Possible to get information about a private GitHub App when authenticated as another private GitHub App?

[jooooel]

Select Topic Area

Question

Body

I'm trying to get information about a private GitHub App (app-1), while authenticated as another GitHub App (app-2). They are both private apps within my organization.

This is the endpoint I'm using. It says "Works with GitHub Apps", so I'm assuming it should work?

I've generated an access token for app-2 using a private key and the app id, as described here.

Then I generated an App Installation Token using curl:

curl --request POST \
--url "https://api.github.com/app/installations/INSTALLATION_ID/access_tokens" \
--header "Accept: application/vnd.github+json" \
--header "Authorization: Bearer JWT" \
--header "X-GitHub-Api-Version: 2022-11-28"

Then I'm using the resulting token from that call to make another call:

curl -L \
  -H "Accept: application/vnd.github+json" \
  -H "Authorization: Bearer <YOUR-TOKEN>" \
  -H "X-GitHub-Api-Version: 2022-11-28" \
  https://api.github.com/apps/app-1

I'm getting a 403 Forbidden response with the following body:

{
    "message": "Resource not accessible by integration",
    "documentation_url": "https://docs.github.com/rest/apps/apps#get-an-app"
}

Isn't this supposed to work? If I change the slug name to the authenticated app (app-2) then the request succeeds.

Cross-post from https://stackoverflow.com/questions/77415156/get-information-about-a-private-github-app-while-authenticated-as-another-github

[b8zeek]

The GitHub API documentation says that you can get authenticated GitHub App information via the endpoint you're using. The point here is "authenticated GitHub App". I would say that this means that you can only retrieve information about the GitHub App that the current token is authenticated as.

If I understood your case, you're authenticating as app-2 and trying to get information about app-1. That is not allowed and is the reason for the "Resource not accessible by integration" error message. You're only allowed to get information about app-2 because that's the app you're authenticated as.

If you need to the information about app-1, you would need to authenticate as app-1.

Hope this clarifies it. 🍺

🍀

[jooooel]

Well that's the thing that confuses me a bit. There is another endpoint called "Get the authenticated app" that sounds like what you are referring to: https://docs.github.com/en/rest/apps/apps?apiVersion=2022-11-28#get-the-authenticated-app.

So I would assume the endpoint I'm referring to (https://docs.github.com/en/rest/apps/apps?apiVersion=2022-11-28#get-an-app) would actually be able to get information about another app, or why would it exist?

[b8zeek]

There's a difference...

The endpoint "Get an App" is used to get the PUBLIC information about a GitHub App. This endpoint does not require authentication if you provide the app's slug in the request URL.

The endpoint "Get the authenticated app" is used to get the information about the authenticated GitHub App. This endpoint requires the JWT that the GitHub App uses to authenticate.

🍀

[jooooel]

I suspect that you are right, but I think the wording in the documentation is a bit unclear if that's the case...

"Get the authenticated app" is crystal clear, no confusion there.

"Get an App" is confusing though 😅:

• "If the GitHub App you specify is public, you can access this endpoint without authenticating". That's fine, I understand that, and it's a separate use case from "Get the authenticated app" endpoint.
• "If the GitHub App you specify is private, you must authenticate...". This makes sense when using a personal access token. That way I can get any app I have access to with my personal token. However, why would I ever use this endpoint when getting information about a private app and authenticating as an app installation? In that case I might as well use the other endpoint. I think this is what confuses me, and led me to believe that it would be possible to get all private apps, as long as the app used for authentication has broad enough access within the org.

I was looking to improve the docs by clarifying that you can only get information about the authenticated app itselfs (if that's how it really works), but I guess these part of the docs are auto generated from somewhere else? 🤔 https://github.com/github/docs/blob/main/content/rest/apps/apps.md

[b8zeek]

I am going through my notifications, I see that I didn't reply... Sorry. Were you able to find the solution for your use case?

🍀

[jooooel]

No worries 😊 Ended up using a PAT from my account, with a big comment about it having to be replaced when I quit/it expires 😅

[b8zeek]

Cool buddy. Best of luck. ☺️

🍀

[github-actions[bot]]

🕒 Discussion Activity Reminder 🕒

This Discussion has been labeled as dormant by an automated system for having no activity in the last 60 days. Please consider one the following actions:

1️⃣ Close as Out of Date: If the topic is no longer relevant, close the Discussion as out of date at the bottom of the page.

2️⃣ Provide More Information: Share additional details or context — or let the community know if you've found a solution on your own.

3️⃣ Mark a Reply as Answer: If your question has been answered by a reply, mark the most helpful reply as the solution.

Note: This dormant notification will only apply to Discussions with the Question label. To learn more, see our recent announcement.

Thank you for helping bring this Discussion to a resolution! 💬