We are struggling with designing our new Github integration for the same reasons. Here are our thoughts:
TL;DR: We think it’s in everyone’s best interest for Github to enable OAuth applications to add integrations to repositories.
We see the root cause of many issues (from this thread and others) to be the issue explained by @jmilas: OAuth is scoped at the account level, and integrations/installations are intended to be scoped to the repository level. Indeed, we recognize the incompatibility of scopes to be a quandary. Integrations were clearly intended to address the “Over-scoping” complaints present with OAuth. That intention seems to make enabling “Over-scoped OAuth” to add the “Limited-Scope” integrations seem silly.
Despite these factors, it seems clear that the majority of third parties who would use integrations will likely wish to initiate the flow from their application. The reason the OAuth flow has been so successful is that it targets and addresses this most common use case. While we acknowledge the challenge and reasoning behind the decision, the reality seems to be that the current vision and design do not meet the needs of the EA developers who are trying to do very normal things.
With that said, it is most certainly possible for Github to add this functionality, which would solve the needs of everyone in this thread. It is only a matter of a design decision by Github not to do so. We agree that Github should continue to work out a full-featured OAuth-free workflow over time because it’s valuable. However, we don’t agree that adding integrations via OAuth should be forbidden for several reasons. At the very least, it violates the principle of least surprise. Using the OAuth flow, an application can be granted rights to perform virtually any operation on a repository, including deleting the repository or adding a webhook to it. However, adding an integration to a repository is forbidden, which appears arbitrary and short-sighted on the surface.
Objectively speaking, it seems like the type of controversial decision Github will be trying to justify to the community indefinitely, and will keep coming up in the forums. It makes sense from one point of view, but doesn’t make sense from most points of view.
It’s worth noting that we’ve set up our applications to use both OAuth and Integrations because they solve different problems. We are using OAuth to enable the user to authenticate to our application using Github credentials and create issues. At the same time, we are using integrations for performing repository operations because it has advantages like auto-creating webhooks, and the token scheme is better. The only thing that is unpleasant is that we have to tell the user to go through two integration processes, and that’s what we’d like to see changed.