GitHub Apps (integration) - access per user?


#1

Hello,
I am building a bot for a team. I need that bot to have access to an organization’s repos, but some users should only have access to some of the repos. Is that possible, or should I use OAuth instead?

Thanks!


#2

If you’re building a bot, then it sounds like you need a GitHub App rather than an OAuth app.

When you say that some users should only have access to some repos, are you talking about human users or bots? With humans you can use GitHub teams to manage access to different repositories.


#3

When I say users I mean humans.

For example, let’s say I have repo1 and repo2, a user, an admin and my bot. (User and admin are humans.)
User, admin and bot are talking through a Slack app. When the user asks the bot for something I want it to have access only to repo1, but when the admin asks for something I want him to have access to both repos.

I hope you understand what i mean.


#4

Yepp, that makes sense.

I think there are a couple of ways you could go about this (probably more than that). Either way, a GitHub App seems to be the best fit for this.

With GitHub Apps you can also do OAuth for the users—so if each user has to authorize before calling the bot, then you’d be able to use their access token to only give them access to the repos they already have access to.

Another option would be to have the bot check the teams they’re on, and the permissions of those teams against the repositories. I suspect that this might be a bit more work though, as you’d have to do the lookup every time.

Having written all that out I actually think that the GitHub App with the additional OAuth verification for users is the right way to go.

If you go to the “general” tab of your GitHub App and scroll to the bottom you’ll see the OAuth credentials.


#5

Your suggestion (GitHub App with OAuth) is kind of what I was thinking of, but I wasn’t sure if it was possible. Now it’s clearer. Thanks for your time and your response, it was helpful!

-Andreas


#6

Hi,

I’ve got a similar question, maybe you know the answer.

I also develop a bot and I need to map chat users to GitHub users. GitHub OAuth lets me do this (I use parameters in redirect_url to make the mapping).

AND I also want to receive the webhooks, which I can easily get with a GitHub App. (The redirect URL must match the one in the app, so I cannot pass any parameters.)

However, I cannot find a way to have user mapping + webhooks. (I could use GitHub OAuth + the API to set up webhooks for all repositories, but it doesn’t feel right.)

Any suggestions?

Thanks,
Leo


#7

What if you set up a GitHub App? In the general settings tab of your GitHub App you can set the webhook URL where webhooks are sent to you. And as kytrinyx said, at the bottom of that page you will find the OAuth credentials so you can authorize your users.


#8

@andreash92, thanks.

Does it mean a customer needs to install the GitHub App and also account-bind every user using GitHub OAuth?


#9

You will create the GitHub App once and install it to your organization or user profile. Usually this is done by the owner of the organization. After that, each user will have to authorize their account using OAuth. What I do is authorize my users, receive their token and save it (encrypted) in a database, and use it every time I have to.
Hope it helps.
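The chat-user-to-GitHub-user mapping that Leo asked about does not need parameters in `redirect_url`: GitHub’s OAuth web flow carries an opaque `state` value from the authorization request to the callback. The example below is added here and is not code from this thread or from GitHub; the endpoint `https://github.com/login/oauth/authorize` and the `client_id`, `redirect_uri` and `state` parameters are real, while the `OAuthLinker` class, its in-memory pending-state store and the chat user ids are constructed for the example.

```python
"""Bind a chat user to a GitHub OAuth authorization with the `state` parameter.

Added example (not code from the thread). GitHub's web flow endpoint and the
client_id / redirect_uri / state query parameters are real; the in-memory
pending-state store and the chat user ids are constructed for the example.
"""
import secrets
import time
from typing import Callable, Dict, Optional, Tuple
from urllib.parse import parse_qs, urlencode, urlparse

AUTHORIZE_URL = "https://github.com/login/oauth/authorize"


class OAuthLinker:
    """Issues one-time `state` values and maps a completed callback back to the
    chat user who started the flow, without putting anything in redirect_uri."""

    def __init__(self, client_id: str, ttl_seconds: int = 600,
                 clock: Callable[[], float] = time.time) -> None:
        self.client_id = client_id
        self.ttl = ttl_seconds
        self.clock = clock  # injectable so expiry can be tested offline
        # state -> (chat_user, issued_at). Constructed in-memory store; a real
        # bot would keep this wherever it keeps its sessions.
        self._pending: Dict[str, Tuple[str, float]] = {}

    def authorization_url(self, chat_user: str, redirect_uri: str) -> str:
        # 32 random bytes, URL-safe: unguessable, so a forged callback cannot
        # attach a stranger's GitHub account to this chat user.
        state = secrets.token_urlsafe(32)
        self._pending[state] = (chat_user, self.clock())
        query = urlencode({"client_id": self.client_id,
                           "redirect_uri": redirect_uri,
                           "state": state})
        return f"{AUTHORIZE_URL}?{query}"

    def handle_callback(self, callback_url: str) -> Optional[Tuple[str, str]]:
        """Return (chat_user, code) for a valid callback, else None.
        The caller then exchanges `code` for the user-to-server token."""
        params = parse_qs(urlparse(callback_url).query)
        state = params.get("state", [None])[0]
        code = params.get("code", [None])[0]
        if state is None or code is None:
            return None
        # pop() makes each state single-use: a replayed callback is rejected.
        entry = self._pending.pop(state, None)
        if entry is None:
            return None
        chat_user, issued_at = entry
        if self.clock() - issued_at > self.ttl:
            return None  # stale authorization; make the user start over
        return chat_user, code


def state_from_url(url: str) -> str:
    """Pull the state back out of an authorization URL (used by callers/tests)."""
    return parse_qs(urlparse(url).query)["state"][0]
```

The bot sends the user the URL from `authorization_url`, and when GitHub redirects back it calls `handle_callback` on the full callback URL; the returned `code` is then exchanged for the user’s token, which is stored against the returned chat user id. Because the callback is only accepted for a state the bot itself issued, and only once, an attacker cannot link their own GitHub account to someone else’s chat identity by sending the victim a crafted callback link.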


#10

@andreash92 are you saving that token to make an “offband” API request on the user’s behalf? Since a GitHub App can make API requests as itself, I’m curious what the use case is under which you’d need to make an API request as the user.


#11

Yes.

[quote=“meowlicious, post:10, topic:2448”]
Since a GitHub App can make API requests as itself, I’m curious what the use case is under which you’d need to make an API request as the user.
[/quote]

The GitHub App will have access to all repos of the organization, but I want some users to access only certain repos.


#12

Hello there,
I did what we were talking about (GitHub App with GitHub OAuth for the users), but I have a problem when calling some endpoints using the user’s token*.

For example, when I use
GET /repos/:owner/:repo/issues
for a private repo of mine I get a 404: Not Found error.
(Based on this here it seems that this endpoint is enabled for GitHub Apps, so I am guessing I should be OK requesting data from this endpoint.)

Also, after some testing it seems that only these endpoints here work well.

*For generating a user’s token, I followed the instructions here.

Did I misunderstand the way GitHub Apps work?
Any help would be appreciated.


#13

@andreash92 Ah, yes, I see what you mean. No, you haven’t misunderstood. There are two types of enablement for GitHub Apps:

  • server to server (which is when the app itself makes a request)
  • user to server (which is when the app makes a request using the access token from a user)

A lot more endpoints are enabled for server-to-server calls than for user-to-server calls, so it’s quite likely that you’ve run into an area where it’s enabled for the app but not for users within the app. I know this is frustrating.

We’re working on a full audit of the entire API to see what is enabled for whom and where, and once we have done that we will be able to provide a much better idea of when endpoints will become available both for apps, and for users via apps.
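Putting kytrinyx’s two suggestions together (post #4’s “use the user’s token so they only reach repos they already have access to”, and post #13’s server-to-server versus user-to-server distinction), the example below is added here and is not code from this thread or from GitHub. The paths `GET /repos/{owner}/{repo}` and `GET /repos/{owner}/{repo}/issues` are real, as is the `permissions` object GitHub returns on the repository resource for the authenticated user and the 404 it answers for a private repository the token cannot see. The `Bot` class, the `REQUIRED` action policy, the tokens, repos and chat user ids, and the `fake_github_get` stub standing in for the HTTP layer are all constructed so the example runs offline.

```python
"""Gate a bot action on the requesting human's own repository permissions.

Added example, not code from the thread or from GitHub. The two request paths
and the `permissions` object on the repository resource are real; the Bot
class, the action policy, all tokens/repos/users and the fake HTTP layer are
constructed for the example.
"""
from typing import Any, Callable, Dict, Tuple

# (path, token) -> (status, json body). A real bot would wrap requests.get()
# against https://api.github.com with the header "Authorization: token <token>".
HttpGet = Callable[[str, str], Tuple[int, Any]]

# Which permission flag each bot action needs; constructed policy for the example.
REQUIRED = {"list_issues": "pull", "close_issue": "push", "add_collaborator": "admin"}


class Bot:
    def __init__(self, installation_token: str, user_tokens: Dict[str, str],
                 http_get: HttpGet) -> None:
        self.installation_token = installation_token  # server-to-server: the app as itself
        self.user_tokens = user_tokens                 # chat user -> user-to-server token
        self.http_get = http_get

    def user_permissions(self, chat_user: str, owner: str, repo: str) -> Dict[str, bool]:
        """Ask GitHub with the *user's* token. 404 means the repo is not visible
        to that user (GitHub hides private repos rather than answering 403)."""
        token = self.user_tokens.get(chat_user)
        if token is None:
            return {}  # this chat user never authorized through the app's OAuth flow
        status, body = self.http_get(f"/repos/{owner}/{repo}", token)
        if status != 200:
            return {}
        return dict(body.get("permissions", {}))

    def authorize(self, chat_user: str, owner: str, repo: str, action: str) -> bool:
        needed = REQUIRED[action]
        return bool(self.user_permissions(chat_user, owner, repo).get(needed, False))

    def list_issues(self, chat_user: str, owner: str, repo: str) -> Any:
        if not self.authorize(chat_user, owner, repo, "list_issues"):
            raise PermissionError(f"{chat_user} may not read {owner}/{repo}")
        # The thread reports some endpoints answering 404 with a user-to-server
        # token, so the read itself is done server-to-server, *after* the
        # user-scoped check above. The installation token only reaches repos the
        # app was installed on, which bounds what the bot can do at all.
        status, body = self.http_get(f"/repos/{owner}/{repo}/issues", self.installation_token)
        if status != 200:
            raise RuntimeError(f"GitHub answered {status} for {owner}/{repo}/issues")
        return body


# ---- constructed fake of the two GitHub endpoints used above ----
INSTALL_TOKEN = "ghs_constructed_installation_token"
FAKE_REPOS = {
    ("acme", "repo1"): {"tok-user": {"admin": False, "push": True, "pull": True},
                        "tok-admin": {"admin": True, "push": True, "pull": True}},
    ("acme", "repo2"): {"tok-admin": {"admin": True, "push": True, "pull": True}},
}


def fake_github_get(path: str, token: str) -> Tuple[int, Any]:
    parts = path.strip("/").split("/")
    if len(parts) < 3 or parts[0] != "repos":
        return 404, {"message": "Not Found"}
    key = (parts[1], parts[2])
    if key not in FAKE_REPOS:
        return 404, {"message": "Not Found"}
    if token == INSTALL_TOKEN:
        perms = {"admin": True, "push": True, "pull": True}
    elif token in FAKE_REPOS[key]:
        perms = FAKE_REPOS[key][token]
    else:
        return 404, {"message": "Not Found"}  # private repo hidden from this token
    if len(parts) == 3:
        return 200, {"full_name": f"{key[0]}/{key[1]}", "private": True, "permissions": perms}
    if parts[3] == "issues":
        return 200, [{"number": 1, "title": "constructed issue"}]
    return 404, {"message": "Not Found"}


def demo_bot() -> Bot:
    return Bot(INSTALL_TOKEN,
               {"slack:user": "tok-user", "slack:admin": "tok-admin"},
               fake_github_get)
```

The point of the split is that the user-to-server token answers the question “may this human do this to this repo?” using GitHub’s own permission model, so the bot never has to mirror team membership itself (the lookup post #4 wanted to avoid), while the installation token does the work only once that answer is yes. A user who never completed the OAuth flow, or whose token cannot see the repo, gets an empty permission set and is denied.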


#14

Thanks for the reply, it makes more sense now.

So what I understood is that:

Correct me if I am wrong.

Thanks once again.


#15

That looks right to me!

I’ll ping back in this thread when we’ve gotten through the audit to let you know what the plan is.