"Edit your organization membership" API not accessible via user-to-server GitHub app token #24811
Hi, I’ve finally gotten around to trying to port a major GitHub OAuth application I’ve been using to the more modern GitHub App model, since so many things are improved. However, I’m having issues with a particular user-to-server API that is described as being available: the REST v3 API “Edit your organization membership”, as documented here https://developer.github.com/v3/orgs/members/#edit-your-organization-membership, indicates that a user can essentially accept their organization invitation, as themselves, with a PATCH to this endpoint marking their state as ‘active’, if they have a pending invite to the org. We successfully use this API from our OAuth application. For that to work, we must:
The GitHub Apps docs on ‘identifying and authorizing users’, as documented here, clearly list this API - “Edit your organization membership” - as OK for the GitHub App user-to-server flow: https://developer.github.com/apps/building-github-apps/identifying-and-authorizing-users-for-github-apps/. The docs also indicate that for GitHub Apps using the OAuth flow, there is no longer a ‘scope’ concept, since the user is basically consenting as part of the approval. So, I feel like there may be a bug here.

So, when I issue the PATCH from my GitHub App as a user-to-server call, using the user’s token received from OAuth via this GitHub app that I allowed, I get a 403 with this error message while posting the state:active parameters: “You do not have access to this organization membership.”

Is this a bug, or are there other issues here? It almost feels like the behavior is slightly different, perhaps related to the scopes issue? Thanks, and thank you for your help, it would be awesome to finally deprecate this old OAuth app model app for the GitHub App world!

If it helps pull telemetry… here are the headers associated with a sample of this error. I use the official octokit rest.js library that works for our OAuth app in this same call otherwise…

x-github-request-id: A955:02AD:B0A1EB:D240E0:5D800EE2
date: Mon, 16 Sep 2019 22:38:26 GMT
x-oauth-client-id: Iv1.a03c550179fc7393

This functionality is important, since it lets us offer a smoother onboarding experience to our users joining our GitHub organizations: we are able to:
The identical code in our OAuth app and the same everything else is:
This is way more simple than asking the user to check their e-mail for the invite, etc.

Jeff

Note - sorry, the forum seems to have bugs around showing HTML links right now, I had to remove all links to post this…
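The call the post describes, as an added example that is not part of the original discussion and not octokit’s own code: a plain `fetch` PATCH to the “Edit your organization membership” endpoint with a user-to-server token, plus a result classifier that surfaces the 403 message quoted above together with the `x-github-request-id` GitHub support asks for. Assumptions: Node 18+ (global `fetch`); the `fetchImpl` parameter and the response shapes used offline are constructed for illustration.

```javascript
// Added example (not from the original post, not from octokit).
// Assumes Node 18+ for the global fetch; fetchImpl is injectable so the
// function can be exercised offline against constructed responses.

function buildAcceptInviteRequest(org, userToken) {
  // PATCH /user/memberships/orgs/:org with {"state":"active"}, as in the post.
  return {
    url: `https://api.github.com/user/memberships/orgs/${encodeURIComponent(org)}`,
    init: {
      method: 'PATCH',
      headers: {
        Accept: 'application/vnd.github.v3+json',
        Authorization: `token ${userToken}`,
        'Content-Type': 'application/json',
      },
      body: JSON.stringify({ state: 'active' }),
    },
  };
}

async function acceptOrgInvite(org, userToken, fetchImpl = fetch) {
  const { url, init } = buildAcceptInviteRequest(org, userToken);
  const res = await fetchImpl(url, init);
  // Keep the request id: it is what GitHub asks for when reporting an API bug.
  const requestId = res.headers.get('x-github-request-id') || '(none)';
  let body = {};
  try { body = await res.json(); } catch (_) { /* non-JSON body, keep {} */ }

  if (res.status === 200 && body.state === 'active') {
    return { ok: true, state: 'active', requestId };
  }
  if (res.status === 403 && /access to this organization membership/i.test(body.message || '')) {
    // The failure from the post: the token is valid, but the app is not
    // authorized for this org, so fall back to the e-mail invitation flow.
    return { ok: false, reason: 'app-not-authorized-for-org', requestId };
  }
  return { ok: false, reason: `http-${res.status}`, requestId };
}
```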
Note: I’m able to simulate this same error scenario with a legacy OAuth app:
If I then go back to the third-party access page for the legacy app, and ‘Allow access’, the API call completes OK. x-github-request-id C190:36ED:27286B0:2E8EE5A:5D813B59 is the legacy OAuth app equivalent request that failed after denying the legacy app third-party access. I should also note, the GitHub App is from another organization separate from the org I have installed the GitHub App on. I would assume that installing the GitHub App on an org would be equivalent to authorizing an OAuth app to be used on that org. Thanks for any insight.
This was recently fixed by the API team (thanks)!