I'm not 100% sure, but as far as I can tell, at the moment the GitHub OAuth2 flow is generating long-lived tokens. It would be nice to have the ability to use short-lived credentials + refresh tokens. That flow appears to already be mandatory for BitBucket; it would be nice to have that as at least an option for GitHub as well.
Short-lived OAuth tokens with refresh tokens are more secure than long-lived tokens because if your token gets exfiltrated then it'll expire quickly, and if the attacker uses the refresh token then you should at least be able to detect that quickly. I'm sure long-lived tokens are fine for many situations, but for organizations which are more paranoid, or where the risk of exposure is higher (e.g. situations where developers are logging in from a shared machine) it would be helpful to have the ability to enforce that higher level of security.
Implementation-wise this should be pretty straightforward, since it's already supported for BitBucket and GitLab, though it might require making a separate client secret for GCM in this mode, since it looks from the docs like GitHub's configuration on whether OAuth credentials are short-lived or not is on a per-application basis.
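The two halves of the flow the issue asks for, as an added example that is not GCM's, GitHub's or the reporter's code: a constructed token server that issues short-lived access tokens, rotates the refresh token on every use and logs reuse of a spent refresh token as the detection signal described above, beside a client-side credential store that refreshes just before expiry. The 2-hour lifetime, the `family` grouping and the 60-second skew are assumptions for the demonstration.

```python
import secrets
from dataclasses import dataclass

# Constructed stand-in for an OAuth provider's token endpoint (not GitHub's or
# GCM's code): short-lived access tokens, refresh-token rotation, and reuse of a
# spent refresh token treated as a replay (token family revoked, event logged).
class TokenServer:
    def __init__(self, access_ttl: int = 7200):   # 2 h, as the GitLab comment notes
        self.access_ttl = access_ttl
        self.family_of: dict[str, str] = {}      # every refresh token ever issued
        self.active: set[str] = set()            # refresh tokens not yet spent
        self.revoked: set[str] = set()           # families killed after a reuse
        self.reuse_events: list[str] = []        # audit trail for detection

    def _issue(self, now: float, family: str) -> dict:
        refresh = secrets.token_urlsafe(16)
        self.family_of[refresh] = family
        self.active.add(refresh)
        return {"access_token": secrets.token_urlsafe(16),
                "expires_at": now + self.access_ttl, "refresh_token": refresh}

    def login(self, now: float) -> dict:
        return self._issue(now, family=secrets.token_hex(4))

    def refresh(self, refresh_token: str, now: float) -> dict:
        family = self.family_of.get(refresh_token)
        if family is None:
            raise PermissionError("unknown refresh token")
        if refresh_token not in self.active or family in self.revoked:
            self.reuse_events.append(refresh_token)   # replay of a spent token
            self.revoked.add(family)                  # both holders must re-auth
            raise PermissionError("refresh token reuse detected")
        self.active.discard(refresh_token)
        return self._issue(now, family)

@dataclass
class Credential:
    access_token: str
    expires_at: float
    refresh_token: str

class CredentialStore:
    """Client side: serves the access token, refreshing shortly before expiry."""
    def __init__(self, server: TokenServer, skew: float = 60.0):
        self.server, self.skew, self.cred, self.refresh_count = server, skew, None, 0
    def login(self, now: float) -> None:
        self.cred = Credential(**self.server.login(now))
    def access_token(self, now: float) -> str:
        if now >= self.cred.expires_at - self.skew:   # expired or about to expire
            self.cred = Credential(**self.server.refresh(self.cred.refresh_token, now))
            self.refresh_count += 1
        return self.cred.access_token
```

A replayed refresh token ends up in `reuse_events` and invalidates the whole family, so the legitimate client is pushed back to interactive login rather than silently sharing the session with whoever copied the token.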
Interestingly, GitLab recently removed non-expiring access tokens. This is a breaking change for apps which don't support the refresh flow -- users would have to reauthenticate every 2 hours.