Correlating installation_id w/ external app user account


#1

Not sure if this is already documented somewhere, but I’m having trouble figuring out how to get the current Integration API to work for my current use case.

Use Case:

UserX is logged into AppX. AppX directs user to integration installation page, user installs integration. AppX receives installation token and wants to correlate the installation_id with UserX in order to make outbound API calls to GitHub (create commits, etc).

I can’t come up with a secure way to support this flow currently.

OAuth obviously supports this, but the ability to grant write permissions on a per-repo basis is an extremely compelling reason to use the new integrations API & our customers would love this fine-grained control.

Cheers!


#2

Hey @bkendzior :wave:

I’m not really sure I understand the flow you described or what you’re trying to accomplish, so I’d like to ask a few clarifying questions. :smile:

What do you mean by “UserX is logged into AppX”? Is AppX an integration and how is it relevant for this scenario? Also, when you say “AppX receives installation token” do you mean “Integration obtains an installation token via the exchange described here: https://developer.github.com/early-access/integrations/authentication/#as-an-installation” or do you mean something else?

Also, I’m not sure I understand what the correlation is between UserX and the installation_id which you’d like to uncover and how you’d like that correlation to be delivered to you. Could you share more details about that? Is UserX the user that installed the integration and you want to know which user that is? And why do you need this correlation in order to make GitHub API calls? Are you looking to perform some actions on behalf of that user that installed the integration?

In other words, a bit more detailed description and more examples might help us understand your use-case and perhaps point you in the right direction.

Thanks!


#3

I believe that @bkendzior is asking about how to support the use case where a user is authenticated with a non-GitHub account for a different service. This service wants to associate an installation with the non-GitHub user, but there is no way to do this without having the user go through an OAuth flow with GitHub.


#4

@arbesfeld Thanks for jumping in! Yeah, @bkendzior reached out via DM and shared more context about their use case – sorry for not following up here.

There are some guidelines for identifying users available here, but that’s currently focused on flows starting from GitHub and leading to the external application (inside-out flow). The team is still working on supporting flows that start from an external application and end on GitHub (outside-in flow) which would allow you to identify users and see what they have access to. This is also mentioned here.

We’ll follow up here and add more documentation once there’s more news on this, but I can’t promise when that will happen.