Getting "OAuth App access restrictions" for GraphQL mutations but not same V3 action #24488
Been scratching my head for a while with this one. I have an iOS app that connects to the GitHub API through a mix of V3 and GraphQL requests. I’ve been getting reports of error messages like:
If I send the following GraphQL mutation with a custom Personal Access Token with user, repo, and notifications:
It’ll work just fine. However, if I use a token from our app’s Basic OAuth flow, I get the FORBIDDEN error above. Now where this gets funky is if I send a V3 Reaction request with the same tokens, they both work! 😕 Is there something I’m missing with authentication in our app? Or misunderstanding auth with the GraphQL API?
Replies: 3 comments
Hi @rnystrom, The GraphQL mutation works because you are using a personal access token. A personal access token is associated with a user, and a user isn’t subject to OAuth app access restrictions.
This is expected, though admittedly confusing behavior. The babel organization has OAuth App access restrictions enabled: https://help.github.com/articles/about-oauth-app-access-restrictions/ Because this feature is enabled, only owner-approved OAuth Apps can access the organization’s resources. In this case, Ryan’s application, GitHawk, needs to be listed as one of babel's approved OAuth applications.
Your research on this was very insightful! If you’d like us to research further how the calls were made, please send a
Best,
Andrea
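An added example (not code from this thread, from GitHawk, or from GitHub) that reproduces Ryan’s comparison offline: the same "add reaction" action is sent with one token through the GraphQL endpoint and through the REST v3 reactions endpoint, and each response is classified. The security-relevant detail it makes visible is that GraphQL reports the authorization failure inside an HTTP 200 (an `errors` entry with `type: FORBIDDEN`), whereas REST reports it as an HTTP 403, so a client that treats a 200 as success will silently miss the restriction. Assumptions: the mutation is `addReaction` (the post elides the exact query), the error text is matched on the substring "OAuth App access restrictions" (assumed wording, not quoted from GitHub), and `fake_github` is a constructed stand-in transport whose per-token behaviour is configurable so the asymmetric case from the thread can be exercised.

```python
"""Offline probe that sends one "add reaction" action through both GitHub APIs
and classifies how each one reports authorization.  The HTTP transport is a
parameter, so the file runs without network against constructed responses."""
from dataclasses import dataclass
from typing import Callable, Dict, Optional

GRAPHQL_URL = "https://api.github.com/graphql"
REST_URL = "https://api.github.com"

# Assumed mutation; the original post elides the exact GraphQL it sends.
ADD_REACTION_MUTATION = """
mutation AddReaction($subjectId: ID!, $content: ReactionContent!) {
  addReaction(input: {subjectId: $subjectId, content: $content}) {
    reaction { content }
  }
}
"""

# GraphQL ReactionContent enum value -> REST reaction content string.
REST_CONTENT = {"THUMBS_UP": "+1", "HEART": "heart", "ROCKET": "rocket"}

# Substring searched for in error messages; assumed wording, not quoted from GitHub.
RESTRICTION_HINT = "OAuth App access restrictions"


@dataclass
class Response:
    status: int
    body: dict


# transport(method, url, headers, json_body) -> Response
Transport = Callable[[str, str, Dict[str, str], Optional[dict]], Response]


def classify_graphql(resp: Response) -> str:
    """GraphQL reports authorization failures inside an HTTP 200: the `errors`
    array carries a `type` such as FORBIDDEN, so status alone is not success."""
    if resp.status != 200:
        return f"http_{resp.status}"
    errors = resp.body.get("errors") or []
    for err in errors:
        if err.get("type") == "FORBIDDEN":
            return "oauth_app_restricted" if RESTRICTION_HINT in err.get("message", "") else "forbidden"
    return "error" if errors else "ok"


def classify_rest(resp: Response) -> str:
    """REST surfaces the same failure as an HTTP 403 with a JSON message body."""
    if resp.status in (200, 201):
        return "ok"
    if resp.status == 403 and RESTRICTION_HINT in resp.body.get("message", ""):
        return "oauth_app_restricted"
    return f"http_{resp.status}"


def probe(token: str, transport: Transport, subject_node_id: str,
          owner: str, repo: str, issue_number: int, content: str = "THUMBS_UP") -> Dict[str, str]:
    """Perform the same reaction via GraphQL and REST with one token."""
    headers = {"Authorization": f"token {token}", "Accept": "application/vnd.github+json"}
    gql = transport("POST", GRAPHQL_URL, headers,
                    {"query": ADD_REACTION_MUTATION,
                     "variables": {"subjectId": subject_node_id, "content": content}})
    rest = transport("POST", f"{REST_URL}/repos/{owner}/{repo}/issues/{issue_number}/reactions",
                     headers, {"content": REST_CONTENT[content]})
    return {"graphql": classify_graphql(gql), "rest": classify_rest(rest)}


def diagnose(result: Dict[str, str]) -> str:
    """Name the pattern: both APIs agree, or only one of them applies the restriction."""
    g, r = result["graphql"], result["rest"]
    if g == r:
        return "consistent"
    if g == "oauth_app_restricted" and r == "ok":
        return "graphql_only_restricted"  # the asymmetry reported in the thread
    if r == "oauth_app_restricted" and g == "ok":
        return "rest_only_restricted"
    return "mixed"


def fake_github(restricted_apis: Dict[str, set]) -> Transport:
    """Constructed stand-in for api.github.com. `restricted_apis` maps a token to
    the set of APIs ({"graphql", "rest"}) on which the org restriction blocks it;
    unknown tokens are blocked on both."""
    def transport(method, url, headers, body):
        token = headers["Authorization"].split(" ", 1)[1]
        blocked = restricted_apis.get(token, {"graphql", "rest"})
        if url == GRAPHQL_URL:
            if "graphql" in blocked:
                return Response(200, {"data": {"addReaction": None},
                                      "errors": [{"type": "FORBIDDEN",
                                                  "message": f"constructed: {RESTRICTION_HINT}"}]})
            return Response(200, {"data": {"addReaction": {"reaction": {"content": body["variables"]["content"]}}}})
        if "rest" in blocked:
            return Response(403, {"message": f"constructed: {RESTRICTION_HINT}"})
        return Response(201, {"content": body["content"]})
    return transport


if __name__ == "__main__":
    # Constructed tokens: the PAT is unrestricted, the OAuth token is blocked on GraphQL only.
    fake = fake_github({"pat-constructed": set(), "oauth-constructed": {"graphql"}})
    for tok in ("pat-constructed", "oauth-constructed"):
        res = probe(tok, fake, "NODE_ID_PLACEHOLDER", "octo-org", "octo-repo", 1)
        print(tok, res, diagnose(res))
```

To run it against the real API, pass a transport that performs the HTTP call (for example a thin wrapper around `urllib.request`) instead of `fake_github`; the classifiers stay the same, and `diagnose` reporting `graphql_only_restricted` for an OAuth-app token while a personal access token reports `consistent` is exactly the observation in the question.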
Hey @andreagriffiths11! Thanks for the reply. I think that this makes sense as to why the GraphQL API has auth restrictions, but that doesn’t explain why the V3 Reaction request (the exact same mutation but w/ the V3 API) does work with the basic OAuth token. If an organization has restrictions, shouldn’t both APIs behave similarly for the exact same mutation? Thanks!
I’m having the exact same issue when I’m trying to browse through my private repo with GitHub Explorer: https://developer.github.com/v4/explorer/ Is it possible to grant Explorer access to my private repo? GitHub doesn’t show up in the mentioned list in any way. Never mind, I wasn’t looking. I needed to authorize through my personal account, not through the organization. A little confusing, but makes sense if you think about it.