I've finally gotten around to trying to port a major GitHub OAuth application I've been using to the more modern GitHub App model, since so many things are improved.
However, I'm having issues with a particular user-to-server API that is described as being available: the REST v3 API "Edit your organization membership", as documented here https://developer.github.com/v3/orgs/members/#edit-your-organization-membership, indicates that a user can essentially accept their organization invitation, as themselves, with a PATCH to this endpoint marking their state as 'active', if they have a pending invite to the org.
We successfully use this API from our OAuth application. For that to work, we must:
- have the OAuth app authorized by that org
- have the 'org:write' scope via OAuth for the user (OAuth app model)
- have invited the user
The GitHub Apps docs on 'identifying and authorizing users', as documented here https://developer.github.com/apps/building-github-apps/identifying-and-authorizing-users-for-github-... , clearly list this API - "Edit your organization membership" - as OK for the GitHub App user-to-server flow.
The docs also indicate that for GitHub Apps using the OAuth flow, there is no longer a 'scope' concept, since the user is basically consenting as part of the approval. So, I feel like there may be a bug here.
So, when I issue the PATCH from my GitHub App as a user-to-server call, using the user's token received from OAuth via this GitHub App that I allowed, I get a 403 with this error message while posting the state:active parameters:
"You do not have access to this organization membership."
Is this a bug, or are there other issues here? It almost feels like the behavior is slightly different, perhaps related to the scopes issue?
Thanks, and thank you for your help, it would be awesome to finally deprecate this old OAuth app model app for the GitHub App world!
If it helps pull telemetry... here are the headers associated with a sample of this error. I use the official octokit rest.js library that works for our OAuth app in this same call otherwise...
Note: I'm able to simulate this same error scenario with a legacy OAuth app:
If I then go back to the third-party access page for the legacy app, and 'Allow access', the API call completes OK.
x-github-request-id C190:36ED:27286B0:2E8EE5A:5D813B59 is the legacy OAuth app equivalent request that failed after denying the legacy app third-party access.
I should also note, the GitHub App is from another organization separate from the org I have installed the GitHub App on. I would assume that installing the GitHub App on an org would be equivalent to authorizing an OAuth app to be used on that org.
Thanks for any insight.
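The call the post is about, as an added example that is not part of the original post and not octokit's or GitHub's own code: a small plain-JavaScript client for the "Edit your organization membership" endpoint (PATCH /user/memberships/orgs/:org with a state:active body) whose HTTP transport is injectable, so the exact 403 the post reports ("You do not have access to this organization membership.") can be reproduced and classified offline. The transport interface, the `fetchTransport` helper and the request ID in the fake response are assumptions of this example; only the endpoint, the body and the 403 message come from the post.

```javascript
// Added example (not from the original post, octokit or GitHub).
// Transport contract (assumed): (req) => Promise<{ status, headers, json }>.

const API_BASE = "https://api.github.com";
const NO_ACCESS_MSG = "You do not have access to this organization membership.";

// Build the user-to-server PATCH the post describes: the user's own OAuth
// token plus a JSON body setting the membership state to "active".
function buildAcceptInviteRequest(org, userToken) {
  if (!/^[A-Za-z0-9-]+$/.test(org)) throw new Error("invalid org login");
  if (!userToken) throw new Error("user token required");
  return {
    method: "PATCH",
    url: `${API_BASE}/user/memberships/orgs/${encodeURIComponent(org)}`,
    headers: {
      Accept: "application/vnd.github.v3+json",
      Authorization: `token ${userToken}`,
      "Content-Type": "application/json",
    },
    body: JSON.stringify({ state: "active" }),
  };
}

// Map the response to an outcome. Only cases the post documents are named;
// anything else is surfaced verbatim, with the request ID kept for support.
function classifyResponse(status, json, headers = {}) {
  const requestId = headers["x-github-request-id"] || null;
  if (status === 200 && json && json.state === "active") {
    return { outcome: "accepted", requestId };
  }
  if (status === 403 && json && json.message === NO_ACCESS_MSG) {
    // In the post this exact 403 appeared after the org denied the app
    // third-party access, and cleared once access was allowed again.
    return {
      outcome: "org_access_denied",
      requestId,
      hint: "check the organization's third-party / app access settings",
    };
  }
  return { outcome: "unexpected", status, requestId, message: json ? json.message : null };
}

// Run the whole flow through whatever transport the caller supplies.
async function acceptOrgInvite(org, userToken, transport) {
  const req = buildAcceptInviteRequest(org, userToken);
  const res = await transport(req);
  return classifyResponse(res.status, res.json, res.headers || {});
}

// Real transport on top of global fetch (Node 18+); not used by the offline demo.
async function fetchTransport(req) {
  const r = await fetch(req.url, { method: req.method, headers: req.headers, body: req.body });
  let json = null;
  try { json = await r.json(); } catch (_) { /* non-JSON body */ }
  return { status: r.status, headers: Object.fromEntries(r.headers.entries()), json };
}

// Constructed fake transport reproducing the 403 from the post. The request ID
// is a placeholder, not a value from the post.
function fakeDeniedTransport(_req) {
  return Promise.resolve({
    status: 403,
    headers: { "x-github-request-id": "PLACEHOLDER-REQUEST-ID" },
    json: { message: NO_ACCESS_MSG },
  });
}

// Offline demo: the denied case, then the success shape for comparison.
acceptOrgInvite("example-org", "ghu_placeholder_token", fakeDeniedTransport)
  .then((r) => console.log("denied:", r));
console.log("accepted:", classifyResponse(200, { state: "active" }, {}));
```

To run it against the real API, pass `fetchTransport` as the third argument of `acceptOrgInvite` with a genuine user-to-server token; the classifier keeps `x-github-request-id` so a failing call can be quoted in a support ticket exactly as the post does.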