---
title: Scopes for OAuth Apps
intro: '{% data reusables.shortdesc.understanding_scopes_for_oauth_apps %}'
redirect_from:
versions:
---
When setting up an OAuth App on GitHub, requested scopes are displayed to the user on the authorization form.
{% note %}
**Note:** If you're building a GitHub App, you don't need to provide scopes in your authorization request. For more on this, see "Identifying and authorizing users for GitHub Apps."
{% endnote %}
{% if currentVersion == "free-pro-team@latest" or currentVersion ver_gt "enterprise-server@2.21" or currentVersion == "github-ae@latest" %} If your {% data variables.product.prodname_oauth_app %} doesn't have access to a browser, such as a CLI tool, then you don't need to specify a scope for users to authenticate to your app. For more information, see "Authorizing OAuth apps." {% endif %}
Check headers to see what OAuth scopes you have, and what the API action accepts:

```shell
$ curl -H "Authorization: token OAUTH-TOKEN" {% data variables.product.api_url_pre %}/users/codertocat -I
HTTP/1.1 200 OK
X-OAuth-Scopes: repo, user
X-Accepted-OAuth-Scopes: user
```

* `X-OAuth-Scopes` lists the scopes your token has authorized.
* `X-Accepted-OAuth-Scopes` lists the scopes that the action checks for.
## Available scopes

Name | Description
-----|-----------|{% if currentVersion != "github-ae@latest" %}
**(no scope)** | Grants read-only access to public information (including user profile info, repository info, and gists){% endif %}{% if enterpriseServerVersions contains currentVersion or currentVersion == "github-ae@latest" %}
`site_admin` | Grants site administrators access to {% data variables.product.prodname_ghe_server %} Administration API endpoints.{% endif %}
`repo` | Grants full access to repositories, including private repositories. That includes read/write access to code, commit statuses, repository and organization projects, invitations, collaborators, adding team memberships, deployment statuses, and repository webhooks for repositories and organizations. Also grants ability to manage user projects.
`repo:status` | Grants read/write access to {% if currentVersion != "github-ae@latest" %}public{% else %}internal{% endif %} and private repository commit statuses. This scope is only necessary to grant other users or services access to private repository commit statuses without granting access to the code.
`repo_deployment` | Grants access to deployment statuses for {% if currentVersion != "github-ae@latest" %}public{% else %}internal{% endif %} and private repositories. This scope is only necessary to grant other users or services access to deployment statuses, without granting access to the code.{% if currentVersion != "github-ae@latest" %}
`public_repo` | Limits access to public repositories. That includes read/write access to code, commit statuses, repository projects, collaborators, and deployment statuses for public repositories and organizations. Also required for starring public repositories.{% endif %}
`repo:invite` | Grants accept/decline abilities for invitations to collaborate on a repository. This scope is only necessary to grant other users or services access to invites without granting access to the code.{% if currentVersion == "free-pro-team@latest" or currentVersion ver_gt "enterprise-server@3.0" %}
`security_events` | Grants: <br/> read and write access to security events in the {% data variables.product.prodname_code_scanning %} API <br/> read and write access to security events in the {% data variables.product.prodname_secret_scanning %} API <br/> This scope is only necessary to grant other users or services access to security events without granting access to the code.{% endif %}{% if currentVersion ver_gt "enterprise-server@2.21" and currentVersion ver_lt "enterprise-server@3.1" %}
`security_events` | Grants read and write access to security events in the {% data variables.product.prodname_code_scanning %} API. This scope is only necessary to grant other users or services access to security events without granting access to the code.{% endif %}
`admin:repo_hook` | Grants read, write, ping, and delete access to repository hooks in {% if currentVersion != "github-ae@latest" %}public{% else %}internal{% endif %} and private repositories. The `repo` {% if currentVersion != "github-ae@latest" %}and `public_repo` scopes grant{% else %}scope grants{% endif %} full access to repositories, including repository hooks. Use the `admin:repo_hook` scope to limit access to only repository hooks.
`write:repo_hook` | Grants read, write, and ping access to hooks in {% if currentVersion != "github-ae@latest" %}public{% else %}internal{% endif %} or private repositories.
`read:repo_hook` | Grants read and ping access to hooks in {% if currentVersion != "github-ae@latest" %}public{% else %}internal{% endif %} or private repositories.
`admin:org` | Fully manage the organization and its teams, projects, and memberships.
`write:org` | Read and write access to organization membership, organization projects, and team membership.
`read:org` | Read-only access to organization membership, organization projects, and team membership.
`admin:public_key` | Fully manage public keys.
`write:public_key` | Create, list, and view details for public keys.
`read:public_key` | List and view details for public keys.
`admin:org_hook` | Grants read, write, ping, and delete access to organization hooks. **Note:** OAuth tokens will only be able to perform these actions on organization hooks which were created by the OAuth App. Personal access tokens will only be able to perform these actions on organization hooks created by a user.
`gist` | Grants write access to gists.
`notifications` | Grants: <br/>* read access to a user's notifications <br/>* mark as read access to threads <br/>* watch and unwatch access to a repository, and <br/>* read, write, and delete access to thread subscriptions.
`user` | Grants read/write access to profile info only. Note that this scope includes `user:email` and `user:follow`.
`read:user` | Grants access to read a user's profile data.
`user:email` | Grants read access to a user's email addresses.
`user:follow` | Grants access to follow or unfollow other users.
`delete_repo` | Grants access to delete adminable repositories.
`write:discussion` | Allows read and write access for team discussions.
`read:discussion` | Allows read access for team discussions.{% if currentVersion == "free-pro-team@latest" or currentVersion == "github-ae@latest" %}
`write:packages` | Grants access to upload or publish a package in {% data variables.product.prodname_registry %}. For more information, see "Publishing a package".
`read:packages` | Grants access to download or install packages from {% data variables.product.prodname_registry %}. For more information, see "Installing a package".
`delete:packages` | Grants access to delete packages from {% data variables.product.prodname_registry %}. For more information, see "{% if currentVersion == "free-pro-team@latest" or currentVersion ver_gt "enterprise-server@3.0" %}Deleting and restoring a package{% elsif currentVersion ver_lt "enterprise-server@3.1" or currentVersion == "github-ae@latest" %}Deleting a package{% endif %}."{% endif %}
`admin:gpg_key` | Fully manage GPG keys.
`write:gpg_key` | Create, list, and view details for GPG keys.
`read:gpg_key` | List and view details for GPG keys.{% if currentVersion == "free-pro-team@latest" %}
`workflow` | Grants the ability to add and update {% data variables.product.prodname_actions %} workflow files. Workflow files can be committed without this scope if the same file (with both the same path and contents) exists on another branch in the same repository. Workflow files can expose `GITHUB_TOKEN` which may have a different set of scopes, see https://docs.github.com/en/free-pro-team@latest/actions/reference/authentication-in-a-workflow#permissions-for-the-github_token for details.{% endif %}
{% note %}

**Note:** Your OAuth App can request the scopes in the initial redirection. You
can specify multiple scopes by separating them with a space using `%20`:

```
https://github.com/login/oauth/authorize?
  client_id=...&
  scope=user%20repo_deployment
```

{% endnote %}
## Requested scopes and granted scopes

The `scope` attribute lists scopes attached to the token that were granted by
the user. Normally, these scopes will be identical to what you requested.
However, users can edit their scopes, effectively
granting your application less access than you originally requested. Also, users
can edit token scopes after the OAuth flow is completed.
You should be aware of this possibility and adjust your application's behavior
accordingly.
It's important to handle error cases where a user chooses to grant you less access than you originally requested. For example, applications can warn or otherwise communicate with their users that they will see reduced functionality or be unable to perform some actions.
Also, applications can always send users back through the flow again to get additional permission, but don’t forget that users can always say no.
Check out the Basics of Authentication guide, which provides tips on handling modifiable token scopes.
## Normalized scopes

When requesting multiple scopes, the token is saved with a normalized list
of scopes, discarding those that are implicitly included by another requested
scope. For example, requesting `user,gist,user:email` will result in a
token with `user` and `gist` scopes only since the access granted with
`user:email` scope is included in the `user` scope.
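The following Python module is an added example, not GitHub's own code, that ties together the checks this page describes: reading `X-OAuth-Scopes` and `X-Accepted-OAuth-Scopes` from a response, comparing the `scope` attribute of a token response against what your app requested, normalizing a requested scope list the way the previous section describes, and building the authorization URL with space-separated (`%20`) scopes. The `SCOPE_IMPLIES` map encodes only the inclusion relationships stated in the table above (for example `user` including `user:email` and `user:follow`, and `repo` covering repository hooks); treating that map as complete, and treating any one accepted scope as sufficient for an endpoint, are assumptions of this example. The `client_id` value and the header strings used in the `__main__` block are constructed sample data.

```python
"""Helpers for reasoning about GitHub OAuth scopes.

Added example (not GitHub's own code): it encodes only the scope
relationships stated in the table on this page; everything else is an
assumption, noted where it applies.
"""
from typing import Dict, Iterable, List, Set
from urllib.parse import quote, urlencode

# Scopes that implicitly include other scopes, taken from the table above:
# `user` includes `user:email` and `user:follow` (and its read-only subset
# `read:user`), `repo` covers statuses, deployments, invitations and
# repository hooks, and each admin:/write:/read: family nests.
# Assumption: this map is not exhaustive, only what the table states.
SCOPE_IMPLIES: Dict[str, Set[str]] = {
    "repo": {"repo:status", "repo_deployment", "public_repo", "repo:invite",
             "admin:repo_hook"},
    "admin:repo_hook": {"write:repo_hook"},
    "write:repo_hook": {"read:repo_hook"},
    "admin:org": {"write:org"},
    "write:org": {"read:org"},
    "admin:public_key": {"write:public_key"},
    "write:public_key": {"read:public_key"},
    "admin:gpg_key": {"write:gpg_key"},
    "write:gpg_key": {"read:gpg_key"},
    "user": {"read:user", "user:email", "user:follow"},
    "write:discussion": {"read:discussion"},
}


def expand(scopes: Iterable[str]) -> Set[str]:
    """Return the given scopes plus every scope they transitively include."""
    result: Set[str] = set()
    stack = list(scopes)
    while stack:
        scope = stack.pop()
        if scope in result:
            continue
        result.add(scope)
        stack.extend(SCOPE_IMPLIES.get(scope, ()))
    return result


def normalize_scopes(requested: Iterable[str]) -> List[str]:
    """Drop scopes already implied by another requested scope, keeping
    first-appearance order: user,gist,user:email -> [user, gist]."""
    wanted = [s.strip() for s in requested if s.strip()]
    kept: List[str] = []
    for scope in wanted:
        implied_by_others: Set[str] = set()
        for other in wanted:
            if other != scope:
                implied_by_others |= expand([other]) - {other}
        if scope not in implied_by_others and scope not in kept:
            kept.append(scope)
    return kept


def parse_scope_header(value: str) -> Set[str]:
    """Split a comma-separated header value such as 'repo, user'."""
    return {s.strip() for s in value.split(",") if s.strip()}


def token_can_perform(oauth_scopes: str, accepted_scopes: str) -> bool:
    """Decide whether a token's X-OAuth-Scopes satisfy an endpoint's
    X-Accepted-OAuth-Scopes. Assumption: any one accepted scope suffices,
    and an empty accepted list means no scope is required."""
    accepted = parse_scope_header(accepted_scopes)
    if not accepted:
        return True
    return bool(expand(parse_scope_header(oauth_scopes)) & accepted)


def missing_scopes(requested: Iterable[str], granted: str) -> List[str]:
    """Compare the scopes you asked for with the `scope` attribute of the
    token response; the user may have granted less than requested."""
    have = expand(parse_scope_header(granted))
    return [s for s in requested if s not in have]


def authorize_url(client_id: str, scopes: Iterable[str],
                  base: str = "https://github.com/login/oauth/authorize") -> str:
    """Build the authorization redirect with a space-separated (%20) scope
    parameter. The client_id passed in is a placeholder for the example."""
    query = urlencode(
        {"client_id": client_id, "scope": " ".join(normalize_scopes(scopes))},
        safe=":", quote_via=quote,
    )
    return f"{base}?{query}"


if __name__ == "__main__":
    # Constructed sample values: the headers from the curl example above.
    print(token_can_perform("repo, user", "user"))            # True
    print(normalize_scopes(["user", "gist", "user:email"]))    # ['user', 'gist']
    print(missing_scopes(["repo", "user"], "user"))            # ['repo']
    print(authorize_url("abc", ["user", "repo_deployment"]))
```

`token_can_perform` expands the token's scopes before comparing, so a token carrying `user` is correctly recognized as sufficient for an endpoint that accepts `user:email`; a plain string comparison of the two headers would reject it. `missing_scopes` is the check to run on the `scope` attribute of the token response so your application can degrade gracefully when the user granted less than requested.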