- December 8, 2014
Since OAuth access tokens function like passwords, they should be treated with
care. Today we are making it easier to more securely work with authorizations
via the Authorizations API. We are deprecating the use of the
attribute in the majority of the Authorizations API
responses. For the affected APIs, the
token attribute will soon return an empty string. To get ready for that
change, we are giving developers a chance to
preview the updated API starting today.
The current OAuth Authorizations API requires GitHub to store the full value for each OAuth token on our servers. In order to increase the security for our users, we are changing our architecture to store the SHA-256 digest of OAuth tokens instead. GitHub securely hashes user passwords using bcrypt and we want to provide comparable security for OAuth tokens as well.
Rest assured that this change is an entirely proactive measure from GitHub and is not associated with any security incident.
This change affects any code that relies on accessing the
token attribute from
these OAuth Authorizations API responses.
For example, our own GitHub for Mac and
GitHub for Windows applications relied on reading the
from the Get-or-create an authorization for a specific app API, in order to support multiple installations of our desktop application for a single user.
In order to reduce the impact of removing the
token attribute, the OAuth
Authorizations API has added a new request attribute (
three new response attributes (
fingerprint), and added one new API.
While these new APIs and attributes do not replace the full functionality that
previously existed, they can be used in place of
token for most common use cases.
token_last_eightreturns the last eight characters of the associated OAuth token. As an example,
token_last_eightcould be used to display a list of partial token values to help a user manage their OAuth tokens.
hashed_tokenis the base64 of the SHA-256 digest of the token.
hashed_tokencould be used to programmatically validate that a given token matches an authorization returned by the API.
fingerprintis a new optional request parameter that allows an OAuth application to create multiple authorizations for a single user.
fingerprintshould be a string that distinguishes the new authorization from others for the same client ID and user.
For example, to differentiate installations of a desktop application across multiple devices you might set
SHA256_HEXDIGEST("GitHub for Mac - MAC_ADDRESS_OF_MACHINE"). Since
fingerprintis not meant to be a user-facing value, you should still set the
noteattribute to help a user differentiate between authorizations on their OAuth applications listing on GitHub.
Get-or-create an authorization for a specific app and fingerprint is a new API that is analogous to the Get-or-create an authorization for a specific app API, but adds support for the new
We are making the new Authorizations API available today for developers to preview. During this period, we may change aspects of these endpoints. If we do, we will announce the changes on the developer blog, but we will not provide any advance notice.
While these new APIs are in their preview period, you’ll need to provide the following custom media type in the Accept header:
We expect the preview period to last 4-6 weeks. (Stay tuned to the developer blog for updates.) At the end of the preview period, these changes will become an official and stable part of GitHub API.
At the end of the preview period, we will announce the start of a migration period. Developers will have 8 weeks to update existing code to use the new APIs.
Some users may be curious why we are not using bcrypt to hash our OAuth tokens like we do for user passwords. Bcrypt is purposefully computationally expensive in order to mitigate brute force attacks against low entropy passwords. However, OAuth tokens are highly random and are not susceptible to brute force attacks. Given that OAuth token validation occurs for each request to the API we chose SHA-256 for performance reasons.
If you have any questions or feedback, please drop us a line.
- Changes to maximum webhook timeout period
September 12, 2017
- Protected Branches API Becomes an Official Part of API v3
September 6, 2017
- Breaking changes to projects API preview and webhook date format
September 1, 2017
- Preview the new Nested Teams APIs
August 30, 2017
- Repository Invitations API is now official
August 23, 2017
- Helium and GitHub partner to streamline connected hardware development
August 17, 2017
- Breaking changes to creating webhooks via the API
August 9, 2017
- Preview team review requests API
July 26, 2017