We have an OAuth App and are creating access_tokens with the expectation that our system would periodically invoke the GitHub API without an active user. (The user authorizes our app and walks away.)
Usually with OAuth Code Flow, I would expect to see a refresh_token returned from the token endpoint when I supply the code and get an access_token. The refresh_token could be used later to get access_tokens without any user interaction. I've also seen other solutions implement something like an 'offline_access' scope which lets the system know I need a refresh_token or to extend the access_token expiry. GitHub has not mentioned this in their documentation and doesn't seem to provide a refresh_token, and the access_token seems to expire after about a day. If I needed to call the API daily, I would have to keep re-engaging with the user daily to authorize and this is not desirable.
What is the best practice for managing 'offline access' in GitHub?
Is there a way to get a refresh_token?
Is there a way to extend the expiry of the access_tokens I do get?
Below is the answer I received from GitHub support. So I guess there is something on my side that I've missed.
GitHub's OAuth tokens don't expire after some specific period since they've been created (and refresh tokens aren't used currently, because of that). However, there are several reasons why a valid token might become invalid: