How do I grant an application access to read Issues from a private repo?

I have an organizational OAuth application that I would like to be able to list issues from a private repo via the GitHub API.

The same organization owns both the application and the private repo. I’m able to access the GitHub API via the applications client_id and client_secret and everything authenticates correctly.

However, the application is unable to list issues from a private repo owned by the same organization, even after I’ve granted the application the repo scope from my personal account (I can see the repo from my own account).

Is it possible for an application to be granted access to a private repo? If so, what am I doing wrong and/or what scopes need to be granted for it to work?

Hey @kauffj!

To do this, you’ll have to Authorize the OAuth Application onto your account (even though it’s “your” app!), which will generate a token that you can use to authenticate against the API with. Right now, when you “authenticate as the app”, you’re only able to see public resources.

If you’re only planning on doing this for yourself, you can use the Non-Web application flow to accomplish this. I would recommend using this route, to create an authorization for the OAuth App you are trying to use:

Let me know if I’ve gotten this right, or if anything doesn’t make sense!

1 Like

Appreciate the help @nickvanw! Unfortunately, I’ve still been unable to get this working.

From your post, it sounds like the step that I was missing was taking the code value returned after granting the permission and exchanging it for an access_token.

So here’s what I’m doing now:

  • I’m hitting /login/oauth/authorize?client_id=<application_client_id>&scope=repo on my personal account.

  • I’m granting access from my personal account to the app. I can see this show up as an authorized OAuth app with the proper scope in my personal settings.

  • I’m POSTing to /login/oauth/access_token?code=<returned_code>&client_id=<same_application_client_id>&client_secret=<application_client_secret>

However, this third step returns “Not Found”. I tried re-authorizing the application to get a fresh code and I’m still getting this response.

1 Like

I just used a personal auth token, but a future reader may still want an answer to this question.