When performing authorization with the GitHub OAuth API, users are redirected back to a certain application with a temporary code parameter.
The temporary code parameter can be exchanged for an access token by sending a POST request to https://github.com/login/oauth/access_token, as mentioned in the API reference.
The response from that endpoint contains the access token as well as its scopes. With that said, consider the following flow:
- User authorizes GitHub OAuth with basic scopes
- GitHub OAuth returns temporary code
- Temporary code is retrieved for an access token
- (Incremental authorization case) The user wants to access a feature from my product that requires repository scopes; the application will then need to signal to the user that authorization needs to be performed again with the previously granted scopes plus the additional ones
Based on the last step, in order to signal to the user that authorization is required again, it would be necessary to perform a diff between the scopes that were already granted and contained in the access token and the ones that are needed now.
Are there other API routes that could be accessed to get more info about the access token for that user? As another reference, the OAuth spec refers to this as a "Token Introspection Endpoint": https://datatracker.ietf.org/doc/html/rfc7662
In GitHub's OAuth API, there is no built-in Token Introspection Endpoint as specified in RFC 7662 to directly fetch details about an access token.
However, you can gather some information by hitting the https://api.github.com/user endpoint. When you make this API call with the access token in the `Authorization` header, the response will include an `X-OAuth-Scopes` header. This header contains a comma-separated list of scopes that the token has been granted. To find the difference between granted scopes and required scopes for your application, you'll have to do a manual comparison (diff) between the two sets.
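A small check along those lines, added here as an example rather than code from the question or the answer: it parses the `X-OAuth-Scopes` header, treats a missing or empty header as "no scopes granted", and accounts for broader scopes covering narrower ones (the parent-to-child map is a deliberately partial assumption drawn from GitHub's scope documentation). The function that actually calls the `/user` endpoint is included for completeness but is not exercised here.

```python
import urllib.request

# Partial map of broad GitHub OAuth scopes to the narrower scopes they imply,
# so that a token holding `repo` is accepted when `public_repo` is required.
# Assumption: this map is intentionally incomplete; extend it for your needs.
IMPLIED_SCOPES = {
    "repo": {"repo:status", "repo_deployment", "public_repo", "repo:invite", "security_events"},
    "user": {"read:user", "user:email", "user:follow"},
    "admin:org": {"write:org", "read:org"},
    "write:org": {"read:org"},
}


def parse_oauth_scopes(header_value):
    """Parse an X-OAuth-Scopes header value into a set of scope names.
    A missing header (None) or an empty value means no scopes were granted."""
    if not header_value:
        return set()
    return {s.strip() for s in header_value.split(",") if s.strip()}


def expand_scopes(scopes):
    """Return the scopes plus everything they transitively imply."""
    expanded = set(scopes)
    pending = list(scopes)
    while pending:
        for implied in IMPLIED_SCOPES.get(pending.pop(), ()):
            if implied not in expanded:
                expanded.add(implied)
                pending.append(implied)
    return expanded


def missing_scopes(granted_header, required):
    """Diff the required scopes against the granted ones; a non-empty result
    means the user must be sent through the authorization flow again."""
    granted = expand_scopes(parse_oauth_scopes(granted_header))
    return sorted(set(required) - granted)


def fetch_granted_scopes_header(token):
    """GET https://api.github.com/user and return the X-OAuth-Scopes header."""
    req = urllib.request.Request(
        "https://api.github.com/user",
        headers={"Authorization": f"Bearer {token}", "Accept": "application/vnd.github+json"},
    )
    with urllib.request.urlopen(req) as resp:
        return resp.headers.get("X-OAuth-Scopes")


if __name__ == "__main__":
    # Constructed header value standing in for a real API response.
    print(missing_scopes("read:user, user:email", {"read:user", "repo"}))  # -> ['repo']
```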