PyGithub
diff --git a/‎doc/examples/Authentication.rst‎
Lines changed: 30 additions & 0 deletions b/‎doc/examples/Authentication.rst‎
Lines changed: 30 additions & 0 deletions
diff --git a/‎github/AccessToken.py‎
Lines changed: 73 additions & 0 deletions b/‎github/AccessToken.py‎
Lines changed: 73 additions & 0 deletions
diff --git a/‎github/AccessToken.pyi‎
Lines changed: 16 additions & 1 deletion b/‎github/AccessToken.pyi‎
Lines changed: 16 additions & 1 deletion
diff --git a/‎github/ApplicationOAuth.py‎
Lines changed: 65 additions & 11 deletions b/‎github/ApplicationOAuth.py‎
Lines changed: 65 additions & 11 deletions
diff --git a/‎github/ApplicationOAuth.pyi‎
Lines changed: 15 additions & 4 deletions b/‎github/ApplicationOAuth.pyi‎
Lines changed: 15 additions & 4 deletions
@@ -65,3 +65,33 @@ expiration timeout. The access token is refreshed automatically.
     >>> g = Github(auth=auth)
     >>> g.get_repo("user/repo").name
     'repo'
+
+App user authentication
+-----------------------
+
+A Github App can authenticate on behalf of a user. For this, the user has to `generate a user access token for a Github App <https://docs.github.com/en/apps/creating-github-apps/authenticating-with-a-github-app/authenticating-with-a-github-app-on-behalf-of-a-user>`__.
+This process completes with a one-time ``code``. Together with the ``client_id`` and ``client_secret`` of the app,
+a Github App user token can be generated once:
+
+    >>> g = Github()
+    >>> app = g.get_oauth_application(client_id, client_secret)
+    >>> token = app.get_access_token(code)
+
+Memorize the ``token.refresh_token``, as only this can be used to create new tokens for this user.
+The ``token.token`` expires 8 hours, and the ``token.refresh_token`` expires 6 months after creation.
+
+A token can be refreshed as follows. This invalidates the old token and old refresh token, and creates
+a new set of token and refresh tokens:
+
+    >>> g = Github()
+    >>> app = g.get_oauth_application(client_id, client_secret)
+    >>> token = app.refresh_access_token(refresh_token)
+
+You can authenticate with Github using this token:
+
+   >>> auth = app.get_app_user_auth(token)
+   >>> g = Github(auth=auth)
+   >>> g.get_user().login
+   'user_login'
+
+The ``auth`` instance will refresh the token automatically when ``auth.token`` is accessed.
@@ -20,6 +20,8 @@
 #                                                                              #
 ################################################################################
 
+from datetime import datetime, timedelta
+
 import github.GithubObject
 
 
@@ -34,6 +36,11 @@ def __repr__(self):
                 "token": f"{self.token[:5]}...",
                 "scope": self.scope,
                 "type": self.type,
+                "expires_in": self.expires_in,
+                "refresh_token": (
+                    f"{self.refresh_token[:5]}..." if self.refresh_token else None
+                ),
+                "refresh_token_expires_in": self.refresh_expires_in,
             }
         )
 
@@ -58,15 +65,81 @@ def scope(self):
         """
         return self._scope.value
 
+    @property
+    def created(self):
+        """
+        :type: datetime
+        """
+        return self._created
+
+    @property
+    def expires_in(self):
+        """
+        :type: Optional[int]
+        """
+        if self._expires_in is not github.GithubObject.NotSet:
+            return self._expires_in.value
+        return None
+
+    @property
+    def expires_at(self):
+        """
+        :type: Optional[datetime]
+        """
+        seconds = self.expires_in
+        if seconds is not None:
+            return self._created + timedelta(seconds=seconds)
+        return None
+
+    @property
+    def refresh_token(self):
+        """
+        :type: Optional[string]
+        """
+        if self._refresh_token is not github.GithubObject.NotSet:
+            return self._refresh_token.value
+        return None
+
+    @property
+    def refresh_expires_in(self):
+        """
+        :type: Optional[int]
+        """
+        if self._refresh_expires_in is not github.GithubObject.NotSet:
+            return self._refresh_expires_in.value
+        return None
+
+    @property
+    def refresh_expires_at(self):
+        """
+        :type: Optional[datetime]
+        """
+        seconds = self.refresh_expires_in
+        if seconds is not None:
+            return self._created + timedelta(seconds=seconds)
+        return None
+
     def _initAttributes(self):
         self._token = github.GithubObject.NotSet
         self._type = github.GithubObject.NotSet
         self._scope = github.GithubObject.NotSet
+        self._expires_in = github.GithubObject.NotSet
+        self._refresh_token = github.GithubObject.NotSet
+        self._refresh_expires_in = github.GithubObject.NotSet
 
     def _useAttributes(self, attributes):
+        self._created = datetime.utcnow()
         if "access_token" in attributes:  # pragma no branch
             self._token = self._makeStringAttribute(attributes["access_token"])
         if "token_type" in attributes:  # pragma no branch
             self._type = self._makeStringAttribute(attributes["token_type"])
         if "scope" in attributes:  # pragma no branch
             self._scope = self._makeStringAttribute(attributes["scope"])
+        if "expires_in" in attributes:  # pragma no branch
+            self._expires_in = self._makeIntAttribute(attributes["expires_in"])
+        if "refresh_token" in attributes:  # pragma no branch
+            self._refresh_token = self._makeStringAttribute(attributes["refresh_token"])
+        if "refresh_token_expires_in" in attributes:  # pragma no branch
+            self._refresh_expires_in = self._makeIntAttribute(
+                attributes["refresh_token_expires_in"]
+            )
@@ -1,5 +1,7 @@
-from typing import Any, Dict
+import datetime
+from typing import Any, Dict, Optional
 
+from github.Auth import AppUserAuth
 from github.GithubObject import NonCompletableGithubObject
 
 class AccessToken(NonCompletableGithubObject):
@@ -12,3 +14,16 @@ class AccessToken(NonCompletableGithubObject):
     def type(self) -> str: ...
     @property
     def scope(self) -> str: ...
+    @property
+    def created(self) -> datetime.datetime: ...
+    @property
+    def expires_in(self) -> Optional[int]: ...
+    @property
+    def expires_at(self) -> Optional[datetime.datetime]: ...
+    @property
+    def refresh_token(self) -> Optional[str]: ...
+    @property
+    def refresh_expires_in(self) -> Optional[int]: ...
+    @property
+    def refresh_expires_at(self) -> Optional[datetime.datetime]: ...
+    def as_app_user_auth(self) -> AppUserAuth: ...
@@ -1,6 +1,7 @@
 ############################ Copyrights and license ###########################
 #                                                                             #
 # Copyright 2019 Rigas Papathanasopoulos <[email protected]>               #
+# Copyright 2023 Enrico Minack <[email protected]>                     #
 #                                                                             #
 # This file is part of PyGithub.                                              #
 # http://pygithub.readthedocs.io/                                             #
@@ -96,21 +97,74 @@ def get_access_token(self, code, state=None):
         if state is not None:
             post_parameters["state"] = state
 
-        headers, data = self._requester.requestJsonAndCheck(
-            "POST",
-            "https://github.com/login/oauth/access_token",
-            headers={
-                "Accept": "application/json",
-                "Content-Type": "application/json",
-                "User-Agent": "PyGithub/Python",
-            },
-            input=post_parameters,
+        headers, data = self._checkError(
+            *self._requester.requestJsonAndCheck(
+                "POST",
+                "https://github.com/login/oauth/access_token",
+                headers={"Accept": "application/json"},
+                input=post_parameters,
+            )
         )
 
         return AccessToken(
             requester=self._requester,
-            # not required, this is a NonCompletableGithubObject
-            headers={},
+            headers=headers,
             attributes=data,
             completed=False,
         )
+
+    def get_app_user_auth(self, token):
+        """
+        :param token: AccessToken
+        """
+        # imported here to avoid circular import
+        from github.Auth import AppUserAuth
+
+        return AppUserAuth(
+            client_id=self.client_id,
+            client_secret=self.client_secret,
+            token=token.token,
+            token_type=token.type,
+            expires_at=token.expires_at,
+            refresh_token=token.refresh_token,
+            refresh_expires_at=token.refresh_expires_at,
+            requester=self._requester,
+        )
+
+    def refresh_access_token(self, refresh_token):
+        """
+        :calls: `POST /login/oauth/access_token <https://docs.github.com/en/developers/apps/identifying-and-authorizing-users-for-github-apps>`_
+        :param refresh_token: string
+        """
+        assert isinstance(refresh_token, str)
+        post_parameters = {
+            "client_id": self.client_id,
+            "client_secret": self.client_secret,
+            "grant_type": "refresh_token",
+            "refresh_token": refresh_token,
+        }
+
+        headers, data = self._checkError(
+            *self._requester.requestJsonAndCheck(
+                "POST",
+                "https://github.com/login/oauth/access_token",
+                headers={"Accept": "application/json"},
+                input=post_parameters,
+            )
+        )
+
+        return AccessToken(
+            requester=self._requester,
+            headers=headers,
+            attributes=data,
+            completed=False,
+        )
+
+    @staticmethod
+    def _checkError(headers, data):
+        if isinstance(data, dict) and "error" in data:
+            if data["error"] == "bad_verification_code":
+                raise github.BadCredentialsException(200, data, headers)
+            raise github.GithubException(200, data, headers)
+
+        return headers, data
@@ -1,8 +1,8 @@
-from typing import Any, Dict, Optional
+from typing import Any, Dict, Optional, Tuple
 
 from github.AccessToken import AccessToken
 from github.GithubObject import NonCompletableGithubObject
-from github.Requester import Requester
+from github.Auth import AppUserAuth
 
 class ApplicationOAuth(NonCompletableGithubObject):
     def __repr__(self) -> str: ...
@@ -13,6 +13,17 @@ class ApplicationOAuth(NonCompletableGithubObject):
     @property
     def client_secret(self) -> str: ...
     def get_login_url(
-        self, redirect_uri: Optional[str], state: Optional[str], login: Optional[str]
+        self,
+        redirect_uri: Optional[str] = ...,
+        state: Optional[str] = ...,
+        login: Optional[str] = ...,
     ) -> str: ...
-    def get_access_token(self, code: str, state: Optional[str]) -> AccessToken: ...
+    def get_access_token(
+        self, code: str, state: Optional[str] = ...
+    ) -> AccessToken: ...
+    def get_app_user_auth(self, token: AccessToken) -> AppUserAuth: ...
+    def refresh_access_token(self, refresh_token: str) -> AccessToken: ...
+    @staticmethod
+    def _checkError(
+        header: Dict[str, Any], data: Optional[Dict[str, Any]]
+    ) -> Tuple[Dict[str, Any], Optional[Dict[str, Any]]]: ...