide us with a way to let the users revoke access.
Edit: Just realized you can do this under 'connections' - this could be clearer.

technoweenie commented Jan 26, 2011

I just added the gist scope for creating gists, and support for accessing git objects on private repos.

jed commented Jan 27, 2011

so is there an API for writing to gists now?

Create a gist is Coming soon on http://develop.github.com/p/gist.html

technoweenie commented Jan 27, 2011

Oh, I guess whoever added it never updated the docs. Just post to https://github.com/api/v1/json/new with the same fields as the web form. It's kind of weird, so maybe that's why it's not public yet :)

thallgren commented Feb 1, 2011

I would like to pull and push repositories using the access token that I get from OAuth so that the user doesn't have to trust our service with key-pairs. Will that ever be possible? At present I guess I need to create and deploy a key-pair on the user's behalf and then store the private key in a safe place. The deploy method is marked deprecated though, and that makes me a bit worried.

What does the future look like for services that want to push on behalf of a user?

technoweenie commented Feb 1, 2011

File a support issue if you have any more questions about OAuth and the API.

bassemZohdy commented May 4, 2013

what is the expires_in of the GitHub token

antn commented Jul 8, 2013

The "register their application" link should point to https://github.com/settings/applications/new, not https://github.com/account/applications/new.

w1150n commented Jul 25, 2013

When will we be able to only grant access to specific private repos? Exposing access to all private repos is a deal-killer for us.

juansalas commented Jul 26, 2013

Yes, agree with w1150n. Is there any way to select private repos or at least provide a read-only permission for private repos ?? Thanks!

jperl commented Jul 27, 2013

+1 read-only specific private repo

Zeokat commented Mar 5, 2014

Zeokat says, thanks for the code. Deal with Oauth is oauughrrg.

jasonhargrove commented Jul 2, 2014

+1 specified repos

Malabarba commented Jul 22, 2015

Has the workflow changed recently? Trying to post on https://github.com/login/oauth/access_token only gives me a Not Found error.

dkhmelenko commented Aug 5, 2015

Same for me. Receive Not Found when trying to post on https://github.com/login/oauth/access_token. Does anybody know the reason?

fallanic commented Jan 20, 2016

+1 read-only private repo

masud-technope commented Apr 3, 2016

Is the Javascript flow available now? It was much needed for me.

luizkowalski commented Aug 1, 2016

+1 for javascript flow

chadwithuhc commented Nov 12, 2016

For those getting 404 errors:

I had the same problem and ended up here. This was a solution to my problem:

function requestGithubToken(options, code) {
  let data = new FormData()
  data.append('client_id', options.client_id)
  data.append('client_secret', options.client_secret)
  data.append('code', code)
  
  fetch(`https://github.com/login/oauth/access_token`, {
    method: 'POST',
    body: data
  })
  .then((response) => {
    return response.text()
  })
  .then((paramsString) => {
    let params = new URLSearchParams(paramsString)
    console.log('access_token', params.get('access_token'))
  });
}

Part of the problem was my data was sent as JSON and not FormData. Then dealing with the response I had to use URLSearchParams to pull out the access token.

nathandunn commented Nov 22, 2016

+1 for sending as FormData instead of JSON. That should be more prevalent in the doc since everything else I seem to send it encoded JSON.

lakesare commented Jan 29, 2017

@chadwithuhc, ugh, thank you, spent a few hours on this (was sending JSON.stringify data too). this should most certainly be somewhere in docs.
FormData worked.

McaDipali commented Mar 24, 2017

hey nice post but i want to ask something....
imagine that there are admin & client two user of application
admin set up client id and secret for application then who will set the scope of the token
i mean admin or client ?

srph commented Jul 14, 2017

The FormData workaround for POST to https://github.com/login/oauth/access_token doesn't seem to be working anymore - still getting a 404 pre-flight response. Any ideas why?

roydekleijn commented Aug 5, 2017

jeah... having the same on the preflight... like to know the solution

brianmcallister commented Sep 24, 2017

Remember to set the header Content-Type: application/json if you want to send JSON data.

tscanlin commented Oct 3, 2017

^ Thank you!

Add accept headers to get JSON back too

headers: {
  'Content-Type': 'application/json',
  'Accept': 'application/json'
},
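
Added example, not code from the gist or from any commenter: the three steps of the Web Application Flow in the guide, together with the request and response encodings discussed in the comments above (form-encoded by default, JSON when an Accept header asks for it). It is written to run server-side, since the token request carries client_secret. The helper names, the sample responses and the scope field in them are assumptions; the guide itself only shows access_token in the response.

```javascript
// Added example: the web application flow as pure functions, so the request
// shapes and the response handling can be checked without any network access.

const AUTHORIZE_URL = 'https://github.com/login/oauth/authorize';
const TOKEN_URL = 'https://github.com/login/oauth/access_token';

// Step 1: the URL the user's browser is redirected to.
function buildAuthorizeUrl({ clientId, redirectUri, scopes = [] }) {
  const url = new URL(AUTHORIZE_URL);
  url.searchParams.set('client_id', clientId);
  url.searchParams.set('redirect_uri', redirectUri);
  if (scopes.length > 0) url.searchParams.set('scope', scopes.join(','));
  return url.toString();
}

// Step 2: the POST that trades the temporary code for an access token.
// The result can be passed to fetch(request.url, request) on the server.
function buildTokenRequest({ clientId, clientSecret, code, redirectUri }, wantJson = false) {
  const body = new URLSearchParams({
    client_id: clientId,
    client_secret: clientSecret,
    code,
    redirect_uri: redirectUri,
  });
  const headers = { 'Content-Type': 'application/x-www-form-urlencoded' };
  if (wantJson) headers['Accept'] = 'application/json';
  return { url: TOKEN_URL, method: 'POST', headers, body: body.toString() };
}

// Step 3: read the token response in either encoding and fail closed.
function parseTokenResponse(contentType, bodyText) {
  let fields;
  if (/^application\/json\b/i.test(contentType || '')) {
    try {
      fields = JSON.parse(bodyText);
    } catch (err) {
      throw new Error('token exchange failed: response is not valid JSON');
    }
  } else {
    fields = Object.fromEntries(new URLSearchParams(bodyText));
  }
  if (fields === null || typeof fields !== 'object') {
    throw new Error('token exchange failed: unexpected response shape');
  }
  if (fields.error) {
    throw new Error(`token exchange failed: ${fields.error}`);
  }
  if (typeof fields.access_token !== 'string' || fields.access_token === '') {
    throw new Error('token exchange failed: no access_token in response');
  }
  const scopes = fields.scope ? String(fields.scope).split(',') : [];
  return { accessToken: fields.access_token, scopes };
}

// Literal comparison of scope names; it does not model one scope implying another.
function missingScopes(requested, granted) {
  return requested.filter((scope) => !granted.includes(scope));
}

// Constructed sample values, not real credentials or real server output.
const SAMPLE_APP = {
  clientId: 'EXAMPLE_CLIENT_ID',
  clientSecret: 'EXAMPLE_CLIENT_SECRET',
  redirectUri: 'http://www.example.com/oauth_redirect',
};
const SAMPLE_FORM_RESPONSE = 'access_token=EXAMPLE_TOKEN&scope=user&token_type=bearer';

console.log(buildAuthorizeUrl({ ...SAMPLE_APP, scopes: ['user', 'public_repo'] }));
console.log(buildTokenRequest({ ...SAMPLE_APP, code: 'EXAMPLE_CODE' }, true).headers);
const sampleToken = parseTokenResponse('application/x-www-form-urlencoded', SAMPLE_FORM_RESPONSE);
console.log('granted:', sampleToken.scopes, 'missing:', missingScopes(['user', 'public_repo'], sampleToken.scopes));
```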

henrysoftware6 commented May 8, 2018

I'm trying to do a rest api get request with

henrysoftware6 commented May 8, 2018

I'm trying to do a rest api get request with
https://github.com/login/oauth/authorize?client_id=**********&redirect_uri=http://localhost:****. but I don't see any Code in my Get response, where can I find my "Code" in the GET response?

msudgh commented Jul 8, 2018

Is it right to use client_secret in an open source project which is visible for everyone? or have security concerns for OAuth apps? @technoweenie
