Incorrect check for personal access token permissions


#1

I get this weird error from the GraphQL API:

Your token has not been granted the required scopes to execute this query. The ‘__typename’ field requires one of the following scopes: [‘read:org’], but your token has only been granted the: [‘admin:org_hook’, ‘admin:repo_hook’, ‘delete_repo’, ‘gist’, ‘notifications’, ‘repo’, ‘user’, ‘write:org’] scopes. Please modify your token’s scopes at: https://github.com/settings/tokens.

I’m trying to list all the user in an organization, but it fails that way. The incorrect thing here is that my token does not just have read:org permissions, but also write:org (which implies read:org). When I downgraded the permissions to just read:org it started to work. Ditto for admin:org.

Can you please fix this? :slight_smile:


#2

:wave: Hi @skanev,

Thank you for the feedback!

I just mentioned this in another thread, but I agree that the OAuth scope support for the GitHub GraphQL API is admittedly not as full featured as we’d like during the Early Access period.

The problem is that in the GraphQL API, this isn’t quite true:

(which implies read:org)

Right now, we don’t have support for parent-child relationships in the GraphQL API. Our medium to long term goal is to incorporate the granular access permissions of Integrations into the GraphQL API, though.

Thank you again very much for the feedback. I’ve tracked it in an internal issue of users facing similar friction with OAuth scopes in the GraphQL API.