jprdonnelly/docs
1
0
Fork 0
mirror of synced 2025-12-23 03:44:00 -05:00
Code Issues Projects Releases Wiki Activity
Files
38a4ffb373f95f79543f1d34ec4bcd3debbf5bb1
docs/content/developers/apps/building-github-apps/refreshing-user-to-server-access-tokens.md
Hector Alfaro 95e6f3d3ab Deprecate GHES 3.1 (#28798) 
* add 3.1 to deprecated versions

* rewrite img src to use azure blob storage in archive script

Co-authored-by: rachmari <rachmari@users.noreply.github.com>

* remove static files for ghes 3.1

* remove liquid conditionals and content for ghes 3.1

* remove outdated hardware reqs reusable

* Fix liquid conditional uncaught by script

* Close liquid conditionals missed by script

* Apply @mattpollard's suggestions

Co-authored-by: Matt Pollard <mattpollard@users.noreply.github.com>

Co-authored-by: rachmari <rachmari@users.noreply.github.com>
Co-authored-by: Matt Pollard <mattpollard@users.noreply.github.com>
2022-07-11 21:17:09 +00:00

82 lines
4.9 KiB
Markdown
Raw Blame History

---
title: Refreshing user-to-server access tokens
intro: 'To enforce regular token rotation and reduce the impact of a compromised token, you can configure your {% data variables.product.prodname_github_app %} to use expiring user access tokens.'
redirect_from:
- /apps/building-github-apps/refreshing-user-to-server-access-tokens
- /developers/apps/refreshing-user-to-server-access-tokens
versions:
fpt: '*'
ghes: '*'
ghae: '*'
ghec: '*'
topics:
- GitHub Apps
shortTitle: Refresh user-to-server access
---
{% data reusables.pre-release-program.expiring-user-access-tokens %}
## About expiring user access tokens
To enforce regular token rotation and reduce the impact of a compromised token, you can configure your {% data variables.product.prodname_github_app %} to use expiring user access tokens. For more information on making user-to-server requests, see "[Identifying and authorizing users for GitHub Apps](/apps/building-github-apps/identifying-and-authorizing-users-for-github-apps/)."
Expiring user tokens expire after 8 hours. When you receive a new user-to-server access token, the response will also contain a refresh token, which can be exchanged for a new user token and refresh token. Refresh tokens are valid for 6 months.
## Renewing a user token with a refresh token
To renew an expiring user-to-server access token, you can exchange the `refresh_token` for a new access token and `refresh_token`.
`POST https://github.com/login/oauth/access_token`
This callback request will send you a new access token and a new refresh token. This callback request is similar to the OAuth request you would use to exchange a temporary `code` for an access token. For more information, see "[Identifying and authorizing users for GitHub Apps](/apps/building-github-apps/identifying-and-authorizing-users-for-github-apps/#2-users-are-redirected-back-to-your-site-by-github)" and "[Basics of authentication](/rest/guides/basics-of-authentication#providing-a-callback)."
### Parameters
Name | Type | Description
-----|------|------------
`refresh_token` | `string` | **Required.** The token generated when the {% data variables.product.prodname_github_app %} owner enables expiring tokens and issues a new user access token.
`grant_type` | `string` | **Required.** Value must be `refresh_token` (required by the OAuth specification).
`client_id` | `string` | **Required.** The client ID for your {% data variables.product.prodname_github_app %}.
`client_secret` | `string` | **Required.** The client secret for your {% data variables.product.prodname_github_app %}.
### Response
```json
{
"access_token": "ghu_16C7e42F292c6912E7710c838347Ae178B4a",
"expires_in": "28800",
"refresh_token": "ghr_1B4a2e77838347a7E420ce178F2E7c6912E169246c34E1ccbF66C46812d16D5B1A9Dc86A1498",
"refresh_token_expires_in": "15811200",
"scope": "",
"token_type": "bearer"
}
```
## Configuring expiring user tokens for an existing GitHub App
You can enable or disable expiring user-to-server authorization tokens from your {% data variables.product.prodname_github_app %} settings.
{% data reusables.user-settings.access_settings %}
{% data reusables.user-settings.developer_settings %}
{% data reusables.user-settings.github_apps %}
4. Click **Edit** next to your chosen {% data variables.product.prodname_github_app %}.
![Settings to edit a GitHub App](/assets/images/github-apps/edit-test-app.png)
5. In the left sidebar, click **Optional Features**.
![Optional features tab](/assets/images/github-apps/optional-features-option.png)
6. Next to "User-to-server token expiration", click **Opt-in** or **Opt-out**. This setting may take a couple of seconds to apply.
## Opting out of expiring tokens for new GitHub Apps
When you create a new {% data variables.product.prodname_github_app %}, by default your app will use expiring user-to-server access tokens.
If you want your app to use non-expiring user-to-server access tokens, you can deselect "Expire user authorization tokens" on the app settings page.
![Option to opt-in to expiring user tokens during GitHub Apps setup](/assets/images/github-apps/expire-user-tokens-selection.png)
Existing {% data variables.product.prodname_github_apps %} using user-to-server authorization tokens are only affected by this new flow when the app owner enables expiring user tokens for their app.
Enabling expiring user tokens for existing {% data variables.product.prodname_github_apps %} requires sending users through the OAuth flow to re-issue new user tokens that will expire in 8 hours and making a request with the refresh token to get a new access token and refresh token. For more information, see "[Identifying and authorizing users for GitHub Apps](/apps/building-github-apps/identifying-and-authorizing-users-for-github-apps/)."
## Further reading
- "[About authentication to {% data variables.product.prodname_dotcom %}](/github/authenticating-to-github/about-authentication-to-github#githubs-token-formats)"
Reference in New Issue View Git Blame Copy Permalink