You are correct that I would like to keep a state when redirecting a user to install an app. I noticed that when authorizing an app, I can add redirect_uri in a query string before sending the user to the authorization page. To pass the user information, I created an endpoint to which I could briefly redirect the user after authorization and pass the identifying user information as a query string in the redirect_uri query string of the GitHub authorization page. At this authorization callback URL, I could link my company’s account to a user’s GitHub account, because GitHub authorization also passes an access token as a query string, so I could retrieve GitHub user information with that token and get the other information that identified a user of the company I work for also from a query string. With those two pieces of information, I could successfully link accounts between GitHub and my company.
The problem is, authorization of a GitHub app did not seem necessary to me (and please correct me if I am wrong), and I was only doing it for the sake of linking accounts through the process described above. As for the installation events, those arrive at my event endpoint, and I cannot determine to which account of my company that GitHub user information belongs. I need to have the user information of both GitHub and my company at the same place. This created a rather nasty installation flow, which I’ll outline below:
User is on my company’s webpage -> click button to install integration -> directed to GitHub app authorization page with my company’s user info in query string of redirect_uri -> user authorizes app -> directed to my authorization callback URL -> get GitHub user info with access token from query string -> get my company’s user info from query string -> link accounts -> direct to installation page -> user installs app -> receive an installation event and update the account link with the installation ID instead of the access token -> user is directed to Setup URL
As you have pointed out, it would be ideal if there were a setup_url query string, similar to the authorization’s redirect_uri, as that would eliminate the need for me to ask users to authorize the GitHub app. Ideally my installation flow would be the following:
User is on my company’s webpage -> click button to install integration -> directed to GitHub app installation page with my company’s user info in query string of setup_url -> user installs bot -> user is directed to Setup URL -> get GitHub user info with installation ID from query string -> get my company’s user info from query string -> link accounts
Thank you very much for filing a feature request for this, and I’ll be eagerly awaiting a status update on this feature’s progress.
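
An added example, not code from the post above or from GitHub: one way to make the company user information carried in the redirect_uri query string tamper-evident, so the callback does not link accounts based on a value the browser could have changed. `SECRET`, `CALLBACK`, the `link` parameter name and all function names are assumptions made for illustration.

```python
import base64, hashlib, hmac, json, time
from urllib.parse import parse_qs, urlencode, urlparse

SECRET = b"constructed-demo-key"  # assumption: server-side key, never sent to the browser
CALLBACK = "https://example.com/github/callback"  # hypothetical callback endpoint

def _b64(raw):
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode()

def _unb64(text):
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))

def make_link_token(company_user_id, now=None, ttl=600):
    """Signed, short-lived token carrying the company user id."""
    now = int(time.time()) if now is None else now
    payload = json.dumps({"uid": company_user_id, "exp": now + ttl}).encode()
    sig = hmac.new(SECRET, payload, hashlib.sha256).digest()
    return _b64(payload) + "." + _b64(sig)

def build_redirect_uri(company_user_id, now=None):
    """Value to pass as redirect_uri when sending the user to authorize."""
    return CALLBACK + "?" + urlencode({"link": make_link_token(company_user_id, now)})

def company_user_from_callback(callback_url, now=None):
    """Return the company user id, or None if the token is missing,
    malformed, tampered with, or expired."""
    now = int(time.time()) if now is None else now
    values = parse_qs(urlparse(callback_url).query).get("link", [])
    if len(values) != 1 or values[0].count(".") != 1:
        return None
    payload_b64, sig_b64 = values[0].split(".")
    try:
        payload, sig = _unb64(payload_b64), _unb64(sig_b64)
    except ValueError:
        return None
    expected = hmac.new(SECRET, payload, hashlib.sha256).digest()
    if not hmac.compare_digest(sig, expected):  # constant-time comparison
        return None
    data = json.loads(payload)  # parsed only after the signature verified
    if data["exp"] < now:
        return None
    return data["uid"]
```

The signature only proves that the server issued the value; the callback should also confirm that the token belongs to the browser session that started the flow before linking accounts.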