I’m confused about how a GitHub app can distinguish between different users of the app.
I created an experimental GitHub App, and I can now see that in my user Settings, under Developer Settings, under GitHub Apps, the app is listed.
I can click the app name and see the app’s configuration (URL, callback URL, webhook URL, etc.). At the bottom I can also see details about the private key (which I have generated in my case) as well as the client-id and client-secret.
So does the above define the App itself in GitHub? Is this distinct from any usage of that app?
I can see also under the Settings for one of my repos that the app is listed under Integration and Services (I of course did this) and I can configure the app by pressing Configure. In there I’ve given the app read access to this repo.
Is this definition purely concerned with my specific usage of the app, rather than anything to do with the app itself?
What’s not clear to me is that it is the app itself that has a private key, client_id and client_secret, not the particular installation of the app, so how does the app associate what it does (API calls etc.) with the specific user account that an app user wants to target?
I read about authenticating as an installation but am still not really clear on how, after doing that, we can identify the specific user who the app may be acting on behalf of.
Is it the case that this doesn’t matter? After we get the “installation access token”, is that all we need? If the user of the app tries to access this or that repo, is it GitHub that checks to see if the app is installed on that repo and what permissions are set etc.?
Also, I was studying this webhooks article earlier, and that acquires access by leveraging an “installation ID” which is sent as part of the webhook event payload, but what if we want to initiate access from the app without any webhook being involved? In such a case, where would we get an installation ID?
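
An added example, not part of the original post: one way to get an installation ID without a webhook is to authenticate as the app with a JWT signed by its private key, ask GitHub's REST API which installation covers a repository, and exchange that ID for an installation access token. The app ID, the owner and repository names, and the injected `fetchFn` are assumptions made for illustration.

```javascript
// Added example: find an installation ID without a webhook, then mint an
// installation access token. Endpoints are GitHub's REST API; the app ID,
// owner/repo and the injected fetchFn are assumptions for illustration.
const nodeCrypto = require('node:crypto');

const b64url = (v) => Buffer.from(v).toString('base64url');

// App-level JWT: RS256, signed with the app's private key. It identifies the
// app itself, not any installation or user. GitHub caps exp at 10 minutes.
function appJwt(appId, privateKeyPem, nowSec = Math.floor(Date.now() / 1000)) {
  const header = b64url(JSON.stringify({ alg: 'RS256', typ: 'JWT' }));
  const claims = b64url(JSON.stringify({
    iat: nowSec - 60,   // backdated to tolerate clock drift
    exp: nowSec + 540,  // 9 minutes from now, under the 10-minute limit
    iss: String(appId),
  }));
  const sig = nodeCrypto.sign('RSA-SHA256', Buffer.from(`${header}.${claims}`), privateKeyPem);
  return `${header}.${claims}.${sig.toString('base64url')}`;
}

async function githubJson(fetchFn, method, path, bearer, body) {
  const res = await fetchFn(`https://api.github.com${path}`, {
    method,
    headers: { Authorization: `Bearer ${bearer}`, Accept: 'application/vnd.github+json' },
    body: body ? JSON.stringify(body) : undefined,
  });
  if (!res.ok) throw new Error(`${method} ${path} -> HTTP ${res.status}`);
  return res.json();
}

// Step 1: as the app, ask which installation covers owner/repo (404 if none).
// Step 2: trade that installation ID for a short-lived token, narrowed to the
// one repository; GitHub enforces the installation's permissions on its use.
async function installationTokenForRepo(fetchFn, appId, privateKeyPem, owner, repo) {
  const jwt = appJwt(appId, privateKeyPem);
  const inst = await githubJson(fetchFn, 'GET', `/repos/${owner}/${repo}/installation`, jwt);
  const tok = await githubJson(fetchFn, 'POST',
    `/app/installations/${inst.id}/access_tokens`, jwt, { repositories: [repo] });
  return { installationId: inst.id, token: tok.token, expiresAt: tok.expires_at };
}
```

In Node 18 or later, pass the built-in `fetch` as `fetchFn`. The returned token identifies the installation, not an individual user.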