"Edit your organization membership" API not accessible via user-to-server GitHub app token


I’ve finally gotten around to trying to port a major GitHub OAuth application I’ve been using to the more modern GitHub App model, since so many things are improved.

However, I’m having issues with a particular user-to-server API that is described as being available: the REST v3 API “Edit your organization membership”, as documented here https://developer.github.com/v3/orgs/members/#edit-your-organization-membership, indicates that a user can essentially accept their organization invitation, as themselves, with a PATCH to this endpoint marking their state as ‘active’, if they have a pending invite to the org.

We successfully use this API from our OAuth application. For that to work, we must:

  • have the OAuth app authorized by that org

  • have the ‘org:write’ scope via OAuth for the user (OAuth app model)

  • have invited the user

The GitHub Apps docs on ‘identifying and authorizing users’, as documented here https://developer.github.com/apps/building-github-apps/identifying-and-authorizing-users-for-github-apps/, clearly list this API - “Edit your organization membership” - as OK for the GitHub App user-to-server flow.

The docs also indicate that for GitHub Apps using the OAuth flow, there is no longer a ‘scope’ concept, since the user is basically consenting as part of the approval. So, I feel like there may be a bug here.

So, when I issue the PATCH from my GitHub App as a user-to-server, using the user’s token received from OAuth via this GitHub app that I allowed, I get a 403 with this error message while posting the state:active parameters:

“You do not have access to this organization membership.”

Is this a bug, or are there other issues here? It almost feels like the behavior is slightly different, perhaps related to the scopes issue?

Thanks, and thank you for your help, it would be awesome to finally deprecate this old OAuth app model app for the GitHub App world!

If it helps pull telemetry… here are the headers associated with a sample of this error. I use the official octokit rest.js library that works for our OAuth app in this same call otherwise…

x-github-request-id: A955:02AD:B0A1EB:D240E0:5D800EE2

date: Mon, 16 Sep 2019 22:38:26 GMT

x-oauth-client-id: Iv1.a03c550179fc7393

This functionality is important, since it lets us offer a smoother onboarding experience to our users joining our GitHub organizations: we are able to:

  • ask the user to authenticate with our GitHub App via the OAuth client ID and secret and standard flow (no scope since that is not a GitHub App thing)
  • use the GitHub API to invite a user to our organization using our GitHub App installation token
  • use the user’s OAuth token to PATCH to the API discussed here to edit a user’s membership by accepting their invitation to the org (this does not work right now with our GitHub App)

The identical code in our OAuth app and the same everything else is:

  • ask the user to auth with our OAuth app via a GitHub OAuth app ID and secret and scope of “org:write”
  • use one of our org owner’s tokens to invite the user to the organization
  • use the user’s OAuth token, with the org:write scope, to call the API to accept their invitation

This is way more simple than asking the user to check their e-mail for the invite, etc.


Note - sorry the forum seems to have bugs around showing HTML links right now, I had to remove all links to post this… 

Note: I’m able to simulate this same error scenario with a legacy OAuth app: 

  • ‘Deny access’ to the OAuth app within the org’s third-party access list of approved legacy OAuth apps
  • The same “You do not have access to this organization membership.” error appears when using the user’s GitHub token as auth’d via the OAuth flow with the org:write scope

If I then go back to the third-party access page for the legacy app, and ‘Allow access’, the API call completes OK.

x-github-request-id C190:36ED:27286B0:2E8EE5A:5D813B59 is the legacy OAuth app equivalent request that failed after denying the legacy app third-party access.

I should also note, the GitHub App is from another organization separate from the org I have installed the GitHub App on. I would assume that installing the GitHub App on an org would be equivalent to authorizing an OAuth app to be used on that org.

Thanks for any insight.

This was recently fixed by the API team (thanks)!
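The invite-then-accept flow described in the thread, written out as an added example (not the poster's code or octokit): request construction and response classification are pure functions so the two token types, the two endpoints and the 403 shape are explicit, and `send` is the only part that touches the network. The org name, invitee id and tokens below are placeholders, and the 403 classification reflects the poster's own reproduction by denying third-party access (the GitHub App case itself turned out to be an API-side bug).

```javascript
// Added example, not the poster's code. GitHub REST v3 request shapes for the
// onboarding flow in the post; the network call is isolated in send().
const API = "https://api.github.com";

// Build a v3 request; `token` is either an installation token (invite step)
// or the user-to-server token from the GitHub App OAuth flow (accept step).
function buildRequest(method, path, token, body) {
  return {
    method,
    url: `${API}${path}`,
    headers: {
      Accept: "application/vnd.github.v3+json",
      Authorization: `token ${token}`,
      "Content-Type": "application/json",
    },
    body: JSON.stringify(body),
  };
}

// Step 2 of the post: invite the user with the app's *installation* token.
function buildInvite(installationToken, org, inviteeId) {
  return buildRequest("POST", `/orgs/${org}/invitations`, installationToken,
    { invitee_id: inviteeId, role: "direct_member" });
}

// Step 3 of the post: accept the pending invite as the user, with the *user's* token.
function buildAccept(userToken, org) {
  return buildRequest("PATCH", `/user/memberships/orgs/${org}`, userToken,
    { state: "active" });
}

// Classify the accept response. The 403 text quoted in the post is what the
// poster got when the app was not allowed for that org; keep the
// x-github-request-id for the support ticket instead of blindly retrying.
function classifyAccept(status, headers, body) {
  const requestId = headers["x-github-request-id"] || null;
  if (status === 200 && body && body.state === "active") {
    return { outcome: "joined", requestId };
  }
  const msg = (body && body.message) || "";
  if (status === 403 && /do not have access to this organization membership/i.test(msg)) {
    return { outcome: "app-not-authorized-for-org", requestId };
  }
  return { outcome: "unexpected", status, requestId };
}

// Real transport: pass a WHATWG fetch, e.g. send(fetch, buildAccept(token, org)).
async function send(fetchImpl, req) {
  const res = await fetchImpl(req.url, req);
  const text = await res.text();
  return { status: res.status, headers: Object.fromEntries(res.headers.entries()),
    body: text ? JSON.parse(text) : null };
}
```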