GraphQL API v4 - "Resource not accessible by integration" when accessing a user's email address

I'm experimenting with a GitHub App where I'm having a bad time trying to access a user's email address via the GraphQL v4 API. I'm identifying users as explained here. As a sanity check, and to help the support team with debugging, I'll include a series of points below:

App is public: yes

The user whose data I'm trying to fetch is the owner of the app: yes
Request user authorization (OAuth) during installation: yes

What kind of token I'm trying to use: an OAuth Access Token as received during the final portion of the step indicated here
GitHub App Repository Permissions:

  • Actions: No access
  • Administration: Read
  • Checks: Read
  • Content references: Read
  • Contents: Read
  • Deployments: Read
  • Issues: Read
  • Metadata: Read
  • Pages: Read
  • Pull Requests: Read
  • Webhooks: Read
  • Projects: Read
  • Secrets: No access
  • Single file: No access
  • Commit statuses: Read
  • Security alerts: No access

Organization permissions:

  • Members: Read
  • Administration: Read
  • Webhooks: Read
  • Plan: Read
  • Projects: Read
  • Blocking Users: Read
  • Team discussions: Read

User permissions:

  • Block another user: Read
  • Email addresses: Read
  • Followers: Read
  • GPG Keys: Read
  • Git SSH Keys: Read
  • Plan: Read
  • Starring: Read
  • Watching: Read


Login Flow

Here I'm posting the screens from the login flow.

[Three screenshots of the login flow, taken 2020-02-11 at 22:03]

As you can see, it seems I have all the necessary permissions to access the user's email.

Command To Reproduce

curl --location --request POST 'https://api.github.com/graphql' \
--header 'Content-Type: application/json' \
--header 'Authorization: token <oauth_access_token>' \
--data-raw '{"query":"query ($login: String!) {\n user(login: $login) {\n id\n login\n name\n email\n }\n}\n","variables":{"login":"<login>"}}'

Problem

The API returns the following:


{
    "data": {
        "user": null
    },
    "errors": [
        {
            "type": "FORBIDDEN",
            "path": [
                "user",
                "email"
            ],
            "extensions": {
                "saml_failure": false
            },
            "locations": [
                {
                    "line": 6,
                    "column": 5
                }
            ],
            "message": "Resource not accessible by integration"
        }
    ]
}

However, sending a request to the REST API v3 using the same OAuth Access Token returns the user's email address:

curl -v -H "Authorization: token <access_token>" https://api.github.com/user/emails
*   Trying 140.82.118.5...
* TCP_NODELAY set
* Connected to api.github.com (140.82.118.5) port 443 (#0)
* ALPN, offering h2
* ALPN, offering http/1.1
* successfully set certificate verify locations:
*   CAfile: /etc/ssl/cert.pem
  CApath: none
* TLSv1.2 (OUT), TLS handshake, Client hello (1):
* TLSv1.2 (IN), TLS handshake, Server hello (2):
* TLSv1.2 (IN), TLS handshake, Certificate (11):
* TLSv1.2 (IN), TLS handshake, Server key exchange (12):
* TLSv1.2 (IN), TLS handshake, Server finished (14):
* TLSv1.2 (OUT), TLS handshake, Client key exchange (16):
* TLSv1.2 (OUT), TLS change cipher, Change cipher spec (1):
* TLSv1.2 (OUT), TLS handshake, Finished (20):
* TLSv1.2 (IN), TLS change cipher, Change cipher spec (1):
* TLSv1.2 (IN), TLS handshake, Finished (20):
* SSL connection using TLSv1.2 / ECDHE-RSA-AES128-GCM-SHA256
* ALPN, server accepted to use http/1.1
* Server certificate:
*  subject: C=US; ST=California; L=San Francisco; O=GitHub, Inc.; CN=*.github.com
*  start date: Jul  8 00:00:00 2019 GMT
*  expire date: Jul 16 12:00:00 2020 GMT
*  subjectAltName: host "api.github.com" matched cert's "*.github.com"
*  issuer: C=US; O=DigiCert Inc; OU=www.digicert.com; CN=DigiCert SHA2 High Assurance Server CA
*  SSL certificate verify ok.
> GET /user/emails HTTP/1.1
> Host: api.github.com
> User-Agent: curl/7.64.1
> Accept: */*
> Authorization: token <access_token>
>
< HTTP/1.1 200 OK
< Date: Tue, 11 Feb 2020 21:49:54 GMT
< Content-Type: application/json; charset=utf-8
< Content-Length: 479
< Server: GitHub.com
< Status: 200 OK
< X-RateLimit-Limit: 5000
< X-RateLimit-Remaining: 4973
< X-RateLimit-Reset: 1581457848
< Cache-Control: private, max-age=60, s-maxage=60
< Vary: Accept, Authorization, Cookie, X-GitHub-OTP
< ETag: "acbce287f01e395cf956b917382f978b"
< X-OAuth-Scopes:
< X-Accepted-OAuth-Scopes:
< X-OAuth-Client-Id: <redacted>
< X-GitHub-Media-Type: github.v3; format=json
< Access-Control-Expose-Headers: ETag, Link, Location, Retry-After, X-GitHub-OTP, X-RateLimit-Limit, X-RateLimit-Remaining, X-RateLimit-Reset, X-OAuth-Scopes, X-Accepted-OAuth-Scopes, X-Poll-Interval, X-GitHub-Media-Type
< Access-Control-Allow-Origin: *
< Strict-Transport-Security: max-age=31536000; includeSubdomains; preload
< X-Frame-Options: deny
< X-Content-Type-Options: nosniff
< X-XSS-Protection: 1; mode=block
< Referrer-Policy: origin-when-cross-origin, strict-origin-when-cross-origin
< Content-Security-Policy: default-src 'none'
< Vary: Accept-Encoding, Accept
< X-GitHub-Request-Id: DF6F:40378:57F770:6B4C51:5E432182
<
<body redacted for privacy reasons>
* Connection #0 to host api.github.com left intact
* Closing connection 0

I'm at a loss as to what's happening here. As you may have seen in my previous post, I had this same problem, but while trying to access the user's Pull Requests instead. However, after making my GitHub App public I am now able to access the user's Pull Requests but have lost access to the user's email address.

If I'm doing something wrong or have something misconfigured I have no idea where or how. I've been reading the documentation for GraphQL/GitHub Apps/Authentication back and forth for hours now and I can't understand what's wrong.

Note: this issue here seems very similar to mine, but the marked solution does not solve anything for my case because I'm already performing a user-to-server request using the OAuth token received during the authentication flow.
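One way to gather the evidence this post asks for in a repeatable form, as an added example that is not the poster's code and not GitHub's: it works offline on a constructed copy of the GraphQL error response and REST headers shown above, serializes the request body with `json.dumps` so the login variable is always a quoted JSON string, pulls the `FORBIDDEN` field paths out of the `errors` array (the HTTP status is 200 even when a field is denied), and reads `X-OAuth-Scopes`, which GitHub returns empty for a GitHub App user-to-server token because such tokens carry the app's permissions rather than OAuth scopes. The helper names (`forbidden_paths`, `token_kind`, `diagnose`) are my own.

```python
"""Summarize a GitHub GraphQL "Resource not accessible by integration" failure.

Added example, not code from the original post. Runs offline on constructed
copies of the responses shown in the thread; no token or network is needed.
"""
import json

# Constructed copy of the GraphQL response quoted in the post.
SAMPLE_GRAPHQL_RESPONSE = {
    "data": {"user": None},
    "errors": [
        {
            "type": "FORBIDDEN",
            "path": ["user", "email"],
            "extensions": {"saml_failure": False},
            "locations": [{"line": 6, "column": 5}],
            "message": "Resource not accessible by integration",
        }
    ],
}

# Constructed subset of the REST /user/emails response headers from the post.
SAMPLE_REST_HEADERS = {
    "Status": "200 OK",
    "X-OAuth-Scopes": "",
    "X-Accepted-OAuth-Scopes": "",
    "X-GitHub-Media-Type": "github.v3; format=json",
}

USER_EMAIL_QUERY = """query ($login: String!) {
  user(login: $login) {
    id
    login
    name
    email
  }
}"""


def build_graphql_body(login: str) -> str:
    """Serialize query and variables with json.dumps so the login is a
    correctly quoted and escaped JSON string, whatever characters it holds."""
    return json.dumps({"query": USER_EMAIL_QUERY, "variables": {"login": login}})


def forbidden_paths(response: dict) -> list:
    """Return the dotted field paths refused with a FORBIDDEN GraphQL error.

    GraphQL answers 200 OK even when individual fields are denied; the denied
    field is named by the "path" entry of each error, not by the HTTP status.
    """
    paths = []
    for err in response.get("errors", []):
        if err.get("type") == "FORBIDDEN":
            paths.append(".".join(str(p) for p in err.get("path", [])))
    return paths


def token_kind(rest_headers: dict) -> str:
    """Classify the token from the REST headers. OAuth app tokens list their
    scopes in X-OAuth-Scopes; a GitHub App user-to-server token is governed by
    the app's permissions instead and the header comes back empty."""
    scopes = rest_headers.get("X-OAuth-Scopes", "").strip()
    return "oauth-scoped" if scopes else "github-app-permissions"


def diagnose(graphql_response: dict, rest_headers: dict) -> dict:
    """Combine both observations into one report suitable for a support ticket."""
    return {
        "token_kind": token_kind(rest_headers),
        "rest_ok": rest_headers.get("Status", "").startswith("200"),
        "graphql_denied_fields": forbidden_paths(graphql_response),
        "user_object_null": graphql_response.get("data", {}).get("user") is None,
    }


if __name__ == "__main__":
    print(build_graphql_body("octocat"))  # "octocat" is a constructed login
    print(json.dumps(diagnose(SAMPLE_GRAPHQL_RESPONSE, SAMPLE_REST_HEADERS), indent=2))
```

Run against real responses, the report makes the asymmetry in the post explicit: the same token is accepted by REST `/user/emails` yet the GraphQL `user.email` field is the one being denied, and the empty `X-OAuth-Scopes` header confirms the request is indeed evaluated under GitHub App permissions rather than OAuth scopes.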