|
| 1 | +--- |
| 2 | +kind:change |
| 3 | +title:"Recommendation: Reset OAuth authorizations" |
| 4 | +created_at:2014-04-08 |
| 5 | +author_name:pengwynn |
| 6 | +--- |
| 7 | + |
| 8 | +As[announced earlier today][heartbleed-blog-post], we are actively responding |
| 9 | +to the recently-disclosed[Heartbleed security |
| 10 | +vulnerability][heartbleed-blog-post] in OpenSSL. While at this time GitHub has |
| 11 | +no indication that the attack has been used beyond testing the vulnerability, we |
| 12 | +recommend that integrators[reset the API authorizations][api] for their OAuth |
| 13 | +applications. |
| 14 | + |
| 15 | +We've added a[new API method][api] for this exact purpose. Calling this method |
| 16 | +will invalidate the old token and return a new token for applications to store |
| 17 | +and use in its place. This new method provides a safe way to reset user |
| 18 | +authorizations without requiring users to re-authorize the application on the |
| 19 | +web. |
| 20 | + |
| 21 | +Integrators can also use the existing revocation methods to[revoke all |
| 22 | +tokens][] or[revoke a single token][] for their applications. |
| 23 | + |
| 24 | +If you have any questions or feedback, please[get in touch][contact]. |
| 25 | + |
| 26 | +[contact]:https://github.com/contact?form[subject]=API+resetting+tokens |
| 27 | +[api]:/v3/oauth_authorizations/#reset-an-authorization |
| 28 | +[revoke all tokens]:/v3/oauth_authorizations/#revoke-all-authorizations-for-an-application |
| 29 | +[revoke a single token]:/v3/oauth_authorizations/#revoke-an-authorization-for-an-application |
| 30 | +[heartbleed-blog-post]:https://github.com/blog/1818-security-heartbleed-vulnerability |
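Review bot: The reset paragraph ("Calling this method will invalidate the old token and return a new token for applications to store and use in its place") should spell out the ordering an integrator has to get right: the old token stops working as soon as the call succeeds, so the new token must be persisted before the old one is discarded, and a failure between the call and the write leaves that user with no valid token and no way to recover short of re-authorizing. A sentence such as "Store the returned token before discarding the old one; if the call fails, keep the existing token and retry" would prevent the most likely integration mistake. The post also only covers user tokens; since the same disclosure could have exposed an application's own credentials, it would be worth a line telling integrators to consider rotating their OAuth application's client secret as well, or stating explicitly that this is out of scope. Finally, the link references are run into the preceding word throughout ("As[announced earlier today]", "recently-disclosed[Heartbleed security", "integrators[reset the API authorizations]", "added a[new API method]", "to[revoke all", "or[revoke a single token]", "please[get in touch]"); each needs a space before the opening bracket or the rendered text reads as one word.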