Reputation: 3209
My goal is to be able to list and access private repositories of a user.
For this, I've set up a GitHub App to perform some tasks as an app. I have also enabled the OAuth capability of my app. I want to make clear that this is a GitHub App with OAuth capabilities, not an OAuth App itself.
In the registered callback, I obtain an installation_id that allows me to execute actions on behalf of the app. Additionally, I receive a code which I then exchange for a valid authorization key to execute actions on behalf of the user.
Despite my attempts to request all repositories using either the installation ID or the authorization code, I'm only able to access public repositories. It appears that private repositories can only be accessed through a Personal Access Token (PAT) or maybe a dedicated OAuth App. Am I missing something?
Upvotes: 2
Views: 2939
Reputation: 717
Listing accessible repos as an app is a two-step process:
1. Get an Installation Access Token from https://api.github.com/app/installations/{installation_id}/access_tokens, authenticating as the App (Bearer authorization, and a JWT signed by the App Private Key). The Installation Access Token expires 1 hour after issuance.
2. Use the Installation Access Token as Bearer authorization token to query one of the available API endpoints, such as /installation/repositories
You won't be able to list the user's private repositories, but only those he granted your app access to. That list of repos may include some private repositories, but the app will not have access to private repos it was not granted access to.
You can access the repos themselves as an app for clone/fetch/etc. using a URL like "https://x-access-token:{installation_access_token}@{reponame}".
Upvotes: 1
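The two steps from the answer above, as an added Ruby example (not code from either poster or from GitHub). The function names, the 9-minute JWT lifetime and the single page of 100 results are choices made here, and the network calls assume api.github.com is reachable.

```ruby
require 'openssl'
require 'json'
require 'base64'
require 'net/http'

GITHUB_API = 'https://api.github.com'

def b64url(data)
  Base64.urlsafe_encode64(data, padding: false)
end

# Step 1a: JWT signed with the App private key (RS256).
# iat is backdated 60 s for clock drift; exp stays under GitHub's 10-minute limit.
def app_jwt(app_id, private_key_pem, now = Time.now.to_i)
  key = OpenSSL::PKey::RSA.new(private_key_pem)
  header = b64url(JSON.generate(alg: 'RS256', typ: 'JWT'))
  claims = b64url(JSON.generate(iat: now - 60, exp: now + 540, iss: app_id.to_s))
  signing_input = "#{header}.#{claims}"
  "#{signing_input}.#{b64url(key.sign(OpenSSL::Digest.new('SHA256'), signing_input))}"
end

def github_request(verb, path, bearer)
  uri = URI("#{GITHUB_API}#{path}")
  req = (verb == :post ? Net::HTTP::Post : Net::HTTP::Get).new(uri)
  req['Authorization'] = "Bearer #{bearer}"
  req['Accept'] = 'application/vnd.github+json'
  res = Net::HTTP.start(uri.host, uri.port, use_ssl: true) { |http| http.request(req) }
  # Report only the status; never log the bearer value or the response body.
  raise "GitHub API #{path}: HTTP #{res.code}" unless res.is_a?(Net::HTTPSuccess)
  JSON.parse(res.body)
end

# Step 1b: exchange the JWT for an installation access token (expires after 1 hour).
def installation_token(jwt, installation_id)
  id = Integer(installation_id) # reject anything that is not a plain number
  github_request(:post, "/app/installations/#{id}/access_tokens", jwt)['token']
end

# Step 2: list what the installation was granted (first page only).
# Private repos show up here only if the user selected them for the app.
def granted_repos(token)
  github_request(:get, '/installation/repositories?per_page=100', token)['repositories']
    .map { |r| { name: r['full_name'], private: r['private'] } }
end

def list_installation_repos(app_id, private_key_pem, installation_id)
  granted_repos(installation_token(app_jwt(app_id, private_key_pem), installation_id))
end
```

Call `list_installation_repos(app_id, File.read(key_path), installation_id)` with the values from the app's settings page and the callback; request a fresh token per job rather than storing one.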