diff --git a/Dockerfile b/Dockerfile index d3a34d67428f..8db3546ebf73 100644 --- a/Dockerfile +++ b/Dockerfile @@ -8,7 +8,7 @@ # --------------------------------------------------------------- # To update the sha: # https://github.com/github/gh-base-image/pkgs/container/gh-base-image%2Fgh-base-noble -FROM ghcr.io/github/gh-base-image/gh-base-noble:20250711-151843-g9ff1d29c5 AS base +FROM ghcr.io/github/gh-base-image/gh-base-noble:20250711-165924-g6f92253c7 AS base # Install curl for Node install and determining the early access branch # Install git for cloning docs-early-access & translations repos diff --git a/content/actions/concepts/runners/about-runner-scale-sets.md b/content/actions/concepts/runners/about-runner-scale-sets.md new file mode 100644 index 000000000000..5af04b7443c7 --- /dev/null +++ b/content/actions/concepts/runners/about-runner-scale-sets.md 
@@ -0,0 +1,32 @@ +--- +title: About runner scale sets +shortTitle: Runner scale sets +intro: 'Learn about what a runner scale set is and how they can interact with the {% data variables.product.prodname_actions_runner_controller %}.' +layout: inline +versions: + fpt: '*' + ghec: '*' + ghes: '*' +type: overview +topics: + - Actions Runner Controller +--- + +[Legal notice](#legal-notice) + +## About runner scale sets + +A runner scale set is a group of homogeneous runners that can be assigned jobs from {% data variables.product.prodname_actions %}. The number of active runners owned by a runner scale set can be controlled by auto-scaling runner solutions such as {% data variables.product.prodname_actions_runner_controller %} (ARC). + +You can use runner groups to manage runner scale sets. Similar to self-hosted runners, you can add runner scale sets to existing runner groups. However, runner scale sets can belong to only one runner group at a time and can only have one label assigned to them. + +To assign jobs to a runner scale set, you must configure your workflow to reference the runner scale set’s name. For more information, see [AUTOTITLE](/actions/hosting-your-own-runners/managing-self-hosted-runners-with-actions-runner-controller/using-actions-runner-controller-runners-in-a-workflow). + +## Legal notice + +{% data reusables.actions.actions-runner-controller-legal-notice %} + +## Next steps + +* For more information about the {% data variables.product.prodname_actions_runner_controller %} as a concept, see [AUTOTITLE](/actions/concepts/runners/about-actions-runner-controller). +* To learn about runner groups, see [AUTOTITLE](/actions/hosting-your-own-runners/managing-self-hosted-runners/managing-access-to-self-hosted-runners-using-groups). diff --git a/content/actions/concepts/runners/index.md b/content/actions/concepts/runners/index.md index 69259122a96b..31e9c4dc8b2e 100644 --- a/content/actions/concepts/runners/index.md 
+++ b/content/actions/concepts/runners/index.md @@ -12,6 +12,7 @@ children: - /about-private-networking-with-github-hosted-runners - /about-self-hosted-runners - /communicating-with-self-hosted-runners + - /about-runner-scale-sets - /about-actions-runner-controller - /about-support-for-actions-runner-controller --- diff --git a/content/actions/how-tos/hosting-your-own-runners/index.md b/content/actions/how-tos/hosting-your-own-runners/index.md index 0c553d87173b..b95201b340bd 100644 --- a/content/actions/how-tos/hosting-your-own-runners/index.md +++ b/content/actions/how-tos/hosting-your-own-runners/index.md @@ -18,7 +18,6 @@ versions: ghec: '*' children: - /managing-self-hosted-runners - - /managing-self-hosted-runners-with-actions-runner-controller --- {% data reusables.actions.enterprise-github-hosted-runners %} diff --git a/content/actions/how-tos/hosting-your-own-runners/managing-self-hosted-runners-with-actions-runner-controller/authenticating-to-the-github-api.md b/content/actions/tutorials/actions-runner-controller/authenticating-arc-to-the-github-api.md similarity index 95% rename from content/actions/how-tos/hosting-your-own-runners/managing-self-hosted-runners-with-actions-runner-controller/authenticating-to-the-github-api.md rename to content/actions/tutorials/actions-runner-controller/authenticating-arc-to-the-github-api.md index 27a91d24f251..43eeb8dc3fcb 100644 --- a/content/actions/how-tos/hosting-your-own-runners/managing-self-hosted-runners-with-actions-runner-controller/authenticating-to-the-github-api.md +++ b/content/actions/tutorials/actions-runner-controller/authenticating-arc-to-the-github-api.md 
@@ -1,7 +1,7 @@ --- -title: Authenticating to the GitHub API -shortTitle: Authenticating -intro: 'Learn how to authenticate to the {% data variables.product.company_short %} API to use {% data variables.product.prodname_actions_runner_controller %} with {% data variables.product.github %}.' +title: Authenticating ARC to the GitHub API +shortTitle: Authenticating to the API +intro: 'Learn how to authenticate {% data variables.product.prodname_actions_runner_controller %} to the {% data variables.product.company_short %} API.' versions: fpt: '*' ghec: '*' @@ -12,12 +12,11 @@ topics: defaultPlatform: linux redirect_from: - /actions/hosting-your-own-runners/managing-self-hosted-runners-with-actions-runner-controller/authenticating-to-the-github-api + - /actions/how-tos/hosting-your-own-runners/managing-self-hosted-runners-with-actions-runner-controller/authenticating-to-the-github-api#deploying-using-personal-access-token-classic-authentication --- [Legal notice](#legal-notice) -## Overview - You can authenticate {% data variables.product.prodname_actions_runner_controller %} (ARC) to the {% data variables.product.prodname_dotcom %} API by using a {% data variables.product.prodname_github_app %} or by using a {% data variables.product.pat_v1 %}. > [!NOTE] diff --git a/content/actions/how-tos/hosting-your-own-runners/managing-self-hosted-runners-with-actions-runner-controller/deploying-runner-scale-sets-with-actions-runner-controller.md b/content/actions/tutorials/actions-runner-controller/deploying-runner-scale-sets-with-actions-runner-controller.md similarity index 97% rename from content/actions/how-tos/hosting-your-own-runners/managing-self-hosted-runners-with-actions-runner-controller/deploying-runner-scale-sets-with-actions-runner-controller.md rename to content/actions/tutorials/actions-runner-controller/deploying-runner-scale-sets-with-actions-runner-controller.md index 032391003d51..bab7c04c57cd 100644 
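Review bot: The `redirect_from` entry added in the second hunk ends in `#deploying-using-personal-access-token-classic-authentication`, and a URL fragment is normally not sent to the server, so this entry probably never matches a request. The other renamed ARC articles in this commit add the plain old `how-tos` path, which is missing here, so the previous URL of this article may stop redirecting. I would list the path without the fragment, `- /actions/how-tos/hosting-your-own-runners/managing-self-hosted-runners-with-actions-runner-controller/authenticating-to-the-github-api`, unless the docs router is known to handle fragments in `redirect_from`.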
--- a/content/actions/how-tos/hosting-your-own-runners/managing-self-hosted-runners-with-actions-runner-controller/deploying-runner-scale-sets-with-actions-runner-controller.md
+++ b/content/actions/tutorials/actions-runner-controller/deploying-runner-scale-sets-with-actions-runner-controller.md
@@ -12,18 +12,11 @@ topics: defaultPlatform: linux redirect_from: - /actions/hosting-your-own-runners/managing-self-hosted-runners-with-actions-runner-controller/deploying-runner-scale-sets-with-actions-runner-controller + - /actions/how-tos/hosting-your-own-runners/managing-self-hosted-runners-with-actions-runner-controller/deploying-runner-scale-sets-with-actions-runner-controller --- [Legal notice](#legal-notice) -## About runner scale sets - -Runner scale sets is a group of homogeneous runners that can be assigned jobs from {% data variables.product.prodname_actions %}. The number of active runners owned by a runner scale set can be controlled by auto-scaling runner solutions such as {% data variables.product.prodname_actions_runner_controller %} (ARC). - -You can use runner groups to manage runner scale sets. Similar to self-hosted runners, you can add runner scale sets to existing runner groups. However, runner scale sets can belong to only one runner group at a time and can only have one label assigned to them. For more information on runner groups, see [AUTOTITLE](/actions/hosting-your-own-runners/managing-self-hosted-runners/managing-access-to-self-hosted-runners-using-groups). - -To assign jobs to a runner scale set, you must configure your workflow to reference the runner scale set's name. For more information, see [AUTOTITLE](/actions/hosting-your-own-runners/managing-self-hosted-runners-with-actions-runner-controller/using-actions-runner-controller-runners-in-a-workflow). - ## Deploying a runner scale set To deploy a runner scale set, you must have ARC up and running. For more information, see [AUTOTITLE](/actions/hosting-your-own-runners/managing-self-hosted-runners-with-actions-runner-controller/quickstart-for-actions-runner-controller). 
diff --git a/content/actions/how-tos/hosting-your-own-runners/managing-self-hosted-runners-with-actions-runner-controller/index.md b/content/actions/tutorials/actions-runner-controller/index.md similarity index 69% rename from content/actions/how-tos/hosting-your-own-runners/managing-self-hosted-runners-with-actions-runner-controller/index.md rename to content/actions/tutorials/actions-runner-controller/index.md index 4e728969b4ac..d8530c3a3292 100644 --- a/content/actions/how-tos/hosting-your-own-runners/managing-self-hosted-runners-with-actions-runner-controller/index.md +++ b/content/actions/tutorials/actions-runner-controller/index.md @@ -1,5 +1,5 @@ --- -title: Managing self-hosted runners with Actions Runner Controller +title: Actions Runner Controller shortTitle: Actions Runner Controller intro: You can host your own runners to run workflows in a highly customizable environment. versions: @@ -9,12 +9,13 @@ versions: topics: - Actions Runner Controller children: - - /authenticating-to-the-github-api + - /quickstart-for-actions-runner-controller + - /authenticating-arc-to-the-github-api - /deploying-runner-scale-sets-with-actions-runner-controller - /using-actions-runner-controller-runners-in-a-workflow - /troubleshooting-actions-runner-controller-errors redirect_from: - /actions/hosting-your-own-runners/managing-self-hosted-runners-with-actions-runner-controller + - /actions/how-tos/hosting-your-own-runners/managing-self-hosted-runners-with-actions-runner-controller --- -{% data reusables.actions.enterprise-github-hosted-runners %} diff --git a/content/actions/tutorials/quickstart-for-actions-runner-controller.md b/content/actions/tutorials/actions-runner-controller/quickstart-for-actions-runner-controller.md similarity index 99% rename from content/actions/tutorials/quickstart-for-actions-runner-controller.md rename to content/actions/tutorials/actions-runner-controller/quickstart-for-actions-runner-controller.md index b7a42996897a..d5f1b7b38d62 100644 
--- a/content/actions/tutorials/quickstart-for-actions-runner-controller.md +++ b/content/actions/tutorials/actions-runner-controller/quickstart-for-actions-runner-controller.md @@ -1,6 +1,6 @@ --- title: Quickstart for Actions Runner Controller -shortTitle: Actions Runner Controller +shortTitle: Quickstart intro: 'In this tutorial, you''ll try out the basics of {% data variables.product.prodname_actions_runner_controller %}.' versions: fpt: '*' @@ -12,6 +12,7 @@ topics: defaultPlatform: linux redirect_from: - /actions/hosting-your-own-runners/managing-self-hosted-runners-with-actions-runner-controller/quickstart-for-actions-runner-controller + - /actions/tutorials/quickstart-for-actions-runner-controller --- [Legal notice](#legal-notice) diff --git a/content/actions/how-tos/hosting-your-own-runners/managing-self-hosted-runners-with-actions-runner-controller/troubleshooting-actions-runner-controller-errors.md b/content/actions/tutorials/actions-runner-controller/troubleshooting-actions-runner-controller-errors.md similarity index 98% rename from content/actions/how-tos/hosting-your-own-runners/managing-self-hosted-runners-with-actions-runner-controller/troubleshooting-actions-runner-controller-errors.md rename to content/actions/tutorials/actions-runner-controller/troubleshooting-actions-runner-controller-errors.md index 3d7a08ce64da..870a8d9a953f 100644 --- a/content/actions/how-tos/hosting-your-own-runners/managing-self-hosted-runners-with-actions-runner-controller/troubleshooting-actions-runner-controller-errors.md +++ b/content/actions/tutorials/actions-runner-controller/troubleshooting-actions-runner-controller-errors.md 
@@ -11,6 +11,7 @@ topics: - Actions Runner Controller redirect_from: - /actions/hosting-your-own-runners/managing-self-hosted-runners-with-actions-runner-controller/troubleshooting-actions-runner-controller-errors + - /actions/how-tos/hosting-your-own-runners/managing-self-hosted-runners-with-actions-runner-controller/troubleshooting-actions-runner-controller-errors --- [Legal notice](#legal-notice) diff --git a/content/actions/how-tos/hosting-your-own-runners/managing-self-hosted-runners-with-actions-runner-controller/using-actions-runner-controller-runners-in-a-workflow.md b/content/actions/tutorials/actions-runner-controller/using-actions-runner-controller-runners-in-a-workflow.md similarity index 92% rename from content/actions/how-tos/hosting-your-own-runners/managing-self-hosted-runners-with-actions-runner-controller/using-actions-runner-controller-runners-in-a-workflow.md rename to content/actions/tutorials/actions-runner-controller/using-actions-runner-controller-runners-in-a-workflow.md index 7171004cfb14..c884099800b1 100644 --- a/content/actions/how-tos/hosting-your-own-runners/managing-self-hosted-runners-with-actions-runner-controller/using-actions-runner-controller-runners-in-a-workflow.md +++ b/content/actions/tutorials/actions-runner-controller/using-actions-runner-controller-runners-in-a-workflow.md 
@@ -12,11 +12,12 @@ topics: defaultPlatform: linux redirect_from: - /actions/hosting-your-own-runners/managing-self-hosted-runners-with-actions-runner-controller/using-actions-runner-controller-runners-in-a-workflow + - /actions/how-tos/hosting-your-own-runners/managing-self-hosted-runners-with-actions-runner-controller/using-actions-runner-controller-runners-in-a-workflow --- [Legal notice](#legal-notice) -## About using ARC runners in a workflow file +## Using ARC runners in a workflow file To assign jobs to run on a runner scale set, you can specify the name of the scale set as the value for the `runs-on` key in your {% data variables.product.prodname_actions %} workflow file. diff --git a/content/actions/tutorials/index.md b/content/actions/tutorials/index.md index 9fd47be92f36..115b94039bca 100644 --- a/content/actions/tutorials/index.md +++ b/content/actions/tutorials/index.md @@ -8,12 +8,12 @@ versions: ghec: '*' children: - /migrating-to-github-actions + - /actions-runner-controller - /creating-an-example-workflow - /creating-a-docker-container-action - /creating-a-javascript-action - /creating-a-composite-action - /store-and-share-data - - /quickstart-for-actions-runner-controller - /deploying-with-github-actions - /communicating-with-docker-service-containers redirect_from: diff --git a/content/apps/creating-github-apps/authenticating-with-a-github-app/generating-a-user-access-token-for-a-github-app.md b/content/apps/creating-github-apps/authenticating-with-a-github-app/generating-a-user-access-token-for-a-github-app.md index 6731f0686214..b097e31997c6 100644 --- a/content/apps/creating-github-apps/authenticating-with-a-github-app/generating-a-user-access-token-for-a-github-app.md +++ b/content/apps/creating-github-apps/authenticating-with-a-github-app/generating-a-user-access-token-for-a-github-app.md 
@@ -42,6 +42,8 @@ If your app runs in the browser, you should use the web application flow to gene `client_id` | `string` | Required | The client ID for your {% data variables.product.prodname_github_app %}. The client ID is different from the app ID. You can find the client ID on the settings page for your app. For more information about navigating to the settings page for your {% data variables.product.prodname_github_app %}, see [AUTOTITLE](/apps/maintaining-github-apps/modifying-a-github-app-registration#navigating-to-your-github-app-settings). `redirect_uri` | `string` | Strongly recommended | The URL in your application where users will be sent after authorization. This must be an exact match to one of the URLs you provided as a "Callback URL" in your app's settings and can't contain any additional parameters. `state` | `string` | Strongly recommended | When specified, the value should contain a random string to protect against forgery attacks, and it can also contain any other arbitrary data. +{% ifversion pkce_support %} `code_challenge` | `string` | Strongly recommended | Used to secure the authentication flow with PKCE (Proof Key for Code Exchange). Required if `code_challenge_method` is included. Must be a 43 character SHA-256 hash of a random string generated by the client. See the [PKCE RFC](https://datatracker.ietf.org/doc/html/rfc7636) for more details about this security extension. + `code_challenge_method` | `string` | Strongly recommended | Used to secure the authentication flow with PKCE (Proof Key for Code Exchange). Required if `code_challenge` is included. Must be `S256` - the `plain` code challenge method is not supported.{% endif %} `login` | `string` | Optional | When specified, the web application flow will prompt users with a specific account they can use for signing in and authorizing your app. 
`allow_signup` | `boolean` | Optional | Whether unauthenticated users will be offered an option to sign up for {% data variables.product.prodname_dotcom %} during the OAuth flow. The default is `true`. Use `false` when a policy prohibits signups. {% ifversion oauth_account_picker %} `prompt` | `string` | Optional | Forces the account picker to appear if set to `select_account`. The account picker will also appear if the application has a non-HTTP redirect URI or if the user has multiple accounts signed in. {% endif %} diff --git a/content/apps/oauth-apps/building-oauth-apps/authorizing-oauth-apps.md b/content/apps/oauth-apps/building-oauth-apps/authorizing-oauth-apps.md index 048194b01524..e1ea748e6214 100644 --- a/content/apps/oauth-apps/building-oauth-apps/authorizing-oauth-apps.md +++ b/content/apps/oauth-apps/building-oauth-apps/authorizing-oauth-apps.md 
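Review bot: The `code_challenge` row describes the value as "a 43 character SHA-256 hash of a random string", which omits the encoding and never names the `code_verifier`; a hex SHA-256 digest is 64 characters, and only the unpadded base64url encoding of the digest is 43. RFC 7636 defines the S256 challenge as the base64url-encoded SHA-256 of the ASCII `code_verifier`, so I would word it as `Must be the base64url-encoded (no padding) SHA-256 hash of the code_verifier, which is 43 characters long.` It would also help to say that the verifier is a fresh, cryptographically random string of 43 to 128 unreserved characters generated for each authorization request. The same sentence is added to the parameter table in `authorizing-oauth-apps.md`.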
@@ -64,12 +64,16 @@ This endpoint takes the following input parameters. | `login` | `string` | Optional| Suggests a specific account to use for signing in and authorizing the app. | | `scope`|`string` |Context dependent| A space-delimited list of [scopes](/apps/oauth-apps/building-oauth-apps/scopes-for-oauth-apps). If not provided, `scope` defaults to an empty list for users that have not authorized any scopes for the application. For users who have authorized scopes for the application, the user won't be shown the OAuth authorization page with the list of scopes. Instead, this step of the flow will automatically complete with the set of scopes the user has authorized for the application. For example, if a user has already performed the web flow twice and has authorized one token with `user` scope and another token with `repo` scope, a third web flow that does not provide a `scope` will receive a token with `user` and `repo` scope. | | `state` | `string` |Strongly recommended| {% data reusables.apps.state_description %} | +| {% ifversion pkce_support %} | +| `code_challenge` | `string` | Strongly recommended | Used to secure the authentication flow with PKCE (Proof Key for Code Exchange). Required if `code_challenge_method` is included. Must be a 43 character SHA-256 hash of a random string generated by the client. See the [PKCE RFC](https://datatracker.ietf.org/doc/html/rfc7636) for more details about this security extension. +| `code_challenge_method` | `string` | Strongly recommended | Used to secure the authentication flow with PKCE (Proof Key for Code Exchange). Required if `code_challenge` is included. Must be `S256` - the `plain` code challenge method is not supported. +| {% endif %} | | `allow_signup`|`string` | Optional | Whether or not unauthenticated users will be offered an option to sign up for GitHub during the OAuth flow. The default is `true`. Use `false` when a policy prohibits signups. 
| | {% ifversion oauth_account_picker %} | | `prompt` | `string` | Optional | Forces the account picker to appear if set to `select_account`. The account picker will also appear if the application has a non-HTTP redirect URI or if the user has multiple accounts signed in. | | {% endif %} | -The PKCE (Proof Key for Code Exchange) parameters `code_challenge` and `code_challenge_method` are not supported at this time. CORS pre-flight requests (OPTIONS) are not supported at this time. +{% ifversion not pkce_support %}The PKCE (Proof Key for Code Exchange) parameters `code_challenge` and `code_challenge_method` are not supported at this time. {% endif %}CORS pre-flight requests (OPTIONS) are not supported at this time. ### 2. Users are redirected back to your site by GitHub @@ -87,6 +91,9 @@ Parameter name | Type | Required?| Description `client_secret` | `string` | Required | The client secret you received from {% data variables.product.github %} for your {% data variables.product.prodname_oauth_app %}. `code` | `string` | Required | The code you received as a response to Step 1. `redirect_uri` | `string` | Strongly recommended | The URL in your application where users are sent after authorization. We can use this to match against the URI originally provided when the `code` was issued, to prevent attacks against your service. +| {% ifversion pkce_support %} | +`code_verifier` | `string` | Strongly recommended | Used to secure the authentication flow with PKCE (Proof Key for Code Exchange). Required if `code_challenge` was sent during the user authorization. Must be the original value used to generate the `code_challenge` in the authorization request. This can be stored in a cookie alongside the `state` parameter or in a session variable during authentication, depending on your application architecture. +| {% endif %} | By default, the response takes the following form: 
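Review bot: The `code_verifier` row in the second hunk suggests keeping the verifier "in a cookie alongside the `state` parameter" without saying how that cookie must be protected, and PKCE only helps while the verifier stays unknown to anyone who can intercept the authorization code. I would add a caveat such as `If you store the code_verifier in a cookie, set the Secure and HttpOnly attributes, keep its lifetime short, and delete it once the code has been exchanged.` and state a preference for a server-side session where the application has one. The same sentence is added in `data/reusables/apps/web-app-flow-exchange-code.md`. The neighbouring rows of this table are written without leading pipes, so the added `| {% ifversion pkce_support %} |` and `| {% endif %} |` lines differ in style from them; it is worth checking the rendered table for a stray empty row.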
diff --git a/content/copilot/tutorials/enhancing-copilot-agent-mode-with-mcp.md b/content/copilot/tutorials/enhancing-copilot-agent-mode-with-mcp.md index e799618fca39..993a3f81e521 100644 --- a/content/copilot/tutorials/enhancing-copilot-agent-mode-with-mcp.md +++ b/content/copilot/tutorials/enhancing-copilot-agent-mode-with-mcp.md @@ -189,7 +189,10 @@ For example, {% data variables.product.prodname_copilot_short %} will add commen Now you can review the pull request and make any adjustments. Once you have verified that the changes are valid, you can merge as with any other pull request. +## Hands-on practice + +Try the [Integrate MCP with {% data variables.product.prodname_copilot %}](https://github.com/skills/integrate-mcp-with-copilot/) Skills exercise for practical experience integrating MCP with {% data variables.product.prodname_copilot %}. + ## Further reading -* **Hands-on practice**: Try the [Integrate MCP with Copilot](https://github.com/skills/integrate-mcp-with-copilot/) Skills course for practical experience with MCP and agent mode. * **MCP fundamentals**: For more information about setting up and configuring MCP servers, see [AUTOTITLE](/copilot/customizing-copilot/using-model-context-protocol/extending-copilot-chat-with-mcp). diff --git a/content/pages/getting-started-with-github-pages/changing-the-visibility-of-your-github-pages-site.md b/content/pages/getting-started-with-github-pages/changing-the-visibility-of-your-github-pages-site.md index f256fe9fa51d..07946dd8f855 100644 --- a/content/pages/getting-started-with-github-pages/changing-the-visibility-of-your-github-pages-site.md +++ b/content/pages/getting-started-with-github-pages/changing-the-visibility-of-your-github-pages-site.md 
@@ -15,7 +15,7 @@ With access control for {% data variables.product.prodname_pages %}, you can res {% data reusables.pages.privately-publish-ghec-only %} -If your enterprise uses {% data variables.product.prodname_emus %}, access control is not available, and all {% data variables.product.prodname_pages %} sites are only accessible to other enterprise members. For more information about {% data variables.product.prodname_emus %}, see [AUTOTITLE](/pages/getting-started-with-github-pages/github-pages-limits#limits-for-enterprise-managed-users). +If your enterprise uses {% data variables.product.prodname_emus %}, {% data variables.product.prodname_pages %} sites can only be published as private, and all {% data variables.product.prodname_pages %} sites are only accessible to other enterprise members. For more information about {% data variables.product.prodname_emus %}, see [AUTOTITLE](/pages/getting-started-with-github-pages/github-pages-limits#limits-for-enterprise-managed-users). If your organization uses {% data variables.product.prodname_ghe_cloud %} without {% data variables.product.prodname_emus %}, you can choose to publish your project sites privately or publicly to anyone on the internet. diff --git a/data/features/pkce_support.yml b/data/features/pkce_support.yml new file mode 100644 index 000000000000..7a488e71f18b --- /dev/null +++ b/data/features/pkce_support.yml @@ -0,0 +1,5 @@ +# Reference: github/docs-content#18773 +# Support for PKCE in GitHub Apps and OAuth apps +versions: + fpt: '*' + ghec: '*' diff --git a/data/reusables/apps/web-app-flow-exchange-code.md b/data/reusables/apps/web-app-flow-exchange-code.md index 23098943045e..b5da9d3dcf52 100644 --- a/data/reusables/apps/web-app-flow-exchange-code.md +++ b/data/reusables/apps/web-app-flow-exchange-code.md 
@@ -6,4 +6,5 @@ `client_secret` | `string` | **Required.** The client secret for your {% data variables.product.prodname_github_app %}. You can generate a client secret on the settings page for your app. `code` | `string` | **Required.** The code you received in the previous step. `redirect_uri` | `string` | The URL in your application where users will be sent after authorization. This must be an exact match to one of the URLs you provided as a "Callback URL" when setting up your {% data variables.product.prodname_github_app %} and can't contain any additional parameters. +{% ifversion pkce_support %} `code_verifier` | `string` | Strongly recommended | Used to secure the authentication flow with PKCE (Proof Key for Code Exchange). Required if `code_challenge` was sent during the user authorization. Must be the original value used to generate the `code_challenge` in the authorization request. This can be stored in a cookie alongside the `state` parameter or in a session variable during authentication, depending on your application architecture.{% endif %} `repository_id` | `string` | The ID of a single repository that the user access token can access. If the {% data variables.product.prodname_github_app %} or user cannot access the repository, this will be ignored. Use this parameter to restrict the access of the user access token further.
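Review bot: The added `code_verifier` row has four cells, while every other row visible in this hunk has three, with the requirement written into the description as `**Required.**`. If the table header, which is outside the hunk, declares three columns, a GFM renderer drops the extra cell and the description text would not be displayed. I would fold the requirement into the description, ``{% ifversion pkce_support %} `code_verifier` | `string` | **Strongly recommended.** Used to secure the authentication flow with PKCE (Proof Key for Code Exchange).``, keeping the rest of the sentence as written.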