Can I change app permissions when authorizing Github Apps? #140199
hey @florianmartens, github apps use fine-grained permissions that are defined during installation. unfortunately, you can't modify those permissions dynamically when authorizing users. oauth tokens and scopes behave differently from github apps, and scopes won’t override the app’s global permission settings. make sure you're not mixing up oauth app scopes and github app permissions during setup https://docs.github.com/en/apps/oauth-apps/building-oauth-apps/scopes-for-oauth-apps hope that helps! feel free to mark it as an answer if useful! 😄
-
I'm having trouble understanding the permission system when authorizing Github Apps (not OAuth Apps). I understand we can modify the permissions of our apps globally in their settings. These permissions, however, seem to only apply to installations of our apps.
Yet, I can retrieve an OAuth token via the ClientID my app exposes. However, the scopes feature does not seem to work for me... Here is an example url:
https://github.com/login/oauth/authorize?response_type=code&client_id=xxx&state=xxx&redirect_uri=http%3A%2F%2Flocalhost%3A5173%2Foauth%2Fgithub%2Fredirect&scope=read%3Auser%20user%3Aemail%20read%3Aproject%20admin%3Aorg
When I check the page for my authorized apps I always see the following permissions:
The authorization screen also looks unchanged in that it always shows email as the only requested resource. There is no mention of the extra scopes I requested. What is going on here? Am I doing something wrong?
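An added example, not part of either post above: a small audit that compares the scopes requested in the authorize URL from the question with what the token exchange actually returned. It relies on two documented GitHub behaviours (GitHub App user access tokens start with `ghu_` and carry an empty `scope` field, OAuth app tokens start with `gho_`); the function names and both sample responses are constructed for illustration.

```python
from urllib.parse import urlsplit, parse_qs

# Authorization URL from the question (client_id and state are the post's placeholders).
AUTHORIZE_URL = (
    "https://github.com/login/oauth/authorize?response_type=code&client_id=xxx"
    "&state=xxx&redirect_uri=http%3A%2F%2Flocalhost%3A5173%2Foauth%2Fgithub%2Fredirect"
    "&scope=read%3Auser%20user%3Aemail%20read%3Aproject%20admin%3Aorg"
)

# Constructed token-exchange responses (placeholder tokens, not real credentials).
GITHUB_APP_RESPONSE = {"access_token": "ghu_CONSTRUCTED", "token_type": "bearer", "scope": ""}
OAUTH_APP_RESPONSE = {
    "access_token": "gho_CONSTRUCTED",
    "token_type": "bearer",
    "scope": "read:user,user:email,read:project,admin:org",
}


def requested_scopes(authorize_url):
    """Scopes asked for in the authorize URL (space-separated `scope` parameter)."""
    query = parse_qs(urlsplit(authorize_url).query)
    return set(query.get("scope", [""])[0].split())


def granted_scopes(token_response):
    """Scopes reported by the token response (GitHub returns them comma-separated)."""
    return set(token_response.get("scope", "").replace(",", " ").split())


def audit_grant(authorize_url, token_response):
    """Report which requested scopes the issued token does not carry."""
    token = token_response.get("access_token", "")
    if token.startswith("ghu_"):
        kind = "github_app_user_token"   # limited by app permissions, not scopes
    elif token.startswith("gho_"):
        kind = "oauth_app_token"         # limited by the granted scopes
    else:
        kind = "unknown"
    asked, got = requested_scopes(authorize_url), granted_scopes(token_response)
    return {
        "kind": kind,
        "granted": sorted(got),
        "not_granted": sorted(asked - got),
        "scopes_apply": kind == "oauth_app_token",
    }


if __name__ == "__main__":
    print(audit_grant(AUTHORIZE_URL, GITHUB_APP_RESPONSE))
    print(audit_grant(AUTHORIZE_URL, OAUTH_APP_RESPONSE))
```

For a GitHub App token the report lists every requested scope under `not_granted`, which is the signal to adjust the app's permission settings rather than the `scope` parameter.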