Deprecating OAuth Application API

February 14, 2020
jovel
jpemberthy
ptoomey3

As mentioned in this previous blog post, GitHub no longer supports the OAuth application endpoints and have replaced them with a version that moves the access token to the request body for improved security.

This deprecation has not been applied to GitHub Enterprise offerings yet. Please check the latest Enterprise release notes to learn when this deprecation is initiated and which version of GitHub Enterprise Server will have the OAuth Application API removed.

As an alternative to authorizing your app, you can use the web application flow or the device flow. The device flow doesn't require using the client_secret and can be used by headless apps. For more information, see "Authorizing OAuth Apps."

Deprecation timeline

Brownouts

During a brownout, calls to the old version of OAuth application endpoints will temporarily fail. The goal is to trigger alerts (assuming there are any) on our customers' services to help find unmigrated endpoint calls.

The brownouts are scheduled for:

March 17, 2021
- From 07:00 UTC to 10:00 UTC
- From 16:00 UTC to 19:00 UTC
April 14, 2021
- From 07:00 UTC to 10:00 UTC
- From 16:00 UTC to 19:00 UTC

Removal date

All calls to the old version of the OAuth application endpoints will return a status code of 404 starting on:

May 5, 2021 at 16:00 UTC

Changes to make

Using calls to OAuth Application API

If you're using the version of the OAuth Application API that includes :access_token in the path like:

curl -u my_client_id:my_client_secret -X POST "https://api.github.com/applications/123/tokens/my_access_token"

Instead, you'll need to call the new version that moves :access_token in the request body:

curl -u my_client_id:my_client_secret -X PATCH "https://api.github.com/applications/123/token -d {"access_token": "my_access_token"}"

See the list of OAuth application endpoints below that you'll need to replace with the new endpoints.

Endpoints affected

The following list of OAuth Application endpoints are deprecated and should be replaced with the new corresponding endpoints.

Deprecated Endpoint	Deprecated Path	New Endpoint	New Path
Check an authorization	`GET /applications/:client_id/tokens/:access_token`	Check a token	`POST /applications/:client_id/token`
Reset an authorization	`POST /applications/:client_id/tokens/:access_token`	Reset a token	`PATCH /applications/:client_id/token`
Revoke app authorization	`DELETE /applications/:client_id/tokens/:access_token`	Delete app token	`DELETE /applications/:client_id/token`
Revoke app grant	`DELETE /applications/:client_id/grants/:access_token`	Delete app authorization	`DELETE /applications/:client_id/grant`

If you have any questions or feedback, please let us know!