About OAuth App access restrictions

Organizations can choose which OAuth Apps have access to their repositories and other resources by enabling OAuth App access restrictions.

About OAuth App access restrictions

When OAuth App access restrictions are enabled, organization members and outside collaborators cannot authorize OAuth Apps to access organization resources. Organization members can request owner approval for the OAuth Apps they want to use, and organization owners receive a notification of pending requests.

As an organization owner, you can choose whether to allow outside collaborators to request access to unapproved OAuth Apps and GitHub Apps. For more information, see "Limiting OAuth app and GitHub app access requests."

When a new organization is created, OAuth App access restrictions are enabled by default. Organization owners can disable OAuth App access restrictions at any time.

Tip: When an organization has not set up OAuth App access restrictions, any OAuth App authorized by an organization member can also access the organization's private resources.

Setting up OAuth App access restrictions

When an organization owner sets up OAuth App access restrictions for the first time:

  • Applications that are owned by the organization are automatically given access to the organization's resources.
  • OAuth Apps immediately lose access to the organization's resources.
  • SSH keys created before February 2014 immediately lose access to the organization's resources (this includes user and deploy keys).
  • SSH keys created by OAuth Apps during or after February 2014 immediately lose access to the organization's resources.
  • Hook deliveries from private organization repositories will no longer be sent to unapproved OAuth Apps.
  • API access to private organization resources is not available for unapproved OAuth Apps. In addition, there are no privileged create, update, or delete actions on public organization resources.
  • Hooks created by users and hooks created before May 2014 will not be affected.
  • Private forks of organization-owned repositories are subject to the organization's access restrictions.

Resolving SSH access failures

When an SSH key created before February 2014 loses access to an organization with OAuth App access restrictions enabled, subsequent SSH access attempts will fail. Users will encounter an error message directing them to a URL where they can approve the key or upload a trusted key in its place.

Webhooks

When an OAuth App is granted access to the organization after restrictions are enabled, any pre-existing webhooks created by that OAuth App will resume dispatching.

When an organization removes access from a previously-approved OAuth App, any pre-existing webhooks created by that application will no longer be dispatched (these hooks will be disabled, but not deleted).

Re-enabling access restrictions

If an organization disables OAuth App access restrictions and later re-enables them, previously approved OAuth Apps are automatically granted access to the organization's resources again.

Further reading