What is "User authorization callback URL" for?

I’ve set “User authorization callback URL” in my “Github App” settings and when a user installed my app, they are not taken to that URL.

I expected the user to be taken to the URL I’ve entered for “User authorization callback URL” not taken to the github installations page.

I tried to set the “Setup URL (optional)” and this gives me the desired behavior.

What is “User authorization callback URL” for?

Hi @unformatt,

Thanks for being here! Per the docs did you set up a route to specify what the callback should do?


Hi AndreaG,

Yes, my server is ready to accept the callback URL. However, Github is not redirecting the user to the callback URL. It’s not a matter of 404 as mentioned in your link. Github is redirecting back to Github, not my site.

Thanks

Matt

Hi @unformatt,

Did you ever solve this? I have the exact same problem - the “User authorization callback URL” appears to be a no-op. The user is never brought there, and no messages are sent to that URL, it just redirects to https://github.com/settings/installations/xxxx.

@jonathan-marcus - I can’t remember how I got around it. I think when the user first installs the apps, it works (i.e. redirects) but after that, if they just updated settings, it does not redirect. I never found a way around it. Very bad UX for my users.

Yeah, it’s not good. I don’t remember all the different combinations I’ve tried, but I currently have “Request user authorization (OAuth) during installation” checked and it does send me to this URL. I tried having the “Setup URL” specified also, but I was never able to get it really correct. I am okay right now, I do get a redirect after the GitHub app is installed, but it feels very fragile.

:wave: @unformatt!

There are two types of API authorization for GitHub Apps:

  1. Server-to-server, where the App acts as itself and authenticates using an installation access token (tied to a specific installation)
  2. User-to-server, where the App acts on behalf of a user and authenticates using an OAuth token (tied to a combination of the user and any installations on accounts the user has access to)

The “User authorization callback URL” is the URL that people are redirected to after they authorize your GitHub App to act on their behalf. This is the user-to-server OAuth flow for GitHub Apps.

For example, a user could visit https://github.com/login/oauth/authorize?client_id=Iv1.YourAppsClientIdHere and, if they agreed, click the “Authorize” button to grant your App authority to act on their behalf.

The “Setup URL” is the URL that people are redirected to after they install your App (either on their own user account, or on an organization to which they have access). Having your App installed somewhere is a prerequisite for authenticating as an installation (server-to-server).

These two things can happen independently, so there are two different URLs in the App’s settings that you can configure.

If you check the “Request user authorization (OAuth) during installation” box, users will always be asked to authorize (OAuth) your App when it’s installed and they will always be redirected to your App’s “User authorization callback URL” and not your App’s “Setup URL”.

In this case, if you always want your users to go through the OAuth flow after installation or updating their installation’s settings you should:

  1. Enter a URL in the “User authorization callback URL”
  2. Check the “Request user authorization (OAuth) during installation” box
  3. The “Setup URL” field will be disabled at this point
  4. Check the “Redirect on update” box

If you don’t need to use the OAuth flow with your GitHub App, then do the following:

  1. Leave the “User authorization callback URL” field blank
  2. Uncheck the “Request user authorization (OAuth) during installation” box
  3. Enter a URL in the “Setup URL” field
  4. Check the “Redirect on update” box

Users will always be redirected to your “Setup URL” whenever your App is installed, or an installation’s settings updated (e.g. repositories added/removed).
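The user-to-server flow described in this answer, as an added example that is not code from the thread or from GitHub: the app mints a `state` before sending the user to the authorize URL, and the handler behind the “User authorization callback URL” checks that `state` before it is willing to exchange the `code`. The authorize and token endpoint URLs are GitHub’s documented ones; the `installation_id` and `setup_action` query parameters on a GitHub-initiated redirect (the “Request user authorization (OAuth) during installation” case) are assumed from GitHub’s docs, not from this thread, and the function names are hypothetical.

```python
import secrets
from urllib.parse import urlencode, urlparse, parse_qs

AUTHORIZE_URL = "https://github.com/login/oauth/authorize"
TOKEN_URL = "https://github.com/login/oauth/access_token"  # POST target for the code exchange


def build_authorize_url(client_id, redirect_uri, session):
    """App-initiated flow: remember a random state in the user's session and
    send the user to GitHub's authorize page (redirect_uri must be the
    configured 'User authorization callback URL')."""
    state = secrets.token_urlsafe(32)
    session["oauth_state"] = state
    params = {"client_id": client_id, "redirect_uri": redirect_uri, "state": state}
    return f"{AUTHORIZE_URL}?{urlencode(params)}"


def handle_callback(callback_url, session, client_id, client_secret):
    """Parse the redirect that lands on the callback URL and decide whether the
    delivered code may be exchanged. Raises ValueError instead of exchanging
    a code whose origin cannot be tied to something this app started."""
    q = {k: v[0] for k, v in parse_qs(urlparse(callback_url).query).items()}
    code, state = q.get("code"), q.get("state")
    expected = session.pop("oauth_state", None)  # single use, even on failure
    if state is not None or expected is not None:
        # App-initiated flow: state must round-trip unchanged (CSRF check).
        if state is None or expected is None or not secrets.compare_digest(state, expected):
            raise ValueError("state mismatch: discarding code")
        session_bound = True
    elif "setup_action" in q:
        # GitHub-initiated redirect after install/update (assumed parameter
        # names): no state exists yet, so the resulting token must not be
        # linked to whatever account this browser session already holds.
        session_bound = False
    else:
        raise ValueError("unexpected callback: no state and no setup_action")
    if code is None:
        raise ValueError("callback carried no code")
    return {
        "session_bound": session_bound,
        "installation_id": q.get("installation_id"),
        "setup_action": q.get("setup_action"),
        # Body to POST to TOKEN_URL with 'Accept: application/json'.
        "token_request": {"client_id": client_id, "client_secret": client_secret, "code": code},
    }
```

The POST itself is left to the caller so the block runs offline; the important check is that a `code` arriving with an unknown or missing `state` is never silently attached to an existing login.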