How to access raw content from a private org repo (behind SSO) using OAuth access token


I am trying to fetch the content of a file using a ‘raw’ URL ( That file is from a private repository in an Organization using SSO. I can fetch the file using a Personal Access Token (PAT), but not using an OAuth access token.

Here is what I did:

  1. I created a PAT and enabled SSO for that token.(GITHUB_PAT_TOKEN=ghp_MNxHStN2MYXzD..........GI3zSBZ9)
  2. I created an OAuth application in my organization (to be transparent, I first created it under my account and transferred ownership to my org afterward)
  3. I requested an OAuth token using my registered application clientID and secret. (GITHUB_OAUTH_TOKEN=gho_bosr611HZ1Don..........VO0XWMr7)

I can hit using both PAT or OAuth token and I get a valid JSON describing my user:

curl  -X GET -H "Authorization: token $GITHUB_PAT_TOKEN"   -H "Accept: application/vnd.github.v3+json"
curl  -X GET -H "Authorization: token $GITHUB_OAUTH_TOKEN"   -H "Accept: application/vnd.github.v3+json"

So this tells me that my PAT and OAuth tokens are valid.

When I try to fetch a file from a private repository, only the call using the PAT works:

# No Authorization header
curl  -X GET
404: Not Found

# Using Authorization header with OAuth access token
curl  -X GET -H "Authorization: token $GITHUB_OAUTH_TOKEN"
404: Not Found

# Using Authorization header with PAT
curl  -X GET -H "Authorization: token $GITHUB_PAT_TOKEN"
<content of file.yaml>

What’s missing to make this work using my OAuth access token? Is it something even possible?

Note: To give more context on what I am trying to do, I have an application using Keycloak as an Identity Broker and GitHub is a configured Identity Provider. The OAuth application that I registered at the start of this post is for Keycloak. A user can authenticate to my application using GitHub as the identity provider. Once authenticated, Keycloak stores the token returned by GitHub and the user can retrieve it on demand to access files in GitHub.

The solution to my problem was a missing scope when requesting an OAuth token. I needed to add repo as scope. By default, it was only user:email.