What are the security protections for organisations and forked repos with respect to oauth apps?

I have a GitHub account connected to 3 organisations with OAuth app access restrictions. Additionally, this account has forked private repos from within those organisations (due to not having write access to every repo in the org, this is the best way we know to raise a PR against them).

When an OAuth app (in this case, CodeSandbox) requests access to my GitHub account, it specifies read and write access to public and private repositories. Below, all the orgs have an x and a message saying that until approved, the app cannot access private data of the orgs. This is good, as I do not want to grant access to the orgs' private data.

My questions:

  • Would the forked private repos from the org be readable for an app enabled to read private repos on my account, given that they were forked from an org with oauth app restrictions?
  • If those forked repos were not on my account (say I deleted them), would there be any way for an org to be compromised by an app being given OAuth access to my account, provided those orgs always have OAuth app restrictions and never allow that app?

Hi @BryceKK! :wave: Welcome to the Community!

  • Private forks inherit the permissions structure of the upstream or parent repository, so if apps are restricted upstream, they’ll also be restricted on the forks.

  • No, there’s no way for an OAuth App to get access to an org through your account when the org has restrictions in place.
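A way to verify the first point for your own account, added here as an example and not part of the thread above: enumerate the private repositories a given OAuth token can actually see and flag any fork whose parent is owned by an organisation. If the token belongs to an app the org has not approved and such a fork still shows up, the inherited restriction is not behaving as described. The script assumes the GitHub REST API v3 shapes (`GET /user/repos` returns `full_name`, `private`, `fork`; `GET /repos/{owner}/{repo}` adds a `parent` object with `owner.login` and `owner.type`), and the token, API base URL and sample data are placeholders and constructed values.

```python
"""Audit which private forks an OAuth token can read and whether their parent
repository belongs to an organisation (added example, not from the thread)."""
import json
import urllib.request

API = "https://api.github.com"  # assumption: github.com, not a GHES instance


def github_get(path, token):
    """Fetch one JSON document from the GitHub REST API with a bearer token.
    Only used in live mode; the offline demo below never calls it."""
    req = urllib.request.Request(
        API + path,
        headers={"Authorization": "Bearer " + token,
                 "Accept": "application/vnd.github+json"},
    )
    with urllib.request.urlopen(req) as resp:
        return json.load(resp)


def fork_origins(repos, get_detail):
    """For every private fork in `repos`, resolve its parent via
    `get_detail(full_name)` and return (fork, parent_owner, parent_owner_type).
    The list endpoint omits `parent`, so one detail lookup per fork is needed."""
    out = []
    for r in repos:
        if r.get("private") and r.get("fork"):
            detail = get_detail(r["full_name"]) or {}
            owner = (detail.get("parent") or {}).get("owner") or {}
            out.append((r["full_name"], owner.get("login"), owner.get("type")))
    return out


def org_forks_visible(repos, get_detail):
    """Names of private forks whose parent is owned by an Organization.
    For a token issued to an app the org has NOT approved, this should be
    empty; anything listed here is worth raising with the org admins."""
    return [name for name, _login, otype in fork_origins(repos, get_detail)
            if otype == "Organization"]


# Constructed sample standing in for the two API responses (offline demo).
SAMPLE_REPOS = [
    {"full_name": "brycekk/notes", "private": True, "fork": False},
    {"full_name": "brycekk/org-tool", "private": True, "fork": True},
    {"full_name": "brycekk/friend-lib", "private": True, "fork": True},
    {"full_name": "brycekk/public-fork", "private": False, "fork": True},
]
SAMPLE_DETAIL = {
    "brycekk/org-tool": {"parent": {"owner": {"login": "example-org",
                                              "type": "Organization"}}},
    "brycekk/friend-lib": {"parent": {"owner": {"login": "somefriend",
                                                "type": "User"}}},
}


def audit_live(token):
    """Live mode: same audit against the real API using the supplied token."""
    repos = github_get("/user/repos?visibility=private&per_page=100", token)
    return org_forks_visible(repos, lambda fn: github_get("/repos/" + fn, token))


if __name__ == "__main__":
    # Offline: expect only the org-parented fork to be flagged.
    print(org_forks_visible(SAMPLE_REPOS, SAMPLE_DETAIL.get))
    # Live: audit_live("<OAUTH_TOKEN_PLACEHOLDER>")
```

Run it once with a token issued to the restricted app and once with a personal token: the restricted token should return an empty list, while the personal token lists the org-parented forks you expect. Repositories that only exist in the list response but fail the detail lookup are treated as having no parent and are not flagged, so a permission error on the detail call is itself a sign the restriction is working.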