DEV Community

Rodion Gorkovenko

GitHub deprecates access token in URL!

Just recently I posted a brief comparison of using authentication with Facebook / Gmail / GitHub on websites.

I said that FB annoys me with frequent breaking updates to its API, while the others do not. Well, recently GitHub made an update too!

Luckily it is not a complicated change, so I'll post an example of a quick fix and a couple of links to the instructions, just in case someone uses it and missed the notifications. The example is in PHP, but you can easily understand it and convert it to anything, including curl :)

How it worked before

For "Login via GitHub" we use a link or button on our web page which points to the following URL (with some parameters):

https://github.com/login/oauth/authorize

This takes the user to the GitHub login form (if he/she isn't already signed in) and then returns them to our website, providing us with an authentication TOKEN.

This token is then used to fetch various information from the API. In the simplest form, we call the /api/user endpoint to get the public GitHub ID of the user who signed in (and sign him/her into our site with this ID).

And here is the change

The old style passed the TOKEN as a query parameter, e.g. /api/user?token=... - but now it is deprecated.

How it is now? Get to code!

Nowadays GitHub API methods want us to provide the TOKEN in the request headers instead. Not a big difference, luckily:

The old code looked like this:

    function github_fetch_user_data($token) { // old style

        // url includes token:
        $url = 'https://api.github.com/user?access_token=' . $token;

        // suppose we already have some additional options to API request
        $options  = array('http' => array('some_option'=> 'Some_Value'));

        // structure to pass additional features to HTTP GET request
        $context  = stream_context_create($options);

        // do HTTP GET request at last
        return file_get_contents($url, false, $context);
    }

Now it is changed to send an Authorization: token ... header line and to drop the query parameter:

    function github_fetch_user_data($token) {

        $url = 'https://api.github.com/user';

        // include 'header' field in the options
        $options  = array(
            'http' => array('some_option'=> 'Some_Value',
            'header' => "Authorization: token $token"));

        $context  = stream_context_create($options);

        return file_get_contents($url, false, $context);
    }

As one may see from the links below, a similar deprecation applies to other API methods that passed the authentication token in query parameters or as part of the URL path.
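For call sites that still build URLs with access_token in the query string, here is an added example (not code from the original post) that strips the token out of the URL and moves it into the Authorization header. The function names, the sample URL and the token value are made up for illustration, and the printable-ASCII check on the token is an assumption added to keep line breaks out of the header.

```php
<?php
// Added example, not from the original post. Function names are hypothetical.

// Split a legacy URL into a token-free URL and the token it carried.
function github_strip_token_from_url($url) {
    $parts = parse_url($url);
    if ($parts === false || !isset($parts['scheme'], $parts['host'])) {
        throw new InvalidArgumentException('Not an absolute URL');
    }
    $query = array();
    if (isset($parts['query'])) {
        parse_str($parts['query'], $query);
    }
    $token = null;
    if (isset($query['access_token'])) {
        $token = $query['access_token'];
        unset($query['access_token']);
    }
    $clean = $parts['scheme'] . '://' . $parts['host']
        . (isset($parts['port']) ? ':' . $parts['port'] : '')
        . (isset($parts['path']) ? $parts['path'] : '/');
    if ($query) {
        $clean .= '?' . http_build_query($query);
    }
    return array($clean, $token);
}

// Build stream-context options that carry the token in a header.
function github_auth_options($token, array $httpOptions = array()) {
    // Assumption: tokens are printable ASCII without spaces. Rejecting
    // anything else keeps CR/LF from adding extra header lines.
    if (!is_string($token) || !preg_match('/^[\x21-\x7E]+$/D', $token)) {
        throw new InvalidArgumentException('Unexpected token format');
    }
    $headers = isset($httpOptions['header']) ? (array) $httpOptions['header'] : array();
    $headers[] = "Authorization: token $token";
    $httpOptions['header'] = $headers;
    return array('http' => $httpOptions);
}

// Constructed sample input; the token value is a placeholder.
$legacy = 'https://api.github.com/user?access_token=EXAMPLE_TOKEN_123&per_page=5';
list($url, $token) = github_strip_token_from_url($legacy);
$options = github_auth_options($token, array('user_agent' => 'my-app'));
echo $url, "\n";
echo implode("\n", $options['http']['header']), "\n";
$context = stream_context_create($options); // then: file_get_contents($url, false, $context)
```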

Links

GitHub deprecation of passwords and tokens in urls, since November 2019

GitHub "Webflow" authorization API
