I’ve finally gotten around to trying to port a major GitHub OAuth application I’ve been using to the more modern GitHub App model, since so many things are improved.
However, I’m having issues with a particular user-to-server API that is described as being available: the REST v3 API “Edit your organization membership”, as documented here https://developer.github.com/v3/orgs/members/#edit-your-organization-membership, indicates that a user can essentially accept their organization invitation, as themselves, with a PATCH to this endpoint marking their state as ‘active’, if they have a pending invite to the org.
We successfully use this API from our OAuth application. For that to work, we must:
- have the OAuth app authorized by that org
- have the ‘org:write’ scope via OAuth for the user (OAuth app model)
- have invited the user
The GitHub Apps docs on ‘identifying and authorizing users’, as documented here (https://developer.github.com/apps/building-github-apps/identifying-and-authorizing-users-for-github-apps/), clearly list this API - “Edit your organization membership” - as OK for the GitHub App user-to-server flow.
The docs also indicate that for GitHub Apps using the OAuth flow, there is no longer a ‘scope’ concept, since the user is basically consenting as part of the approval. So, I feel like there may be a bug here.
So, when I issue the PATCH from my GitHub App as a user-to-server call, using the user’s token received from OAuth via this GitHub App that I allowed, I get a 403 with this error message while posting the state:active parameters:
“You do not have access to this organization membership.”
Is this a bug, or are there other issues here? It almost feels like the behavior is slightly different, perhaps related to the scopes issue?
Thanks, and thank you for your help, it would be awesome to finally deprecate this old OAuth app model app for the GitHub App world!
If it helps pull telemetry… here are the headers associated with a sample of this error. I use the official octokit rest.js library that works for our OAuth app in this same call otherwise…
date: Mon, 16 Sep 2019 22:38:26 GMT
This functionality is important, since it lets us offer a more smooth onboarding experience to our users joining our GitHub organizations: we are able to:
- ask the user to authenticate with our GitHub App via the OAuth client ID and secret and standard flow (no scope since that is not a GitHub App thing)
- use the GitHub API to invite a user to our organization using our GitHub App installation token
- use the user’s OAuth token to PATCH to the API discussed here to edit a user’s membership by accepting their invitation to the org (this does not work right now with our GitHub App)
The identical code in our OAuth app and the same everything else is:
- ask the user to auth with our OAuth app via a GitHub OAuth app ID and secret and scope of “org:write”
- use one of our org owner’s tokens to invite the user to the organization
- use the user’s OAuth token, with the org:write scope, to call the API to accept their invitation
This is way more simple than asking the user to check their e-mail for the invite, etc.
Note - sorry the forum seems to have bugs around showing HTML links right now, I had to remove all links to post this…
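The three-step onboarding flow described above, as an added example (not the poster's code, and not using octokit): the GitHub REST v3 endpoints the post names are called through an injected HTTP client so the exchange can be exercised offline, and the 403 message quoted in the post is surfaced separately from other failures. Org name, tokens and user id are placeholders.

```javascript
// Added example, not the original poster's code. Step 1 (the OAuth handshake that
// yields tokens.user) is assumed to have already happened; `http` is a fetch-compatible
// function (pass globalThis.fetch for real use, or a fake for offline checks).
const API = "https://api.github.com";

async function ghRequest(http, token, method, path, body) {
  const res = await http(API + path, {
    method,
    headers: {
      Authorization: "token " + token,
      Accept: "application/vnd.github.v3+json",
      "Content-Type": "application/json",
    },
    body: body === undefined ? undefined : JSON.stringify(body),
  });
  const data = await res.json();
  return { status: res.status, data };
}

// Step 2: invite the user with the app's installation token (an org owner's token in the
// OAuth-app variant). invitee_id is the user's numeric GitHub id.
function inviteUser(http, installationToken, org, inviteeId) {
  return ghRequest(http, installationToken, "POST", `/orgs/${org}/invitations`, {
    invitee_id: inviteeId,
  });
}

// Step 3: the user accepts as themselves, using their own user-to-server token.
async function acceptInvitation(http, userToken, org) {
  const r = await ghRequest(http, userToken, "PATCH", `/user/memberships/orgs/${org}`, {
    state: "active",
  });
  if (r.status === 200) return { ok: true, state: r.data.state };
  // Keep the API's message so a 403 "You do not have access to this organization
  // membership." can be told apart from a bad token (401) or no pending invite (404).
  return { ok: false, status: r.status, message: r.data && r.data.message };
}

async function onboard(http, tokens, org, inviteeId) {
  const inv = await inviteUser(http, tokens.installation, org, inviteeId);
  if (inv.status !== 201) {
    return { ok: false, step: "invite", status: inv.status, message: inv.data.message };
  }
  const acc = await acceptInvitation(http, tokens.user, org);
  return acc.ok ? { ok: true, step: "accept", state: acc.state } : { ...acc, step: "accept" };
}
```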