Copilot Lvl 2
Message 1 of 3

Getting "OAuth App access restrictions" for GraphQL mutations but not same V3 action
Been scratching my head for a while with this one. I have an iOS app that connects to the GitHub API through a mix of V3 and GraphQL requests. I've been getting reports of error messages like:
Although you appear to have the correct authorization credentials,
the `babel` organization has enabled OAuth App access restrictions, meaning that data
access to third-parties is limited. For more information on these restrictions, including
how to whitelist this app, visit
https://help.github.com/articles/restricting-access-to-your-organization-s-data/
If I send the following GraphQL mutation with a custom Personal Access Token with user, repo, and notifications:

mutation {
  addReaction(input: {subjectId: "MDU6SXNzdWUzNzcxODQ3NTg=", content: HEART}) {
    subject {
      viewerCanReact
      id
    }
  }
}
It'll work just fine. However, if I use a token from our app's Basic OAuth flow, I get the FORBIDDEN error above.
Now where this gets funky is if I send a V3 Reaction request with the same tokens, they both work! 😕
Is there something I'm missing with authentication in our app? Or misunderstanding auth with the GraphQL API?
You can see all of the research we did on this issue here.

2 Replies
Solution
Community Manager
Message 2 of 3

Re: Getting "OAuth App access restrictions" for GraphQL mutations but not same V3 action

Hi @rnystrom,

The GraphQL mutation works because you are using a personal access token. A personal access token is associated with a user, and a user isn't subject to OAuth app access restrictions.

> However, if I use a token from our app's Basic OAuth flow, I get the FORBIDDEN error above.

This is expected, though admittedly confusing behavior. The babel organization has OAuth App access restrictions enabled:
https://help.github.com/articles/about-oauth-app-access-restrictions/
Because this feature is enabled, only owner-approved OAuth Apps can access the organization's resources. In this case, Ryan's application, GitHawk, needs to be listed as one of babel's approved OAuth applications. Our documentation team wrote a guide for organization members on requesting that an owner approve access to org resources for an OAuth App, as well as the actual approval process for the owner, here:

Your research on this was very insightful! If you'd like us to research further how the calls were made, please send a `curl -v` output showcasing the full request-response pair to support@github.com (remember to obfuscate or redact any sensitive information, such as authorization headers and tokens) so we can take a look!

Best,

Andrea

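One practical wrinkle when debugging the two APIs side by side is that GraphQL reports the restriction inside a 200 response's "errors" array (type FORBIDDEN), while REST v3 reports it as an HTTP 403, so a status-code check alone misses the GraphQL case. The checker below is an added illustration, not code from this thread or from GitHub; the response envelopes are constructed to mirror the message quoted above and the shapes of GitHub's GraphQL and REST error replies.

```python
import json
import re

# Wording GitHub puts in the error text when an org has the feature enabled
# (taken from the message quoted in this thread).
RESTRICTION_MARKER = "OAuth App access restrictions"
ORG_PATTERN = re.compile(r"the `([^`]+)` organization")


def find_oauth_restriction(status, body):
    """Return {'api', 'error_type', 'org'} when the response reports an
    organization's OAuth App access restriction, otherwise None.

    GraphQL: HTTP 200 with an "errors" array (each entry has "type"/"message").
    REST v3: HTTP 403 with a top-level "message".
    """
    try:
        payload = json.loads(body)
    except ValueError:
        return None
    if not isinstance(payload, dict):
        return None

    candidates = []
    for err in payload.get("errors") or []:          # GraphQL-style errors
        if isinstance(err, dict):
            candidates.append(("graphql", err.get("type", "UNKNOWN"), err.get("message", "")))
    if status == 403 and payload.get("message"):     # REST-style error
        candidates.append(("rest", "HTTP_403", payload["message"]))

    for api, kind, msg in candidates:
        if RESTRICTION_MARKER in msg:
            match = ORG_PATTERN.search(msg)
            return {"api": api, "error_type": kind, "org": match.group(1) if match else None}
    return None


# Constructed sample responses (shapes modelled on GitHub's envelopes, not captured traffic).
_MSG = ("Although you appear to have the correct authorization credentials, the `babel` "
        "organization has enabled OAuth App access restrictions, meaning that data access "
        "to third-parties is limited.")
GRAPHQL_RESTRICTED = (200, json.dumps({"data": {"addReaction": None},
                                       "errors": [{"type": "FORBIDDEN", "path": ["addReaction"],
                                                   "message": _MSG}]}))
GRAPHQL_OK = (200, json.dumps({"data": {"addReaction": {"subject": {"viewerCanReact": True}}}}))
REST_RESTRICTED = (403, json.dumps({"message": _MSG}))
REST_OK = (201, json.dumps({"id": 1, "content": "heart"}))

if __name__ == "__main__":
    for name, (status, body) in [("graphql", GRAPHQL_RESTRICTED), ("rest", REST_RESTRICTED),
                                 ("graphql-ok", GRAPHQL_OK), ("rest-ok", REST_OK)]:
        print(name, find_oauth_restriction(status, body))
```

Run the checker over real `curl -v` bodies captured with the OAuth-app token and with the personal access token to see at a glance which call is being blocked and for which organization.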

Copilot Lvl 2
Message 3 of 3

Re: Getting "OAuth App access restrictions" for GraphQL mutations but not same V3 action

Hey @AndreaGriffiths11! Thanks for the reply. I think that this makes sense as to why the GraphQL API has auth restrictions, but that doesn't explain why the V3 Reaction request (the exact same mutation but w/ the V3 API) does work with the basic OAuth token.
If an organization has restrictions, shouldn't both APIs behave similarly for the exact same mutation?

Thanks!