Listing orgs for user doesn't work for GitHub App OAuth token

Summary

I want to list all of the authenticated user’s orgs. I’m not able to, no matter what method I try.

  • /user/memberships/orgs: returns only orgs created by the user
  • /users/:username/orgs: returns only public memberships
  • /user/orgs: returns only orgs created by the user

I’m authenticating with my own GitHub App, it has Organizations > Members: Read-only. I’m passing user:email and read:org scopes when logging in via OAuth using that App’s credentials.

Hunch

For what it’s worth, this feels like a bug in handling GitHub App-based OAuth tokens in particular. I can’t imagine this is broken for everyone, but perhaps making this request via an App’s OAuth token is a small enough use-case to go unnoticed.

Details

I have a GitHub App, with access to read Organization Members:

Following the (i), that includes List organization memberships for the authenticated user. So far so good.

I am in 3 Organizations (all public membership):

But that’s not what I get back, I get just the one I created:

% curl --silent \
  -H "Authorization: token {redacted}" \
  -H "Accept: application/vnd.github.v3+json" \
  https://api.github.com/user/memberships/orgs |
  jq '.[] | .organization.login' --raw-output
restyled-io

Just for fun, let’s try /users/pbrisbin/orgs (Organizations - GitHub Docs):

% curl --silent \
  -H "Authorization: token {redacted}" \
  -H "Accept: application/vnd.github.v3+json" \
  https://api.github.com/users/pbrisbin/orgs |
  jq '.[] | .login' --raw-output 
yesodweb
freckle
restyled-io

So great, here we get all my orgs. But all my organizations are public and the documentation is very clear:

This method only lists public memberships, regardless of authentication. If you need to fetch all of the organization memberships (public and private) for the authenticated user, use the List organizations for the authenticated user API instead.

Onto /user/orgs then? (Organizations - GitHub Docs)

Again, something to pay attention to:

This only lists organizations that your authorization allows you to operate on in some way (e.g., you can list teams with read:org scope, you can publicize your organization membership with user scope, etc.). Therefore, this API requires at least user or read:org scope

No worries. I’ve gone through the OAuth2 login flow with user:email and read:org scopes to get the token I’m testing with.

% curl --silent \
  -H "Authorization: token {redacted}" \
  -H "Accept: application/vnd.github.v3+json" \
  https://api.github.com/user/orgs |
  jq '.[] | .login' --raw-output 
restyled-io

I would expect all of these endpoints to return all 3 organizations. Further, I’d expect /user/memberships/orgs and /user/orgs to include orgs where my membership is private.

Is this a bug, or do I misunderstand something?
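
An added example, not part of the original post: a small diagnostic for the comparison above. It diffs the org logins returned by the three endpoints and reports which token type and which scopes the API actually sees, using GitHub's documented token prefixes and the X-OAuth-Scopes response header. The sample bodies, headers and token are constructed to mirror the outputs quoted in the post; the function names are hypothetical.

```python
import json

# Documented GitHub token prefixes, used to tell which kind of token is in hand.
TOKEN_PREFIXES = {
    "ghp_": "personal access token",
    "gho_": "OAuth App user token",
    "ghu_": "GitHub App user-to-server token",
    "ghs_": "GitHub App installation token",
}

def token_kind(token):
    """Classify a token by prefix; tokens issued before prefixes existed are 'unknown'."""
    return next((k for p, k in TOKEN_PREFIXES.items() if token.startswith(p)), "unknown")

def granted_scopes(headers):
    """Scopes attached to the token, read from the X-OAuth-Scopes response header."""
    lowered = {k.lower(): v for k, v in headers.items()}
    raw = lowered.get("x-oauth-scopes", "")
    return {s.strip() for s in raw.split(",") if s.strip()}

def logins(endpoint, body):
    """/user/memberships/orgs nests the org under .organization; the others do not."""
    items = json.loads(body)
    if endpoint == "/user/memberships/orgs":
        return {m["organization"]["login"] for m in items}
    return {o["login"] for o in items}

def missing_by_endpoint(responses):
    """For each endpoint, the orgs another endpoint returned but this one did not."""
    seen = {ep: logins(ep, body) for ep, body in responses.items()}
    union = set().union(*seen.values())
    return {ep: sorted(union - got) for ep, got in seen.items()}

# Constructed sample bodies shaped like the outputs quoted in the post.
SAMPLE = {
    "/user/memberships/orgs": '[{"organization": {"login": "restyled-io"}}]',
    "/users/pbrisbin/orgs": '[{"login": "yesodweb"}, {"login": "freckle"}, {"login": "restyled-io"}]',
    "/user/orgs": '[{"login": "restyled-io"}]',
}
# Constructed headers and token; real values come from `curl --include` output.
SAMPLE_HEADERS = {"X-OAuth-Scopes": ""}
SAMPLE_TOKEN = "ghu_" + "x" * 36

if __name__ == "__main__":
    print("token kind:", token_kind(SAMPLE_TOKEN))
    print("scopes on token:", sorted(granted_scopes(SAMPLE_HEADERS)) or "none")
    for ep, missing in missing_by_endpoint(SAMPLE).items():
        print(f"{ep}: missing {missing or 'nothing'}")
```

If the scopes set comes back empty even though scopes were requested at login, the token is not carrying them, and the org lists should be read with that in mind.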