GitHub app and installation verification

Hi GitHub apps team,

My team is working on migrating our GitHub OAuth app to a GitHub app. We’re having some difficulty finding out who has installed the GitHub app and if the user we have on our end has access to that GitHub app.

Upon installation of the GitHub app the user gets redirected to our website. The only way we know what GitHub app they installed is by the installation_id query parameter in the request. Since this is a guessable id, this doesn’t seem very secure, so we thought about verifying the user’s access to the installation. We get the sender_id in the webhook, so we know which GitHub user installed it, but not necessarily who that is on our end unless we require users to have verified themselves with the GitHub app OAuth beforehand.

We don’t require users to use GitHub OAuth to sign in, so we’d need to prompt the user to do so upon installation, which feels very redundant. Is there a way we can require users to also authenticate with OAuth upon GitHub app installation?

Alternatively, what approach do you recommend here for verifying membership/access to a GitHub app for systems that don’t necessarily use GitHub OAuth?
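An added example, not code from the original post or from GitHub, showing the two checks the post is circling around. It assumes the site completes the GitHub App's user-to-server OAuth flow right after the installation redirect and then calls `GET /user/installations` with the resulting user token: that endpoint lists only installations the token's user can access, so the `installation_id` from the redirect can be checked against it rather than trusted. Separately, the webhook's `X-Hub-Signature-256` header (HMAC-SHA256 of the raw body with the app's webhook secret) lets the app trust the `sender_id` it receives. The webhook secret, payloads and IDs below are constructed placeholders, and the network calls are left out so the block runs offline.

```python
import hmac
import hashlib
import json

# Assumed webhook secret for the demo; in production this is the secret
# configured on the GitHub App's webhook settings page.
WEBHOOK_SECRET = b"example-webhook-secret"


def sign_body(secret: bytes, body: bytes) -> str:
    """Compute the value GitHub puts in X-Hub-Signature-256 for this body."""
    return "sha256=" + hmac.new(secret, body, hashlib.sha256).hexdigest()


def verify_webhook_signature(secret: bytes, body: bytes, signature_header: str) -> bool:
    """Constant-time check of the X-Hub-Signature-256 header against the raw body."""
    if not signature_header or not signature_header.startswith("sha256="):
        return False
    return hmac.compare_digest(sign_body(secret, body), signature_header)


def installation_from_webhook(secret: bytes, body: bytes, signature_header: str):
    """Return (installation_id, sender_id) for an authenticated 'installation created'
    delivery, or None if the signature fails or the event is something else."""
    if not verify_webhook_signature(secret, body, signature_header):
        return None
    event = json.loads(body)
    if event.get("action") != "created":
        return None
    return event["installation"]["id"], event["sender"]["id"]


def user_can_access_installation(user_installations_json: str, installation_id: int) -> bool:
    """Given the JSON body of GET /user/installations (requested with the user's
    user-to-server token), report whether installation_id is one the user can access.
    This is the check that turns the guessable redirect parameter into a verified one."""
    data = json.loads(user_installations_json)
    return any(inst.get("id") == installation_id for inst in data.get("installations", []))


# Constructed sample delivery: an 'installation' event with action 'created'.
SAMPLE_BODY = json.dumps({
    "action": "created",
    "installation": {"id": 12345, "account": {"login": "example-org"}},
    "sender": {"id": 987, "login": "octocat"},
}).encode()
SAMPLE_SIGNATURE = sign_body(WEBHOOK_SECRET, SAMPLE_BODY)

# Same payload with the installation id altered after signing: must be rejected.
TAMPERED_BODY = SAMPLE_BODY.replace(b"12345", b"99999")

# Constructed response shape for GET /user/installations (fields trimmed).
SAMPLE_USER_INSTALLATIONS = json.dumps({
    "total_count": 1,
    "installations": [{"id": 12345, "account": {"login": "example-org"}}],
})


if __name__ == "__main__":
    print(installation_from_webhook(WEBHOOK_SECRET, SAMPLE_BODY, SAMPLE_SIGNATURE))
    print(installation_from_webhook(WEBHOOK_SECRET, TAMPERED_BODY, SAMPLE_SIGNATURE))
    print(user_can_access_installation(SAMPLE_USER_INSTALLATIONS, 12345))
    print(user_can_access_installation(SAMPLE_USER_INSTALLATIONS, 99999))
```

The redirect check and the webhook check answer different questions: the webhook tells you which GitHub user installed the app (once the signature is verified), while the `/user/installations` lookup tells you whether the user currently logged in on your site can see that installation, which is what binds the installation to a local account without trusting the query parameter.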