How to use Github API to revoke OAuth authentication?

Question

Here is the code I'm using, but I keep getting a 403 error in response.

let username = "CLIENT_ID_GOES_HERE";
let password = "SECRET_GOES_HERE";
let basicAuth = Buffer.from(`${username}:${password}`).toString('base64');

try {
    response = await axios.delete(`https://github.com/applications/${clientId}/grant`, 
    {
        headers: {
            'Authorization': `Basic ${basicAuth}`,
            'Accept': 'application/vnd.github.v3+json',
        },
        data: {
            access_token: token
        }
    });
} catch (e) {
    return {
        statusCode: 502,
        body: JSON.stringify(e)
    }
}

I've verified that the client ID, secret and token are all correct. The token I'm using is the one that is returned by github upon authenticating.

From what i can see in the docs the authorization header type is Token not basic — Linda Lawton - DaImTo, Jun 23 '22 at 21:01
Yup I saw that too, but if you read the description of the endpoint, it says that Basic authentication is required. So it's really confusing. I'll try again with the Token type. — Dominique, Jun 23 '22 at 23:37
GH's implementation of Basic Auth isn't RFC 2617-compliant, as noted by their [doc](https://docs.github.com/en/rest/overview/other-authentication-methods#basic-authentication). `Authorization: token...` isn't Basic Auth at all as defined by the RFC, it's a GH-custom thing. GH docs calling this 'Basic Auth' is a doc bug. — identigral, Jun 26 '22 at 19:59

score 1 · Answer 1 · answered Jun 25 '22 at 07:57

1

Check if, as in here, a token authorization header would work better:

Authorization: `token ${process.env.GITHUB_TOKEN}`,

answered Jun 25 '22 at 07:57

VonC

1,262,500
529
4,410
5,250

I've used this but got the same 403 error. Is this supposed to be the token that github returns when you first authenticate? – Dominique Jun 27 '22 at 09:53
@Dominique It should be your PAT ([Personal Access Token](https://docs.github.com/en/authentication/keeping-your-account-and-data-secure/creating-a-personal-access-token)) – VonC Jun 27 '22 at 11:34

score 1 · Answer 2 · answered Jun 27 '22 at 18:30

I figured it out. First, I had to modify my axios request to be able to see the full error message. Inside the 'catch' part of a try-catch, I was able to take a look at the value of error.response.data.

The error I was getting was "Cookies must be enabled to use github".

After some Googling, someone with the same error commented that they had to use the host api.github.com. Turns out that I was using github.com. Once I changed this, the error went away.

How to use Github API to revoke OAuth authentication?

2 Answers2