GraphQL API v4 - "Resource not accessible by integration" when accessing a user's email address

I’m experimenting with a GitHub App where I’m having a bad time trying to access a user’s email address via the GraphQL v4 API. I’m identifying users as explained here. For a sanity check and to help the support team with debugging, I’ll include a series of points below:

App is public: yes

The user I’m trying to fetch the data for is the owner of the app: yes

**Request user authorization (OAuth) during installation:** yes

What kind of token I’m trying to use: an OAuth Access Token as received during the final portion of the step indicated here.

GitHub App Repository Permissions:

  • Actions: No access
  • Administration: Read
  • Checks: Read
  • Content references: Read
  • Contents: Read
  • Deployments: Read
  • Issues: Read
  • Metadata: Read
  • Pages: Read
  • Pull Requests: Read
  • Webhooks: Read
  • Projects: Read
  • Secrets: No access
  • Single file: No access
  • Commit statuses: Read
  • Security alerts: No access

Organization permissions:

  • Members: Read
  • Administration: Read
  • Webhooks: Read
  • Plan: Read
  • Projects: Read
  • Blocking Users: Read
  • Team discussions: Read

User permissions:

  • Block another user: Read
  • Email addresses: Read
  • Followers: Read
  • GPG Keys: Read
  • Git SSH Keys: Read
  • Plan: Read
  • Starring: Read
  • Watching: Read

Login Flow

Here I’m posting the screens from the login flow.

As you may see it seems like I’ve got all necessary permissions to access the user’s email.

Command To Reproduce

```bash
# <oauth_access_token> and <login> are placeholders; the login value must be a quoted JSON string
curl --location --request POST 'https://api.github.com/graphql' \
--header 'Content-Type: application/json' \
--header 'Authorization: token <oauth_access_token>' \
--data-raw '{"query":"query ($login: String!) {\n user(login: $login) {\n id\n login\n name\n email\n }\n}\n","variables":{"login":"<login>"}}'
```

Problem

The API returns the following:

```json
{
    "data": {
        "user": null
    },
    "errors": [
        {
            "type": "FORBIDDEN",
            "path": [
                "user",
                "email"
            ],
            "extensions": {
                "saml_failure": false
            },
            "locations": [
                {
                    "line": 6,
                    "column": 5
                }
            ],
            "message": "Resource not accessible by integration"
        }
    ]
}
```

However, sending a request to the REST API v3 using the same OAuth Access Token returns the user’s email address:

```
curl -v -H "Authorization: token <access_token>" https://api.github.com/user/emails
* Trying 140.82.118.5...
* TCP_NODELAY set
* Connected to api.github.com (140.82.118.5) port 443 (#0)
* ALPN, offering h2
* ALPN, offering http/1.1
* successfully set certificate verify locations:
* CAfile: /etc/ssl/cert.pem
  CApath: none
* TLSv1.2 (OUT), TLS handshake, Client hello (1):
* TLSv1.2 (IN), TLS handshake, Server hello (2):
* TLSv1.2 (IN), TLS handshake, Certificate (11):
* TLSv1.2 (IN), TLS handshake, Server key exchange (12):
* TLSv1.2 (IN), TLS handshake, Server finished (14):
* TLSv1.2 (OUT), TLS handshake, Client key exchange (16):
* TLSv1.2 (OUT), TLS change cipher, Change cipher spec (1):
* TLSv1.2 (OUT), TLS handshake, Finished (20):
* TLSv1.2 (IN), TLS change cipher, Change cipher spec (1):
* TLSv1.2 (IN), TLS handshake, Finished (20):
* SSL connection using TLSv1.2 / ECDHE-RSA-AES128-GCM-SHA256
* ALPN, server accepted to use http/1.1
* Server certificate:
* subject: C=US; ST=California; L=San Francisco; O=GitHub, Inc.; CN=*.github.com
* start date: Jul 8 00:00:00 2019 GMT
* expire date: Jul 16 12:00:00 2020 GMT
* subjectAltName: host "api.github.com" matched cert's "*.github.com"
* issuer: C=US; O=DigiCert Inc; OU=www.digicert.com; CN=DigiCert SHA2 High Assurance Server CA
* SSL certificate verify ok.
> GET /user/emails HTTP/1.1
> Host: api.github.com
> User-Agent: curl/7.64.1
> Accept: */*
> Authorization: token <access_token>
>
< HTTP/1.1 200 OK
< Date: Tue, 11 Feb 2020 21:49:54 GMT
< Content-Type: application/json; charset=utf-8
< Content-Length: 479
< Server: GitHub.com
< Status: 200 OK
< X-RateLimit-Limit: 5000
< X-RateLimit-Remaining: 4973
< X-RateLimit-Reset: 1581457848
< Cache-Control: private, max-age=60, s-maxage=60
< Vary: Accept, Authorization, Cookie, X-GitHub-OTP
< ETag: "acbce287f01e395cf956b917382f978b"
< X-OAuth-Scopes:
< X-Accepted-OAuth-Scopes:
< X-OAuth-Client-Id: <redacted>
< X-GitHub-Media-Type: github.v3; format=json
< Access-Control-Expose-Headers: ETag, Link, Location, Retry-After, X-GitHub-OTP, X-RateLimit-Limit, X-RateLimit-Remaining, X-RateLimit-Reset, X-OAuth-Scopes, X-Accepted-OAuth-Scopes, X-Poll-Interval, X-GitHub-Media-Type
< Access-Control-Allow-Origin: *
< Strict-Transport-Security: max-age=31536000; includeSubdomains; preload
< X-Frame-Options: deny
< X-Content-Type-Options: nosniff
< X-XSS-Protection: 1; mode=block
< Referrer-Policy: origin-when-cross-origin, strict-origin-when-cross-origin
< Content-Security-Policy: default-src 'none'
< Vary: Accept-Encoding, Accept
< X-GitHub-Request-Id: DF6F:40378:57F770:6B4C51:5E432182
<
<body redacted for privacy reasons>
* Connection #0 to host api.github.com left intact
* Closing connection 0
```

I’m at a loss as to what’s happening here. As you may have seen in my previous post, I had this same problem but while trying to access the user’s Pull Requests instead. However, after turning my GitHub App public I now am able to access the user’s Pull Requests but lost access to the user’s email address.

If I’m doing something wrong or have something misconfigured I have no idea where or how. I’ve been reading the documentation for GraphQL/GitHub Apps/Authentication back and forth for hours now and I can’t understand what’s wrong.

Note: this issue here seems very similar to mine, but the marked solution does not solve anything for my case because I’m already performing a user-to-server request using the OAuth token received during the authentication flow.
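The GraphQL response above is a partial failure: `data.user` is `null` while a per-field `FORBIDDEN` error carries the path `["user", "email"]`, so a client that only checks for an HTTP 200 will silently read no email. The following is an added example, not code from the post or from GitHub, showing how to surface the denied path and fall back to the REST `/user/emails` list (whose `email`/`primary`/`verified` fields follow GitHub's documented shape; the addresses themselves are constructed).

```python
import json

# Constructed sample: the GraphQL response quoted in the post above.
GRAPHQL_RESPONSE = json.loads("""{
  "data": {"user": null},
  "errors": [{
    "type": "FORBIDDEN",
    "path": ["user", "email"],
    "extensions": {"saml_failure": false},
    "locations": [{"line": 6, "column": 5}],
    "message": "Resource not accessible by integration"
  }]
}""")

# Constructed sample of a GET /user/emails body (the post redacted the real one).
REST_EMAILS = [
    {"email": "octocat@example.com", "primary": True, "verified": True, "visibility": "private"},
    {"email": "octocat@users.noreply.github.com", "primary": False, "verified": True, "visibility": None},
]

def forbidden_paths(resp):
    """Dotted paths of every FORBIDDEN error in a GraphQL response (e.g. 'user.email')."""
    return [".".join(str(p) for p in e.get("path", []))
            for e in resp.get("errors", []) if e.get("type") == "FORBIDDEN"]

def graphql_email(resp):
    """Email from data.user.email, or None when the field (or the whole user) was denied."""
    user = (resp.get("data") or {}).get("user")
    return user.get("email") if user else None

def primary_verified_email(emails):
    """Pick the primary, verified address from the REST /user/emails list; None if absent."""
    for e in emails:
        if e.get("primary") and e.get("verified"):
            return e["email"]
    return None

def resolve_email(gql_resp, rest_emails):
    """Prefer GraphQL; on a FORBIDDEN specifically at user.email, fall back to REST.
    Returns (email_or_None, source) so callers can log which path was denied."""
    email = graphql_email(gql_resp)
    if email:
        return email, "graphql"
    if "user.email" in forbidden_paths(gql_resp):
        fallback = primary_verified_email(rest_emails)
        if fallback:
            return fallback, "rest_fallback"
    return None, "unavailable"
```

Logging the `source` value makes the permission gap visible in your own telemetry instead of showing up as users with empty emails.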
