GitHub App's user token can't list private repositories

[riywo]

Select Topic Area

Question

Body

I created a GitHub App (not OAuth App) and tried this API to list all private repositories with the user's token retrieved by OAuth web flow. However, it returned empty.

Once I installed the GitHub App to one of my private repositories, the repository was returned but that's all. I couldn't see any other private repositories.

Is there any way to list all private repositories which the authenticated user has access?

Note: I added "Read-only" permission for content to the GitHub App.

Note: I can't see the section like below in the GitHub App's settings.

You can select user-level permissions from within your GitHub App's settings in the User permissions section of the Permissions & webhooks page.
https://docs.github.com/en/apps/creating-github-apps/authenticating-with-a-github-app/identifying-and-authorizing-users-for-github-apps#user-level-permissions

[boutell]

I have the same issue, it's driving me bananas.

I have an access token and I'm sending it (the /user/repos endpoint wouldn't work at all if I wasn't). I only get public repos back, no matter what I do.

I gave the github app the following permissions, because I also want it to create and manage repositories:

Repository Permissions: Administration (read-write), Contents (read-write), Metadata (read-only)

Organization Permissions: Members (read-only)

What am I missing?

[RrNn]

Did anyone find a solution or the docs that point on how to list a users private repos?
Its been driving me nuts for a while now

[amber-beasley-liatrio]

Using GraphQL works but using api does not work for getting any private repos (org or user)

[god-s-perfect-idiot]

Please do lmk if u find a fix for this. :(

[rarild]

I finally found a solution! 😅 As mentioned here:

In order to view and access private repos, the Github App needs to be installed on the user's account.

I went into my Developer settings, clicked the Github app > Install App
After installing the app I would finally get the private repos in addition to the public ones in the response from /user/repos

[ninjadev64]

Thank you! I was using the https://github.com/login/oauth/authorize endpoint to obtain an access token and had no idea that it needed to be seperately installed as well.

[Frajdi]

Yeah it worked for me too but does this mean each user has to install the app in their account , isn't there a way to make the users achieve this without leaving my app for example?

[Angus-Moore-Dev]

+1

[untamed-theory]

I still don't have this one resolved either. Glad to see others with the same problem. I have the app installed and have used the APP ID, Installation ID, and certificate to generate authentication with the app.

These still only list the public repositories. Even when providing the type=all parameter.

Any help appreciated. May have to resort to the GraphQL call since that seems to work for folks.

[ninjadev64]

What URL are you using for the login flow? i.e. the GitHub page where they're prompted to authorise the app

[untamed-theory]

I had tried multiple actually. /user/repos as well as /user/<username>/repos. I have used both third-party libraries which make the call, as well as writing the HTTP request manually. Wondering if the endpoint itself is busted.

Yesterday I resorted to GraphQL which was able to process the same token with success. So that's the path forward I took. Thanks!

[motdotla]

graphql was also able to do this correctly for me BUT then pagination becomes an issue. i can't send a user directly to page 3 for example. forced to iterate through everything to grab the cursor. if anyone has solved this let me know. i attempted base64 encoding of "cursor:30" but apparently that does not work with the repos query for graphql.

[motdotla]

I have run into this issue at the GitHub app level as well - when using the installation access token and corresponding installation client.

[leandrocmaia]

I am also having the same issue.
I haven't tried installing the app as well on the user account, which for me defeats the whole concept of installation access token. I need the private repos coming from the installation access token.

Not sure whatelse to do.

[untamed-theory]

Hey @leandrocmaia , I agree that it defeats the purpose of the installation access token. The solution mentioned above does not actually work for me either. I believe it is actually a problem with the GitHub API itself, not even this library. If I issue the same request via CURL and use an installation token I get the same failure.

For me, I resolved by completely switching to the GraphQL API. I know that isn't the best answer, but it is what I did. I used this library. https://github.com/shurcooL/githubv4

[nunesbeto]

@untamed-theory switching to the GraphQL API also solved for me.. best solution (maybe only) at the moment

[github-actions[bot]]

🕒 Discussion Activity Reminder 🕒

This Discussion has been labeled as dormant by an automated system for having no activity in the last 60 days. Please consider one the following actions:

1️⃣ Close as Out of Date: If the topic is no longer relevant, close the Discussion as out of date at the bottom of the page.

2️⃣ Provide More Information: Share additional details or context — or let the community know if you've found a solution on your own.

3️⃣ Mark a Reply as Answer: If your question has been answered by a reply, mark the most helpful reply as the solution.

Note: This dormant notification will only apply to Discussions with the Question label. To learn more, see our recent announcement.

Thank you for helping bring this Discussion to a resolution! 💬

[motdotla]

please fix this GitHub team. it put quite a damper on me wanting to build GitHub Marketplace Add-ons.

[amber-beasley-liatrio]

I believe I am experiencing the same.

The app is installed to my org with read contents and read metadata on all repositories in the org.

I use the private key to generate an installation access token.

Both python Github client and curl command using the token show no results for private repos.

[amber-beasley-liatrio]

There seems to be a related issue: https://github.com/orgs/community/discussions/113651

[leslie-corbalt]

My App installation token has the required permissions.
My code can list all the private repos in the org, but not the internal repos.
No one in this thread has mentioned internal repos. Is that an issue for you?
https://docs.github.com/en/rest/repos/repos?apiVersion=2022-11-28#list-organization-repositories
The docs don't show internal as a value for type, but it is a valid value.

[jamesbellnet]

I had this same issue, realised (as mentioned in the chosen answer) that the app needs to be installed as well as authorised. In my case, to redirect users to an install & authorise page instead of just the authorise page this was as simple as changing the URL that I was redirecting users to to authenticate with my app.

Previous URL (only listed public repositories even with repository metadata permission set): https://github.com/login/oauth/authorize?client_id=YOUR_CLIENT_ID&state=STATE

Correct URL for app install & authorise: https://github.com/apps/YOUR_APP_NAME/installations/new?client_id=YOUR_CLIENT_ID&scope=repo&state=STATE

[antarpreet11]

Quick question, this works for me on the first install of the app, after that it just goes to the github page showing the app is installed and doesn't authorize or go to callback URL.

How do you handle this?

[jamesbellnet]

Well with our implementation the button that redirects to this install page is a "Connect with GitHub" button so when you're redirected back to our application that no longer shows and instead shows as a "Disconnect GitHub" button that makes the required API requests to revoke tokens and uninstall the app.

[antarpreet11]

Thanks, if you dont mind me asking, how do you retain this state if the user logs on after some time? Or even reloads page.

[jamesbellnet]

I can't remember the flow exactly because it was a while ago when I did this, but it's something like: make a subsequent API request when you are redirected to your callback URL with the returned code and your client ID and secret to get an access token. With the returned access token you store that and can use it for requests against the GitHub API. It's documented somewhere in the API docs 👍🏻

[daviidsbarber]

Select Topic Area

Question

Body

I created a GitHub App (not OAuth App) and tried this API to list all private repositories with the user's token retrieved by OAuth web flow. However, it returned empty.

Once I installed the GitHub App to one of my private repositories, the repository was returned but that's all. I couldn't see any other private repositories.

Is there any way to list all private repositories which the authenticated user has access?

Note: I added "Read-only" permission for content to the GitHub App.

Note: I can't see the section like below in the GitHub App's settings.

You can select user-level permissions from within your GitHub App's settings in the User permissions section of the Permissions & webhooks page.
https://docs.github.com/en/apps/creating-github-apps/authenticating-with-a-github-app/identifying-and-authorizing-users-for-github-apps#user-level-permissions

https://github.com/orgs/community/discussions/48102#discussion-4880152

[daviidsbarber]

[kieronthomas]

For anyone still experiencing issues accessing the list of repos, this all boils down to which approach you're taking:

1. You're asking for user authorisation in which case you use a user token obtained from https://github.com/login/oauth/authorize' with the correct scopes specified to query the user repo API endpoint i.e. https://docs.github.com/en/rest/repos/repos?apiVersion=2022-11-28#list-repositories-for-the-authenticated-user (you will notice that the accepted token types do not include an installation token!)

2. You're installing the app via https://github.com/apps/kt-test-app/installations/new you can then create an installation token for continued API requests and using this API endpoint get a list of installed repositories https://docs.github.com/en/rest/apps/installations?apiVersion=2022-11-28#list-repositories-accessible-to-the-app-installation (the accepted token type is only an installation token)

N.B. you can use a combination of the above, but some API endpoints will not accept an installation token. The user token is primarily used so that you can attribute any changes to that user rather than your Github App bot.

I hope that helps someone.

[omarabid]

This wasted a good hour for me. I really wonder about their naming choices for the apis/endpoints

/**
         * Lists repositories that the authenticated user has explicit permission (`:read`, `:write`, or `:admin`) to access.
         *
         * The authenticated user has explicit permission to access repositories they own, repositories where they are a collaborator, and repositories that they can access through an organization membership.
         */
        listForAuthenticatedUser: {
            (params?: RestEndpointMethodTypes["repos"]["listForAuthenticatedUser"]["parameters"]): Promise<RestEndpointMethodTypes["repos"]["listForAuthenticatedUser"]["response"]>;
            defaults: RequestInterface["defaults"];
            endpoint: EndpointInterface<{
                url: string;
            }>;
        };
        /**
         * Lists repositories for the specified organization.
         *
         * > [!NOTE]
         * > In order to see the `security_and_analysis` block for a repository you must have admin permissions for the repository or be an owner or security manager for the organization that owns the repository. For more information, see "[Managing security managers in your organization](https://docs.github.com/organizations/managing-peoples-access-to-your-organization-with-roles/managing-security-managers-in-your-organization)."
         */
        listForOrg: {
            (params?: RestEndpointMethodTypes["repos"]["listForOrg"]["parameters"]): Promise<RestEndpointMethodTypes["repos"]["listForOrg"]["response"]>;
            defaults: RequestInterface["defaults"];
            endpoint: EndpointInterface<{
                url: string;
            }>;
        };
        /**
         * Lists public repositories for the specified user.
         */
        listForUser: {
            (params?: RestEndpointMethodTypes["repos"]["listForUser"]["parameters"]): Promise<RestEndpointMethodTypes["repos"]["listForUser"]["response"]>;
            defaults: RequestInterface["defaults"];
            endpoint: EndpointInterface<{
                url: string;
            }>;
        };

[leslie-corbalt]

From GitHub Support:

That is indeed a bug that Engineering has on their backlog to fix. The behavior is documented but you have to switch to the enterprise cloud version of the Docs as below:

https://docs.github.com/en/enterprise-cloud@latest/rest/repos/repos?apiVersion=2022-11-28#list-organization-repositories