Remove/revoke GitHub OAuth 'access_token'

I am using GitHub's API to generate an access token for the user (mobile app), using this tutorial:

I am using a built-in webpage so the user can log in with username and password. After that, the user receives an access_token that can be used to access GitHub scopes (in my case, profile info).

The response:

{"access_token":"1234token1234", "scope":"user", "token_type":"bearer"}

But when the user logs out of the app, I want to delete/revoke this token. How can I do that?

I only found this answer here:

Revoking OAuth Access Token Results in 404 Not Found

But it is from 2013, and it is not working.

Any ideas on how to solve this? (Sorry for the English guys, Brazilian guy here o/)



Solution 1:[1]

For future people seeking the same answer, I contacted GitHub support and they helped me solve my problem.

Deleting/revoking an access_token:

This is handled using the Client ID, and the Client Secret tied to the OAuth application:

curl \
  -X DELETE \
  -H "Accept: application/vnd.github.v3+json" \
  -u CLIENT_ID:CLIENT_SECRET \
  https://api.github.com/applications/CLIENT_ID/token \
  -d '{"access_token":"ACCESS_TOKEN"}'

More detailed explanation: https://docs.github.com/en/rest/apps/oauth-applications#delete-an-app-authorization

Watch the URL suffix for the difference between /grant and /token (see the docs).

The access token will still allow you to fetch public information via the /user request, but any attempts to access restricted or private content will return an authorization error.
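The same revocation call as a small helper, given here as an added example that is not part of the original answer. It assumes the code runs on a backend that holds the client secret, so the secret is never shipped inside the mobile app; the function names `build_revoke_request` and `revoke` are hypothetical.

```python
import base64
import json
import urllib.error
import urllib.request

API = "https://api.github.com"


def build_revoke_request(client_id, client_secret, access_token, kind="token"):
    """Build the DELETE request for /applications/{client_id}/token or /grant.

    kind="token" revokes only this access token; kind="grant" removes the
    user's whole authorization of the app, including all of its tokens.
    """
    if kind not in ("token", "grant"):
        raise ValueError("kind must be 'token' or 'grant'")
    # Basic auth with the OAuth app's own credentials, the same as curl -u.
    basic = base64.b64encode(f"{client_id}:{client_secret}".encode()).decode()
    return urllib.request.Request(
        f"{API}/applications/{client_id}/{kind}",
        data=json.dumps({"access_token": access_token}).encode(),
        method="DELETE",
        headers={
            "Accept": "application/vnd.github.v3+json",
            "Authorization": f"Basic {basic}",
            "Content-Type": "application/json",
        },
    )


def revoke(client_id, client_secret, access_token, kind="token",
           send=urllib.request.urlopen):
    """Send the revocation; return True only on HTTP 204 No Content.

    `send` is injectable so the logic can be exercised without network access.
    """
    req = build_revoke_request(client_id, client_secret, access_token, kind)
    try:
        with send(req, timeout=10) as resp:
            return resp.status == 204
    except urllib.error.HTTPError:
        # A 4xx/5xx response means this call did not revoke the token;
        # the logout path should log it and retry rather than assume success.
        return False
```

On logout the app would ask the backend to call `revoke(...)` for the user's token, then discard its local copy regardless of the result.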

Solution 2:[2]

<meta-data android:value="key_value" android:name="api_key"></meta-data> https://www.androidauthority.com/how-to-hide-your-api-key-in-android-600583/

A good reference is: https://gist.github.com/DomDerrien/1009626

This is how I'd add it in Java... Personally, I wouldn't commit my API or auth tokens if I were sending it out.

Sources

This article follows the attribution requirements of Stack Overflow and is licensed under CC BY-SA 3.0.

Source: Stack Overflow

Solution Source
Solution 1 Tomáš Hübelbauer
Solution 2