Pass Information through GitHub App Installation Page


#1

Hello,

I have a GitHub app, and I link the installation page for that app through the website of the company I work for. On my company’s website, I have information that identifies a user’s account with my company. When a user installs the app, I get an installation Id that I can use to access the users information. However, I need the information from my company’s website to link the GitHub user account with my company’s account. Is there a way I can pass that information through the installation page, perhaps as a query string?

For example, in the authorization flow, I can add redirect_uri as a query string in the github auth url. In the redirect_uri, I can add the user information as a query string, and when the user hits the endpoint, I’ll have that user information. Is there anything similar I can do with the installation page?

Thanks


#2

Hi @J-Ragone,

if I understand this correctly, you would want to keep a state when redirecting a user to install an app, the same way the OAuth state parameter works?

I’m not sure 100% about this, so I’ll ask engineering about this. But I do now information about the installer is provided as part of the installation webhook:

Would that work for you?

Cheers,
Víctor


#3

Checked with engineering and can confirm we do not suppor this. Ideally, those parameters could be forwarded when redirecting to setup_url. I’ll fill internally a feature request for this.


#4

Hi @vroldanbet,

You are correct that I would like to keep a state when redirecting a user to install an app. I noticed that when authorizing an app, I can add redirect_uri in a query string before sending the user to the authorization page. To pass the user information, I created an endpoint to which I could briefly redirect the user after authorization and pass the identifying user information as a query string in the redirect_uri query string of the GitHub authorization page. At this authorization callback URL, I could link my company’s account to a user’s GitHub account, because GitHub authorization also passes an access token as a query string, so I could retrieve GitHub user information with that token and get the other information that identified a user of the company I work for also from a query string. With those two pieces of information, I could successfully link accounts between GitHub and my company.

The problem is, authorization of a GitHub app did not seem necessary to me (and please correct me if I am wrong), and I was only doing it for the sake of linking accounts through the process described above. As for the installation events, those arrive at my event endpoint, and I cannot determine to which account of my company that GitHub user information belongs. I need to have the user information of both GitHub and my company at the same place. This created a rather nasty installation flow, which I’ll outline below:

User is on my company’s webpage -> click button to install integration -> directed to github app authorization page with my company’s user info in query string of redirect_uri -> user authorizes app -> directed to my authorization callback URL -> get github user info with access token from query string -> get my company’s user info from query string -> link accounts -> direct to installation page -> user installs app -> receive an installation event and update the account link with the installation Id instead of the access token -> user is directed to Setup URL

As you have pointed out, it would be ideal if there were a setup_url query string, similar to the authorization’s redirect_uri, as that would eliminate the need for me to ask users to authorize the GitHub app. Ideally my installation flow would be the following:

User is on my company’s webpage -> click button to install integration -> directed to github app installation page with my company’s user info in query string of setup_url -> user installs bot -> user is directed to Setup URL -> get github user info with installation Id from query string -> get my company’s user info from query string -> link accounts

Thank you very much for filling a feature request for this, and I’ll be eagerly awaiting a status update on this feature’s progress.

Best,
John Ragone