
GraphQL rate limits documentation mentions an unavailable authentication method #34114

Status: Open · Fs00 opened this issue Jul 27, 2024 · 7 comments

Labels: content (This issue or pull request belongs to the Docs Content team); graphql (Content related to GraphQL); help wanted (Anyone is welcome to open a pull request to fix this issue); SME reviewed (An SME has reviewed this issue/PR)

Comments

@Fs00 (Contributor) commented Jul 27, 2024

What article on docs.github.com is affected?

https://docs.github.com/en/graphql/overview/rate-limits-and-node-limits-for-the-graphql-api

What part(s) of the article would you like to see updated?

The article includes the following sentence when detailing primary rate limits for each authentication method:

For OAuth apps: 5,000 points per hour, or 10,000 points per hour if the app is owned by a GitHub Enterprise Cloud organization. This only applies when the app uses their client ID and client secret to request public data.

However, authentication via client ID + client secret for OAuth apps appears not to be available for the GraphQL API, as a user pointed out in octokit/auth-oauth-app.js#46. I also got the same result when trying via curl.

If the quoted sentence refers to the aforementioned client ID + client secret basic authentication mechanism (which, to my knowledge, is only available for the REST API), it probably shouldn't be there.
If that's not the case, it's unclear which authentication method it refers to.

Fs00 added the "content" label (This issue or pull request belongs to the Docs Content team) on Jul 27, 2024.
github-actions bot added the "triage" label (Do not begin working on this issue until triaged by the team) on Jul 27, 2024.
nguyenalex836 added the "graphql" (Content related to GraphQL) and "waiting for review" (Issue/PR is waiting for a writer's review) labels and removed the "triage" label on Jul 29, 2024.
@nguyenalex836 (Contributor) commented:

@Fs00 Thank you for opening an issue! I'll get this triaged for review ✨

felicitymay added the "needs SME" label (This proposal needs review from a subject matter expert) on Aug 22, 2024.

Contributor commented:

Thanks for opening an issue! We've triaged this issue for technical review by a subject matter expert 👀

nguyenalex836 added the "SME reviewed" label (An SME has reviewed this issue/PR) and removed the "waiting for review" and "needs SME" labels on Aug 27, 2024.

@nguyenalex836 (Contributor) commented:

@Fs00 Thank you for your patience while our team reviewed! ✨ After reviewing your issue, our engineering team provided the following response:

I took a look at our documentation and I don’t see any exclusions for OAuth for GraphQL: https://thehub.github.com/epd/engineering/dev-practicals/secure-coding/secure-coding-general/auth-on-api/#enforcing-oauth-tok[…]s-on-the-graphql-api, which means it should work for both the REST API and GraphQL.
However, the organization needs to approve each OAuth app (https://docs.github.com/en/organizations/managing-oauth-access-to-your-organizations-data/about-oauth-app-access-restrictions#about-oau[…]strictions) unless those restrictions were disabled manually:
When you create a new organization, OAuth app access restrictions are enabled by default. Organization owners can disable OAuth app access restrictions at any time.
Could this be the case for the customers who mentioned that they cannot authorize their apps?

Please let us know if you have any thoughts regarding our engineering team's response, especially regarding the statement "When you create a new organization, OAuth app access restrictions are enabled by default." Thank you! 💛

@Fs00 (Contributor, Author) commented Aug 29, 2024

Hello @nguyenalex836.
I appreciate your efforts; however, I don't think that the above response answers my question. I'm aware of the existence of OAuth app restrictions for organizations, but they don't seem to be at play here: the query in the Octokit issue I mentioned earlier does not fetch any organization data; it just tries to access a public user profile's data.

My question is all about the (in-)ability to authenticate to the GraphQL API via OAuth client ID + client secret without any sort of token or user authentication, as it can be done with the REST API.
As far as I know, GH docs don't clearly state whether this is possible or not, and the only "official" piece of information we have (the paragraph I quoted in the issue) appears to conflict with what users actually experience.

@AlenaSviridenko (Contributor) commented:

Hi @Fs00,
thank you for your report! I took a look on behalf of the engineering team, and yes, you pointed it out correctly: for GraphQL requests, basic auth with only the OAuth client ID and client secret is not enough. I apologize for the initial confusion; we will work on adjusting the docs to make it clear.

@Fs00 (Contributor, Author) commented Sep 3, 2024

Thank you for the clarification @AlenaSviridenko!

nguyenalex836 added the "help wanted" label (Anyone is welcome to open a pull request to fix this issue) on Sep 3, 2024.

@nguyenalex836 (Contributor) commented:

@AlenaSviridenko Thank you for providing that clarification! 💛
@Fs00 Thank you as well for continuing to advocate for fixing the doc's discrepancy! ✨

I took a look on behalf of the engineering team, and yes, you pointed it out correctly: for GraphQL requests, basic auth with only the OAuth client ID and client secret is not enough.

I've added the help wanted label to this issue so that anyone in the community may open a PR to update this doc.
