GitHub Enterprise Server's OAuth implementation supports the standard authorization code grant type and the OAuth 2.0 Device Authorization Grant for apps that don't have access to a web browser.
If you want to skip authorizing your app in the standard way, such as when testing your app, you can use the non-web application flow.
To authorize your OAuth app, consider which authorization flow best fits your app.
- web application flow: Used to authorize users for standard OAuth apps that run in the browser. (The implicit grant type is not supported.)
Web application flow
Note: If you are building a GitHub App, you can still use the OAuth web application flow, but the setup has some important differences. See "Identifying and authorizing users for GitHub Apps" for more information.
The web application flow to authorize users for your app is:
- Users are redirected to request their GitHub identity
- Users are redirected back to your site by GitHub
- Your app accesses the API with the user's access token
1. Request a user's GitHub identity
GET http(s)://[hostname]/login/oauth/authorize
When your GitHub App specifies a login
parameter, it prompts users with a specific account they can use for signing in and authorizing your app.
Parameters
Name | Type | Description |
---|---|---|
client_id | string | Required. The client ID you received from GitHub when you registered. |
redirect_uri | string | The URL in your application where users will be sent after authorization. See details below about redirect urls. |
login | string | Suggests a specific account to use for signing in and authorizing the app. |
scope | string | A space-delimited list of scopes. If not provided, scope defaults to an empty list for users that have not authorized any scopes for the application. For users who have authorized scopes for the application, the user won't be shown the OAuth authorization page with the list of scopes. Instead, this step of the flow will automatically complete with the set of scopes the user has authorized for the application. For example, if a user has already performed the web flow twice and has authorized one token with user scope and another token with repo scope, a third web flow that does not provide a scope will receive a token with user and repo scope. |
state | string | An unguessable random string. It is used to protect against cross-site request forgery attacks. |
allow_signup | string | Whether or not unauthenticated users will be offered an option to sign up for GitHub during the OAuth flow. The default is true . Use false when a policy prohibits signups. |
2. Users are redirected back to your site by GitHub
If the user accepts your request, GitHub Enterprise Server redirects back to your site with a temporary code
in a code parameter as well as the state you provided in the previous step in a state
parameter. The temporary code will expire after 10 minutes. If the states don't match, then a third party created the request, and you should abort the process.
Exchange this code
for an access token:
POST http(s)://[hostname]/login/oauth/access_token
Parameters
Name | Type | Description |
---|---|---|
client_id | string | Required. The client ID you received from GitHub Enterprise Server for your OAuth App. |
client_secret | string | Required. The client secret you received from GitHub Enterprise Server for your OAuth App. |
code | string | Required. The code you received as a response to Step 1. |
redirect_uri | string | The URL in your application where users are sent after authorization. |
Response
By default, the response takes the following form:
access_token=e72e16c7e42f292c6912e7710c838347ae178b4a&scope=repo%2Cgist&token_type=bearer
You can also receive the response in different formats if you provide the format in the Accept
header. For example, Accept: application/json
or Accept: application/xml
:
Accept: application/json
{
"access_token":"e72e16c7e42f292c6912e7710c838347ae178b4a",
"scope":"repo,gist",
"token_type":"bearer"
}
Accept: application/xml
<OAuth>
<token_type>bearer</token_type>
<scope>repo,gist</scope>
<access_token>e72e16c7e42f292c6912e7710c838347ae178b4a</access_token>
</OAuth>
3. Use the access token to access the API
The access token allows you to make requests to the API on a behalf of a user.
Authorization: token OAUTH-TOKEN
GET http(s)://[hostname]/api/v3/user
For example, in curl you can set the Authorization header like this:
curl -H "Authorization: token OAUTH-TOKEN" http(s)://[hostname]/api/v3/user
Non-Web application flow
Non-web authentication is available for limited situations like testing. If you need to, you can use Basic Authentication to create a personal access token using your Personal access tokens settings page. This technique enables the user to revoke access at any time.
Note: When using the non-web application flow to create an OAuth2 token, make sure to understand how to work with two-factor authentication if you or your users have two-factor authentication enabled.
Redirect URLs
The redirect_uri
parameter is optional. If left out, GitHub will
redirect users to the callback URL configured in the OAuth Application
settings. If provided, the redirect URL's host and port must exactly
match the callback URL. The redirect URL's path must reference a
subdirectory of the callback URL.
CALLBACK: http://example.com/path
GOOD: http://example.com/path
GOOD: http://example.com/path/subdir/other
BAD: http://example.com/bar
BAD: http://example.com/
BAD: http://example.com:8080/path
BAD: http://oauth.example.com:8080/path
BAD: http://example.org
Localhost redirect urls
The optional redirect_uri
parameter can also be used for localhost URLs. If the application specifies a localhost URL and a port, then after authorizing the application users will be redirected to the provided URL and port. The redirect_uri
does not need to match the port specified in the callback url for the app.
For the http://localhost/path
callback URL, you can use this redirect_uri
:
http://localhost:1234/path
Creating multiple tokens for OAuth Apps
You can create multiple tokens for a user/application/scope combination to create tokens for specific use cases.
This is useful if your OAuth App supports one workflow that uses GitHub for sign-in and only requires basic user information. Another workflow may require access to a user's private repositories. Using multiple tokens, your OAuth App can perform the web flow for each use case, requesting only the scopes needed. If a user only uses your application to sign in, they are never required to grant your OAuth App access to their private repositories.
There is a limit of ten tokens that are issued per user/application/scope combination. If an application creates more than 10 tokens for the same user and the same scopes, the oldest tokens with the same user/application/scope combination will be revoked.
Warning: Revoking all permission from an OAuth App deletes any SSH keys the application generated on behalf of the user, including deploy keys.
Directing users to review their access
You can link to authorization information for an OAuth App so that users can review and revoke their application authorizations.
To build this link, you'll need your OAuth Apps client_id
that you received from GitHub when you registered the application.
http(s)://[hostname]/settings/connections/applications/:client_id
Tip: To learn more about the resources that your OAuth App can access for a user, see "Discovering resources for a user."
Troubleshooting
- "Troubleshooting authorization request errors"
- "Troubleshooting OAuth App access token request errors"