Commit 846d374

OAuth 2.0 Device Authorization Flow is opt-in
1 parent 43d39a8 commit 846d374

7 files changed

+26
-7
lines changed

content/developers/apps/building-github-apps/creating-a-github-app.md

Lines changed: 3 additions & 1 deletion
Original file line numberDiff line numberDiff line change
@@ -52,7 +52,9 @@ topics:
5252
1. By default, to improve your app's security, your app will use expiring user authorization tokens. To opt-out of using expiring user tokens, you must deselect "Expire user authorization tokens". To learn more about setting up a refresh token flow and the benefits of expiring user tokens, see "[Refreshing user-to-server access tokens](/apps/building-github-apps/refreshing-user-to-server-access-tokens/)."
5353
![Option to opt-in to expiring user tokens during GitHub Apps setup](/assets/images/github-apps/expire-user-tokens-selection.png)
5454
1. If your app authorizes users using the OAuth flow, you can select **Request user authorization (OAuth) during installation** to allow people to authorize the app when they install it, saving a step. If you select this option, the "Setup URL" becomes unavailable and users will be redirected to your "User authorization callback URL" after installing the app. See "[Authorizing users during installation](/apps/installing-github-apps/#authorizing-users-during-installation)" for more information.
55-
![Request user authorization during installation](/assets/images/github-apps/github_apps_request_auth_upon_install.png)
55+
![Request user authorization during installation](/assets/images/github-apps/github_apps_request_auth_upon_install.png){% if device-flow-is-opt-in %}
56+
1. If your GitHub App will use the device flow to identify and authorize users, click **Enable Device Flow**. For more information about the device flow, see "[Authorizing OAuth Apps](/developers/apps/building-oauth-apps/authorizing-oauth-apps#device-flow)."
57+
![Screenshot showing field for enabling device flow](/assets/images/oauth-apps/enable-device-flow.png){% endif %}
5658
1. If additional setup is required after installation, add a "Setup URL" to redirect users to after they install your app.
5759
![Field for the setup URL of your GitHub App ](/assets/images/github-apps/github_apps_setup_url.png)
5860
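Review bot: The step added at line 56 names the control **Enable Device Flow**, but the matching step this commit adds to modifying-a-github-app.md calls it **Enable device flow**. Use the capitalization the settings page actually shows, and use it in every file. The step also does not say what happens if the box is left unchecked; a short pointer to the `device_flow_disabled` error documented in authorizing-oauth-apps.md would tell readers why their device flow requests fail.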

content/developers/apps/building-github-apps/identifying-and-authorizing-users-for-github-apps.md

Lines changed: 2 additions & 2 deletions
Original file line numberDiff line numberDiff line change
@@ -124,9 +124,9 @@ curl -H "Authorization: token OAUTH-TOKEN" {% data variables.product.api_url_pre
124124

125125
{% endnote %}
126126

127-
The device flow allows you to authorize users for a headless app, such as a CLI tool or Git credential manager.
127+
The device flow allows you to authorize users for a headless app, such as a CLI tool or Git credential manager.
128128

129-
For more information about authorizing users using the device flow, see "[Authorizing OAuth Apps](/developers/apps/authorizing-oauth-apps#device-flow)".
129+
{% if device-flow-is-opt-in %}Before you can use the device flow to identify and authorize users, you must first enable it in your app's settings. For more information on enabling device flow, see "[Modifying a GitHub App](/developers/apps/managing-github-apps/modifying-a-github-app)." {% endif %}For more information about authorizing users using the device flow, see "[Authorizing OAuth Apps](/developers/apps/authorizing-oauth-apps#device-flow)."
130130

131131
## Check which installation's resources a user can access
132132
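Review bot: The rewritten line 129 still ends with a link to `/developers/apps/authorizing-oauth-apps#device-flow`, while the steps added elsewhere in this commit link to `/developers/apps/building-oauth-apps/authorizing-oauth-apps#device-flow`. Since the line is being touched anyway, align it with the full path or confirm the short one resolves. The new sentence also says "enabling device flow" where the other files say "the device flow", and the removed and added versions of line 127 show no visible difference on this page, so check that it is an intended whitespace-only change.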

content/developers/apps/building-oauth-apps/authorizing-oauth-apps.md

Lines changed: 9 additions & 1 deletion
Original file line numberDiff line numberDiff line change
@@ -125,6 +125,12 @@ curl -H "Authorization: token OAUTH-TOKEN" {% data variables.product.api_url_pre
125125

126126
The device flow allows you to authorize users for a headless app, such as a CLI tool or Git credential manager.
127127

128+
{% if device-flow-is-opt-in %}
129+
130+
Before you can use the device flow to authorize and identify users, you must first enable it in your app's settings. For more information about enabling the device flow in your app, see "[Modifying an OAuth App](/developers/apps/managing-oauth-apps/modifying-an-oauth-app)" for OAuth Apps and "[Modifying a GitHub App](/developers/apps/managing-github-apps/modifying-a-github-app)" for GitHub Apps.
131+
132+
{% endif %}
133+
128134
### Overview of the device flow
129135

130136
1. Your app requests device and user verification codes and gets the authorization URL where the user will enter the user verification code.
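Review bot: The paragraph added at line 130 says "authorize and identify users", while the other files in this commit say "identify and authorize users"; pick one order and use it throughout. The paragraph also sends OAuth App owners to "Modifying an OAuth App" for the enabling step, but no change to that article is visible on this page, so confirm it documents the device flow setting before pointing readers at it.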
@@ -254,10 +260,12 @@ If you make more than one access token request (`POST {% data variables.product.
254260
| `unsupported_grant_type` | The grant type must be `urn:ietf:params:oauth:grant-type:device_code` and included as an input parameter when you poll the OAuth token request `POST {% data variables.product.oauth_host_code %}/login/oauth/access_token`.
255261
| `incorrect_client_credentials` | For the device flow, you must pass your app's client ID, which you can find on your app settings page. The `client_secret` is not needed for the device flow.
256262
| `incorrect_device_code` | The device_code provided is not valid.
257-
| `access_denied` | When a user clicks cancel during the authorization process, you'll receive a `access_denied` error and the user won't be able to use the verification code again.
263+
| `access_denied` | When a user clicks cancel during the authorization process, you'll receive a `access_denied` error and the user won't be able to use the verification code again.{% if device-flow-is-opt-in %}
264+
| `device_flow_disabled` | Device flow has not been enabled in the app's settings. For more information, see "[Device flow](#device-flow)."{% endif %}
258265

259266
For more information, see the "[OAuth 2.0 Device Authorization Grant](https://tools.ietf.org/html/rfc8628#section-3.5)."
260267

268+
261269
## Non-Web application flow
262270

263271
Non-web authentication is available for limited situations like testing. If you need to, you can use [Basic Authentication](/rest/overview/other-authentication-methods#basic-authentication) to create a personal access token using your [Personal access tokens settings page](/articles/creating-an-access-token-for-command-line-use). This technique enables the user to revoke access at any time.
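Review bot: The new `device_flow_disabled` row at line 264 links to "[Device flow](#device-flow)", an anchor in the same article, rather than to where the setting lives. A reader who hits this error needs the fix, so link the row directly to the "Modifying an OAuth App" and "Modifying a GitHub App" articles named in the paragraph added at line 130. While the `access_denied` row is being edited, change "a `access_denied` error" to "an `access_denied` error", and drop the blank line added at 268 unless something depends on it.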

content/developers/apps/building-oauth-apps/creating-an-oauth-app.md

Lines changed: 4 additions & 2 deletions
Original file line numberDiff line numberDiff line change
@@ -53,6 +53,8 @@ topics:
5353
**Note:** OAuth Apps cannot have multiple callback URLs, unlike {% data variables.product.prodname_github_apps %}.
5454

5555
{% endnote %}
56-
{% endif %}
57-
10. Click **Register application**.
56+
{% endif %}{% if device-flow-is-opt-in %}
57+
1. If your OAuth App will use the device flow to identify and authorize users, click **Enable Device Flow**. For more information about the device flow, see "[Authorizing OAuth Apps](/developers/apps/building-oauth-apps/authorizing-oauth-apps#device-flow)."
58+
![Screenshot showing field for enabling device flow](/assets/images/oauth-apps/enable-device-flow.png){% endif %}
59+
2. Click **Register application**.
5860
![Button to register an application](/assets/images/oauth-apps/oauth_apps_register_application.png)
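Review bot: The list numbering at lines 57 and 59 goes from the old `10. Click **Register application**` to `1.` for the new step and `2.` for the register step. Markdown numbers an ordered list from its first item and ignores the later numbers, so use `1.` for both, as creating-a-github-app.md does, rather than a `2.` that goes stale as soon as another step is inserted. The label **Enable Device Flow** here should also match whatever capitalization is settled on for modifying-a-github-app.md.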

content/developers/apps/managing-github-apps/modifying-a-github-app.md

Lines changed: 3 additions & 1 deletion
Original file line numberDiff line numberDiff line change
@@ -18,6 +18,8 @@ topics:
1818
{% data reusables.user-settings.github_apps %}
1919
{% data reusables.user-settings.modify_github_app %}
2020
5. In "Basic information", modify the GitHub App information that you'd like to change.
21-
![Basic information section for your GitHub App](/assets/images/github-apps/github_apps_basic_information.png)
21+
![Basic information section for your GitHub App](/assets/images/github-apps/github_apps_basic_information.png){% if device-flow-is-opt-in %}
22+
1. If your GitHub App will use the device flow to identify and authorize users, click **Enable device flow**. For more information about the device flow, see "[Authorizing OAuth Apps](/developers/apps/building-oauth-apps/authorizing-oauth-apps#device-flow)."
23+
![Screenshot showing field for enabling device flow](/assets/images/oauth-apps/enable-device-flow.png){% endif %}
2224
6. Click **Save changes**.
2325
![Button to save changes for your GitHub App](/assets/images/github-apps/github_apps_save_changes.png)
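Review bot: The step added at line 22 is numbered `1.` between the explicit `5.` and `6.`, so the `6.` written for "Click **Save changes**" no longer matches the number readers see when the flag is on. Either switch the list to `1.` throughout or renumber it consistently. The button label here is **Enable device flow**, while creating-a-github-app.md and creating-an-oauth-app.md use **Enable Device Flow**; match the UI string in all three.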
Lines changed: 5 additions & 0 deletions
Original file line numberDiff line numberDiff line change
@@ -0,0 +1,5 @@
1+
# docs-content 6307. OAuth device auth flow is opt in.
2+
versions:
3+
fpt: '*'
4+
ghec: '*'
5+
ghae: 'issue-6307'
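Review bot: The `versions` block has no `ghes` entry, and `ghae` is set to the issue-based value 'issue-6307' rather than a release. If leaving out `ghes` is deliberate, say so in the comment on line 1, and note there what should replace the `ghae` value and when, so it is not left behind. The comment could also state that this flag gates the "Enable Device Flow" steps and the `device_flow_disabled` error row, which makes later cleanup easier to scope.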
