OAuth flow with Integrations: Access Denied even though I clicked "Approve"


#1

Hello.

I’m in the process of migrating my OAuth app to an Integration.

When I replace the previous client id/secret with those available on the Integration settings (https://github.com/organizations/XXX/settings/integrations/XXX), I’m redirected as expected to a “XXX would like to verify your identity on GitHub” page with an “Approve” button.

When I click on “Approve”, then I’m redirected to the callback_url (User authorization callback URL) with an OAuth error “Access Denied” :disappointed:

Anyone experiencing the same issue?

Below are the complete URLs:

  1. GET: https://github.com/login/oauth/authorize?state=qXQVh2Xldx5wEEfvbOlh1IZanNAjfo62&client_id=Iv1.3e22c8b26fXXXXXX&redirect_uri=http%3A%2F%2FYYYY

  2. POST: https://github.com/login/oauth/authorize

  3. GET: http://YYYY?error=access_denied&error_description=The+user+has+denied+your+application+access.&error_uri=https%3A%2F%2Fdeveloper.github.com%2Fv3%2Foauth%2F%23access-denied&state=qXQVh2Xldx5wEEfvbOlh1IZanNAjfo62

@github-staff my integration ID is 2179.


#2

Hi – thanks for reporting this @bdelbasso, I’m also experiencing this issue.


#3

I’m experiencing this too.


#4

Same here!


#5

I’m also experiencing this through Firebase Authentication which uses the same endpoints as the normal OAuth app authentication.


#6

Ditto 2225 (which is using Elixir-OAuth2).


#7

Any news on this @keavy @sbarnekow @jmilas?


#8

We are hitting this blocking issue as well.


#9

Sorry about that folks, we just shipped a fix for a bug in this flow. So you can try again now.


#10

Thanks for the fix,

I’m getting further now: after user authorizes the request via the github UI, we are getting redirected back to our callback url with a code and (valid) state.

However, when I try and POST to https://github.com/login/oauth/access_token to exchange the code for an access token, I am getting a 404. The only difference between the standard (working) OAuth flow here is the change to use the clientId/Secret from the Integration, along with setting the “Accept: application/vnd.github.machine-man-preview+json” header.

Is anyone else able to successfully use an Integration’s OAuth flow?

Thanks.
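The two callback shapes reported in posts #1 and #10 (an `error=access_denied` redirect and a `code` plus `state` redirect) can be told apart by a handler like the one below. It is an added example, not code from any poster or from GitHub; the function name, the result dictionary and the success URL are assumptions made for illustration, and the state check runs before either the error or the code is trusted.

```python
import hmac
from urllib.parse import urlsplit, parse_qs

# Callback URL as reported in post #1 (host redacted as YYYY by the poster).
DENIED_CALLBACK = (
    "http://YYYY?error=access_denied"
    "&error_description=The+user+has+denied+your+application+access."
    "&error_uri=https%3A%2F%2Fdeveloper.github.com%2Fv3%2Foauth%2F%23access-denied"
    "&state=qXQVh2Xldx5wEEfvbOlh1IZanNAjfo62"
)
# Constructed success callback; the code value is a placeholder.
SUCCESS_CALLBACK = (
    "http://YYYY?code=constructed-code-123"
    "&state=qXQVh2Xldx5wEEfvbOlh1IZanNAjfo62"
)
EXPECTED_STATE = "qXQVh2Xldx5wEEfvbOlh1IZanNAjfo62"  # value stored in the session


def parse_oauth_callback(callback_url, expected_state):
    """Classify an OAuth redirect (hypothetical helper, not a GitHub API)."""
    params = parse_qs(urlsplit(callback_url).query, keep_blank_values=True)

    def one(name):
        # A parameter that is missing or repeated is treated as absent.
        values = params.get(name, [])
        return values[0] if len(values) == 1 else None

    # Check state first, in constant time, so a forged redirect is rejected
    # before its error text or code is used anywhere.
    state = one("state")
    if state is None or not hmac.compare_digest(
        state.encode(), expected_state.encode()
    ):
        return {"status": "rejected", "reason": "state_mismatch"}

    error, code = one("error"), one("code")
    if error is not None and code is not None:
        return {"status": "rejected", "reason": "ambiguous_response"}
    if error is not None:
        return {"status": "error", "error": error,
                "description": one("error_description"),
                "error_uri": one("error_uri")}
    if code:
        return {"status": "authorized", "code": code}
    return {"status": "rejected", "reason": "missing_code"}
```
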


#11

> Is anyone else able to successfully use an Integration’s OAuth flow?

Nope. Same problem here (404 when fetching the access_token, the only difference being the credentials).


#12

The approval of the OAuth request works now, but indeed you get a 404 when you want to retrieve the access tokens.


#13

@keavy any news on a fix for the 404 error we are hitting?


#14

Waiting on the 404 fix as well.


#15

Aaaand that 404 is resolved now, thanks for your patience!


#16

Thanks @keavy! How can a user revoke the access token granted to the Integration via OAuth? For some reason my dev integration doesn’t show under my account’s “Authorized Applications”.


#17

It’s working now. Thanks @keavy


#18

Woohoo! Thanks a lot @keavy!

