Copilot Lvl 2
Message 1 of 4

Getting "OAuth App access restrictions" for GraphQL mutations but not same V3 action


Been scratching my head for a while with this one. I have an iOS app that connects to the GitHub API through a mix of V3 and GraphQL requests. I've been getting reports of error messages like:

 

Although you appear to have the correct authorization credentials,
the `babel` organization has enabled OAuth App access restrictions, meaning that data
access to third-parties is limited. For more information on these restrictions, including
how to whitelist this app, visit
https://help.github.com/articles/restricting-access-to-your-organization-s-data/

 

If I send the following GraphQL mutation with a custom Personal Access Token with user, repo, and notifications:

mutation {
  addReaction(input: {subjectId: "MDU6SXNzdWUzNzcxODQ3NTg=", content: HEART}) {
    subject {
      viewerCanReact
      id
    }
  }
}

 

It'll work just fine. However, if I use a token from our app's Basic OAuth flow, I get the FORBIDDEN error above.

 

Now where this gets funky is if I send a V3 Reaction request with the same tokens, they both work! 😕

 

Is there something I'm missing with authentication in our app? Or misunderstanding auth with the GraphQL API?

 

You can see all of the research we did on this issue here.
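The two calls compared in this post, as an added diagnostic that is not part of the original post or of GitHawk's code: it builds the same "heart" reaction as the GraphQL `addReaction` mutation and as the REST v3 reactions call, decodes the legacy node ID shown above into its type and database id, and classifies each API's response so the OAuth App access restriction message can be recognised in either error shape. Assumptions, marked in the code: the GraphQL error body carries a per-error `type` and `message` while REST answers HTTP 403 with a top-level `message` (the sample responses are constructed to those shapes); the owner, repo and issue number for the REST call must be supplied separately, since the node ID alone does not give them; the `squirrel-girl-preview` Accept header reflects the reactions API as it was when this thread was written. Network calls only run when a token is supplied.

```python
"""Added diagnostic (not from the thread): send the same reaction via GraphQL
and REST v3 with one token and classify each response."""
import base64
import json
import os
import sys
import urllib.error
import urllib.request

API = "https://api.github.com"
RESTRICTION_MARKER = "OAuth App access restrictions"
SUBJECT_ID = "MDU6SXNzdWUzNzcxODQ3NTg="  # issue node ID from the original post


def decode_legacy_node_id(node_id):
    """Legacy node IDs are base64 of "<nn>:<Type><database id>".
    Returns (type_name, database_id); useful when mapping to a REST URL."""
    raw = base64.b64decode(node_id).decode()
    _, _, body = raw.partition(":")
    type_name = body.rstrip("0123456789")
    return type_name, int(body[len(type_name):])


def graphql_request(subject_id, content="HEART"):
    """The addReaction mutation from the post, with the subject as a variable."""
    query = """mutation($id: ID!, $content: ReactionContent!) {
  addReaction(input: {subjectId: $id, content: $content}) {
    subject { viewerCanReact id }
  }
}"""
    body = {"query": query, "variables": {"id": subject_id, "content": content}}
    return {"url": f"{API}/graphql", "body": body, "headers": {}}


def rest_request(owner, repo, issue_number, content="heart"):
    """REST v3 equivalent: POST /repos/{owner}/{repo}/issues/{n}/reactions.
    Assumption: the preview Accept header was required at the time of the thread."""
    return {
        "url": f"{API}/repos/{owner}/{repo}/issues/{issue_number}/reactions",
        "body": {"content": content},
        "headers": {"Accept": "application/vnd.github.squirrel-girl-preview+json"},
    }


def classify(status, body):
    """Return ok | oauth_app_restricted | forbidden_other | error.
    Assumed shapes: GraphQL answers HTTP 200 with an `errors` array whose entries
    carry `type` and `message`; REST answers with the HTTP status and `message`."""
    if isinstance(body, (str, bytes)):
        body = json.loads(body)
    errors = body.get("errors", [])
    messages = [e.get("message", "") for e in errors]
    if not messages and "message" in body:
        messages = [body["message"]]
    if status < 400 and not messages:
        return "ok"
    if any(RESTRICTION_MARKER in m for m in messages):
        return "oauth_app_restricted"
    if status == 403 or any(e.get("type") == "FORBIDDEN" for e in errors):
        return "forbidden_other"
    return "error"


def send(req, token):
    """Perform one POST with a token; returns (status, parsed body). Network only."""
    headers = {"Authorization": f"token {token}",
               "Content-Type": "application/json", **req["headers"]}
    data = json.dumps(req["body"]).encode()
    http_req = urllib.request.Request(req["url"], data=data, headers=headers, method="POST")
    try:
        with urllib.request.urlopen(http_req) as resp:
            return resp.status, json.loads(resp.read())
    except urllib.error.HTTPError as err:
        return err.code, json.loads(err.read() or b"{}")


if __name__ == "__main__":
    # Run once with a personal access token and once with the OAuth app token.
    token = os.environ.get("GITHUB_TOKEN")
    issue = os.environ.get("GITHUB_ISSUE")  # hypothetical form: owner/repo#123
    if not token or not issue:
        sys.exit("set GITHUB_TOKEN and GITHUB_ISSUE=owner/repo#number to run the live comparison")
    print("node id decodes to", decode_legacy_node_id(SUBJECT_ID))
    repo_path, _, number = issue.partition("#")
    owner, repo = repo_path.split("/")
    for name, req in (("graphql", graphql_request(SUBJECT_ID)),
                      ("rest", rest_request(owner, repo, int(number)))):
        print(name, classify(*send(req, token)))
```

Running it twice, once with a personal access token and once with the OAuth app's token, gives a side-by-side record of which API returns `oauth_app_restricted`; the classifier is what you would keep in the client so the restriction message is surfaced to the user instead of being reported as a generic FORBIDDEN.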

3 Replies
Solution
Community Manager
Message 2 of 4

Re: Getting "OAuth App access restrictions" for GraphQL mutations but not same V3 action

Hi @rnystrom,

 

The GraphQL mutation works because you are using a personal access token. A personal access token is associated with a user, and a user isn't subject to OAuth app access restrictions.

 

However, if I use a token from our app's Basic OAuth flow, I get the FORBIDDEN error above.

 

This is expected, though admittedly confusing behavior. The babel organization has OAuth App access restrictions enabled:

 

https://help.github.com/articles/about-oauth-app-access-restrictions/

 

Because this feature is enabled, only owner-approved OAuth Apps can access the organization's resources. In this case, Ryan's application, GitHawk, needs to be listed as one of babel's approved OAuth applications. Our documentation team wrote a guide for organization members to request an owner approve access to org resources for an OAuth App as well as the actual approval process for the owner here:

 

 

Your research on this was very insightful! If you'd like us to research further how the calls were made, please send a `curl -v` output showcasing the full request-response pair to support@github.com (remember to obfuscate or redact any sensitive information (authorization headers, tokens)) so we can take a look!

 

Best,

Andrea


Copilot Lvl 2
Message 3 of 4

Re: Getting "OAuth App access restrictions" for GraphQL mutations but not same V3 action

Hey @AndreaGriffiths11! Thanks for the reply. I think that this makes sense as to why the GraphQL API has auth restrictions, but that doesn't explain why the V3 Reaction request (the exact same mutation but w/ the V3 API) does work with the basic OAuth token.

 

If an organization has restrictions, shouldn't both APIs behave similarly for the exact same mutation?

 

Thanks!

Ground Controller Lvl 1
Message 4 of 4

Re: Getting "OAuth App access restrictions" for GraphQL mutations but not same V3 action

I'm having the exact same issue when I'm trying to browse through my private repo, with github explorer: https://developer.github.com/v4/explorer/

 

Is it possible to grant explorer access to my private repo?  GitHub doesn't show up in the mentioned list in any way.

 

Never mind, I wasn't looking. I needed to authorize through my personal account, not through the organization. A little confusing, but makes sense if you think about it.