GitHub OAuth Client ID
Service Name: GitHub
Service Description: GitHub is a web-based platform for version control and collaboration that enables developers to store, manage, and track changes to their code repositories. OAuth Client IDs are used to authenticate applications that integrate with GitHub's API.
Service Address: https://github.com
Validation Type: API Auth
IP Allow list: IP restrictions can be configured at the organization level with GitHub Enterprise or through GitHub Apps settings.
Secret Access Scope: Grants an application the ability to authenticate with GitHub's API on behalf of users, with access determined by the OAuth scopes requested during authorization.
Secret Revokement URL: https://github.com/settings/applications
Secret Example: a1b2c3d4e5f6g7h8i9j0
Suspicious Activity Investigation Instructions:
- Review the OAuth application settings in GitHub to check authorized scopes and recent access.
- Check GitHub audit logs for unusual authentication patterns or access from unfamiliar locations.
- Verify if there are any unexpected OAuth authorizations in user accounts.
- Monitor repository activity for unauthorized commits or access.
- Review webhook configurations for any unauthorized data exfiltration.
Mitigation Instructions:
- Navigate to GitHub Settings > Developer settings > OAuth Apps.
- Locate the compromised OAuth application and click on it.
- Click "Delete application" at the bottom of the page and confirm deletion.
-
Alternatively, regenerate the client secret without deleting the application.
-
Review all repositories and organization settings for any unauthorized changes.
- Consider enabling two-factor authentication for all organization members.
- Implement IP allow lists for your GitHub organization if using GitHub Enterprise.
- Review and potentially revoke user access tokens that may have been generated using the compromised client ID.