
Using access token as a member of an organization does not correctly authenticate #1775

Closed
egeexyz opened this issue Feb 28, 2018 · 4 comments

Comments

@egeexyz

egeexyz commented Feb 28, 2018

The documentation is grossly unclear in the distinction between an OAuth token for an OAuth Application and a Personal Access Token. However, based on everything I've read, I have concluded that using a Personal Access Token does not authenticate correctly for members of an organization.

Use Case:

My GitHub account is associated with an organization for which every repository is private. With the REST API and other frameworks (node-github), I use my Personal Access Token to authenticate and access the organization's repos.

According to the various documentation, the code to authenticate using OAuth is deceptively simple:

using Octokit;

_client = new GitHubClient(new ProductHeaderValue("egee-irl"));
_client.Credentials = new Credentials("my_personal_access_token"); // sent as "Authorization: token ..." on every request

Unless I or the documentation has missed a step, this code does not result in authentication to the organization.

@shiftkey
Member

@egee-irl the Octokit libraries don't really care about the source of the token, as it will always send Authorization: Token {token} when making requests. But the source of a token is important for organizations.

Personal access tokens:

  • are created by the user, and are restricted to the scopes the user assigns when creating them.
  • can access organization data unless the organization has enabled SAML single sign-on; then personal access tokens need to be authorized for that organization.

OAuth applications:

  • need to be approved by the user before they can create an access token
  • may also need to be approved by the organization to access the organization data

My gut feeling is that the organization has enabled "OAuth App access restrictions" which means that applications need to be approved by the organization admin before the app can access the organization data.

Can you confirm that?

@ianfixes

ianfixes commented Oct 23, 2018

> grossly unclear

I agree completely. Adding this info here (since this came up during my troubleshooting search):

I hesitated to grant my OAuth token the scope for "Full control of private repositories" (repo), because it didn't sound read-only. A better description would be "Access all aspects of public and private repositories", and public_repo would add more clarity if it were the first sub-scope listed underneath.

But you do need the top-level repo scope checked, or your queries for private repos will just return an empty array (no errors).
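The two comments above describe the same failure from different angles: Octokit just sends the token in the Authorization header, and the reasons an org query comes back empty or forbidden (missing repo scope, SAML authorization, org access restrictions) are only visible in the response. The following is an added example, not Octokit.net code or anything from this thread, that talks to the GitHub REST API with the standard library and classifies the response. It relies on GitHub's documented X-OAuth-Scopes response header; the sample responses, the message text used to recognise SAML enforcement, and the label strings are constructed for this example.

```python
"""Diagnose why a personal access token sees no organization repositories.

Added example built on the GitHub REST API directly (not Octokit.net code).
The header names are GitHub's documented ones; every sample response below
is constructed for this example.
"""
import json
import urllib.error
import urllib.request
from typing import Optional

GITHUB_API = "https://api.github.com"


def auth_headers(token: str) -> dict:
    """The headers Octokit effectively sends: the token goes in Authorization,
    and GitHub does not care whether it came from a PAT or an OAuth app."""
    return {
        "Authorization": f"token {token}",
        "Accept": "application/vnd.github+json",
        "User-Agent": "pat-scope-check",  # GitHub rejects requests without a User-Agent
    }


def parse_scopes(header_value: Optional[str]) -> set:
    """Parse the comma-separated X-OAuth-Scopes response header into a set.

    GitHub sets this header on authenticated requests made with a PAT or
    OAuth token; a missing or empty header means the token has no scopes.
    """
    if not header_value:
        return set()
    return {s.strip() for s in header_value.split(",") if s.strip()}


def has_private_repo_access(scopes: set) -> bool:
    """'repo' grants private repositories; 'public_repo' alone does not,
    which is why private-repo queries silently return [] without it."""
    return "repo" in scopes


def diagnose(status: int, headers: dict, body: str) -> str:
    """Classify a response to GET /orgs/{org}/repos into an actionable reason.

    Header lookup is case-insensitive because clients normalise header names.
    The returned labels are constructed for this example.
    """
    lowered = {k.lower(): v for k, v in headers.items()}
    scopes = parse_scopes(lowered.get("x-oauth-scopes"))
    if status == 401:
        return "bad-credentials"
    if status == 403:
        try:
            message = json.loads(body).get("message", "")
        except ValueError:
            message = ""
        # SAML-enforced orgs refuse unauthorised PATs with an explanatory message.
        if "SAML" in message or "SSO" in message:
            return "saml-authorization-required"
        return "forbidden"
    if status == 200:
        if json.loads(body):
            return "ok"
        if not has_private_repo_access(scopes):
            return "empty-missing-repo-scope"
        # Token is fine; look at org-side settings (OAuth App access restrictions).
        return "empty-check-org-access-restrictions"
    return f"unexpected-{status}"


# Constructed sample responses (not captured from GitHub) covering each branch.
SAMPLE_RESPONSES = {
    "public_repo_only": (200, {"X-OAuth-Scopes": "public_repo"}, "[]"),
    "repo_scope_ok": (200, {"X-OAuth-Scopes": "repo, read:org"},
                      '[{"name": "internal-tool", "private": true}]'),
    "saml_blocked": (403, {}, '{"message": "Resource protected by organization '
                               'SAML enforcement. You must grant your token access."}'),
    "revoked_token": (401, {}, '{"message": "Bad credentials"}'),
}


def diagnose_samples() -> dict:
    """Run diagnose() over the constructed samples; returns {name: label}."""
    return {name: diagnose(*resp) for name, resp in SAMPLE_RESPONSES.items()}


def list_org_repos(token: str, org: str):
    """Live call (needs network): returns (status, headers, body) for diagnose()."""
    req = urllib.request.Request(f"{GITHUB_API}/orgs/{org}/repos",
                                 headers=auth_headers(token))
    try:
        with urllib.request.urlopen(req) as resp:
            return resp.status, dict(resp.headers), resp.read().decode()
    except urllib.error.HTTPError as err:
        return err.code, dict(err.headers), err.read().decode()


if __name__ == "__main__":
    for name, label in diagnose_samples().items():
        print(f"{name}: {label}")
```

The point of checking X-OAuth-Scopes before trusting an empty result is that a 200 with [] is indistinguishable from "the org has no repos" unless you look at the scopes the token actually carries; the 403 branch is where SAML-enforced organizations show up, which is the case shiftkey's comment flags for personal access tokens.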

@shiftkey
Member

Closing this out due to inactivity.

Please open a fresh issue if there are things you would like to clarify.

@ianfixes

Opened #2002
