I'm working on an application that integrates with GitHub and am having issues "logging out" a user that was previously authenticated. When I attempt to revoke the authorization token for the user, I get a 404 Not Found response from the API.
According to the documentation, it looks like I should just be able to make a DELETE request to https://api.github.com/authorizations/[authTokenId]. I have tried a couple of different things including:
- Ensuring the Authorization header is set with the current auth token
- Ensuring the UserAgent header is set with what I use for the rest of the API calls
Nothing seems to result in anything but a 404 though. I have validated that the token is valid and that the Id matches what is expected (id property from the authorization response and from the "check an authorization" response as well). Anyone have another thought on something I could be missing?
Looks like currently you need to include a basic authentication header (including a base64 encoded string of your username/password).
Not ideal for my purposes since I want to revoke the token when a user "logs out" of my application and I don't want to store their username/password. I've sent GitHub support an email about it to see if they have any other ideas.
GitHub support has stated that the above is expected at this juncture, but they are considering updating to allow revoking an authorization using the authorization as the means of authentication.
For now I'm going to require the user to enter their username/password a second time to revoke the authorization.
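The request described in the answer, as an added example that is not part of the original posts: a DELETE to the authorizations endpoint carrying a Basic header, with the password prompted for at logout instead of being stored. The function names and sample values are hypothetical, and the code assumes the endpoint behaves as described in this thread.

```python
import base64
import getpass
import urllib.request

API_ROOT = "https://api.github.com"  # endpoint root as given in the question


def basic_auth_header(username: str, password: str) -> str:
    """Build the HTTP Basic value: base64 of "username:password"."""
    raw = f"{username}:{password}".encode("utf-8")
    return "Basic " + base64.b64encode(raw).decode("ascii")


def build_revoke_request(auth_id: int, username: str, password: str,
                         user_agent: str) -> urllib.request.Request:
    """Construct DELETE /authorizations/<id> with Basic credentials.

    Nothing is sent here; the request object is only built.
    """
    return urllib.request.Request(
        f"{API_ROOT}/authorizations/{auth_id}",
        method="DELETE",
        headers={
            "Authorization": basic_auth_header(username, password),
            "User-Agent": user_agent,
        },
    )


def revoke_on_logout(auth_id: int, username: str, user_agent: str) -> int:
    """Prompt for the password at logout, send the DELETE, return the status.

    The password exists only inside this call and is never written to disk.
    urlopen raises HTTPError for the 404 described in the question.
    """
    password = getpass.getpass(f"GitHub password for {username}: ")
    req = build_revoke_request(auth_id, username, password, user_agent)
    with urllib.request.urlopen(req, timeout=10) as resp:
        return resp.status


if __name__ == "__main__":
    # Constructed sample values, not real credentials or a real authorization id.
    req = build_revoke_request(12345, "octo-user", "s3cret-example", "my-app/1.0")
    print(req.get_method(), req.full_url)
    print(req.get_header("Authorization"))
```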