Correct place to create an OAuth Application

We have developed a back-end application which is capable of listing an authenticated user’s organizations, repositories, etc.
This application uses the GitHub OAuth2 web flow as the authentication mechanism.
In order to work with this application, we first need to create an OAuth application within GitHub.
With regard to this, there are two ways we can create an OAuth application in GitHub.

  • One is within an organization space
  • The other one is within a respective user’s space.

In a situation where we are listing a user’s organizations, repositories, etc., in which of the above spaces should we create the OAuth application?

  • Should we create a dedicated organization only to hold the OAuth application?
  • Should we create an OAuth application within a particular user’s space? (admin user etc.)

Hey there @gbidsilva

This is such a great question! Thanks for asking it, and hopefully I do you justice with my answer. :crossed_fingers:

I would say the consideration you’re pondering (Org vs User ownership) is an important one! I would say, however, that access to the information (users’ orgs and repos) the app queries for is less impacted by where the app is maintained - be that within an Organization or User account - than it might seem.

The permissions to query the data come from the installation of the individual entity, which can also be at the Org or User level.

Relevant docs for application permissions are here:

So I would suggest that the real consideration you would want to define for yourself is how the future maintenance of the app will be organized. Will an Organization that owns the app potentially dissolve, leaving the app in an inaccessible state? Or similarly, will the User account that maintains ownership of the account decide to no longer allow access to its maintenance, or take it down arbitrarily?

Ultimately, the ability to access a User’s Repo and Org data depends on where your users install your app, and the permissions that are required.

I really hope that makes sense! Please let us know if there’s anything remaining you’d like some guidance on.
