Getting "OAuth App access restrictions" for GraphQL mutations but not same V3 action

Been scratching my head for a while with this one. I have an iOS app that connects to the GitHub API through a mix of V3 and GraphQL requests. I’ve been getting reports of error messages like:

Although you appear to have the correct authorization credentials,
the `babel` organization has enabled OAuth App access restrictions, meaning that data
access to third-parties is limited. For more information on these restrictions, including
how to whitelist this app, visit
https://help.github.com/articles/restricting-access-to-your-organization-s-data/

If I send the following GraphQL mutation with a custom Personal Access Token with user, repo, and notifications:

mutation {
  addReaction(input: {subjectId: "MDU6SXNzdWUzNzcxODQ3NTg=", content: HEART}) {
    subject {
      viewerCanReact
      id
    }
  }
}

It’ll work just fine. However, if I use a token from our app’s Basic OAuth flow, I get the FORBIDDEN error above.

Now where this gets funky is if I send a V3 Reaction request with the  same tokens , they both work! :confused:

Is there something I’m missing with authentication in our app? Or misunderstanding auth with the GraphQL API?

You can see all of the research we did on this issue here.

HI @rnystrom,

The GraphQL mutation works because you are using a personal access token. A personal access token is associated with a user, and a user isn’t subject to OAuth app access restrictions.

However, if I use a token from our app’s Basic OAuth flow, I get the FORBIDDEN error above.

 

This is expected, though admittedly confusing behavior. The babel organization has OAuth App access restrictions enabled:

https://help.github.com/articles/about-oauth-app-access-restrictions/

Because this feature is enabled, only owner-approved OAuth Apps can access the organization’s resources. In this case, Ryan’s application, GitHawk, needs to be listed as one of babel's approved OAuth applications. Our documentation team wrote a guide for organization members to request an owner approve access to org resources for an OAuth App as well as the actual approval process for the owner here:

Your research on this was very insightful! If you’d like us to research further how the calls were made, please send a curl  -v output showcasing the full request-response pair to support@github.com (remember to obfuscate or redact any sensitive information (authorization headers, tokens) so we can take a look!

Best,

Andrea

1 Like

Hey @andreagriffiths11! Thanks for the reply. I think that this makes sense as to why the GraphQL API has auth restrictions, but that doesn’t explain why the V3 Reaction request (the exact same mutation but w/ the V3 API)  does work with the basic OAuth token.

If an organization has restrictions, shouldn’t both APIs behave similar for the exact same mutation?

Thanks!

1 Like

I’m having the exact same issue when I’m trying to browse through my private repo, with github explorer: https://developer.github.com/v4/explorer/

Is it possible to grant explorer access to my private repo?  GitHub doesn’t show up in the mentioned list in any way.

Never mind, I wasn’t looking. I needed to authorize trough my personal account, not through the organization. A little confusing, but makes sense if you think about it.