On my first day as an intern, I accidentally forked my organization's entire codebase into my personal GitHub account! Although this rookie mistake was short-lived, it left a lasting impression on me about the vast array of features and operations GitHub offers. Now, nine years and countless merge conflicts later, I still feel that my understanding of GitHub barely scratches the surface.
Today, let’s dive into one specific corner of this vast platform: GitHub authorization. Many of you are likely familiar with the “classic” personal access tokens (PATs) that can replace passwords for authentication, and two-factor authentication (2FA) for added security. However, this post will focus on authorizing third-party apps via GitHub.
GitHub provides two main types of applications for integrating third-party services: OAuth Apps and GitHub Apps. While both methods enable external applications to interact with GitHub, their use cases and scope of permissions are quite different.
OAuth Apps
OAuth Apps are widely used when a third-party application needs access to perform actions on behalf of a user. The authorization flow is a standard OAuth 2.0 process, where users grant the app permission to access their GitHub data. Once approved, the app receives an access token to interact with the GitHub API on the user's behalf.
OAuth Authorization Flow:
Key Benefits of OAuth Apps:
Drawbacks of OAuth Apps:
While OAuth Apps are a convenient way to get started with GitHub integration, it is a security concern that it has access to all repositories the user has permission to view, without any granular control. This means a user cannot restrict the app to only a few repositories.
GitHub Apps
GitHub Apps, on the other hand, offer a more fine-tuned and flexible way to integrate with GitHub. These apps can either act on behalf of a user or operate independently. The granularity of permissions and event-driven functionality make GitHub Apps a preferred choice for building more complex integrations, especially for organizations.
GitHub App Authorization Flow:
Key Benefits of GitHub Apps:
The short answer is Github Apps since Github recommends it. GitHub Apps are perfect for complex integrations, such as those used in enterprise environments, where security, fine-grained control, and webhook support are crucial. GitHub Apps also offer better token management, short-lived tokens, and rate-limiting advantages, making them the go-to choice for modern GitHub integrations.
However, the support for GitHub Apps does not extend to all API endpoints. You will have to refer to the API documentation to ensure that the endpoint is accessible by GitHub App installation access tokens. Of course, you may have to use an intelligent combination of both if it suits your requirements best.
At GoCodeo, we understand the importance of code security and strive to achieve a balance between ease of access and privacy. When users log in, we employ OAuth apps to access their basic profile information and public repositories, enabling us to prepare their public repos for testing without delay. However, for private and organization repositories, we take a more secure approach by requiring explicit authorization through a GitHub App. This gives users complete control over which repos they want to test, allowing them to select specific repositories during installation. This dual approach ensures both flexibility and protection, while also benefiting from GitHub Apps' real-time webhook support and dynamic rate limits for efficient scaling.
We hope the lessons we learned from GitHub Authorization and Access Management were useful to you. Let us know if you have any questions in the comments and we’ll be happy to clarify them.