Github App Allow List #178332
We have a GitHub App that uses OAuth for user login and then accesses organization repositories using the OAuth token obtained during the flow.

Our setup:
- The GitHub App is installed in an organization.
- The organization has IP allow list enabled.
- Our backend IP is added to the GitHub App-managed allow list, and we see it listed as “Managed by [AppName]”.
- The user has also enabled “Enable IP allow list configuration for installed GitHub Apps”.

Issue: When we try to access a repository using the OAuth token, we receive a 403 Forbidden error — even though the request originates from our backend IP (which is in the App-managed allow list). However, if we manually add the same backend IP to the organization-level allow list, the request succeeds.

Question: Does GitHub enforce the organization-level IP allow list for requests made with OAuth tokens, even if the IP is already allowed via the App-managed list? If so, is there any official documentation confirming that App-managed IP allow lists only apply to installation tokens, and not OAuth tokens?

We’d appreciate any clarification or guidance from GitHub staff or others who’ve encountered this. Thanks!
Replies: 4 comments
Yes, this behavior is expected. GitHub’s documentation confirms that App-managed IP allow lists only apply to requests made with installation access tokens, not to OAuth user tokens.

In your case, when a user logs in through OAuth and the backend uses that user token to access organization repositories, GitHub treats it as a user-to-server request, which is still subject to the organization-level IP allow list. In other words, even if your backend IP is already listed under “Managed by [AppName],” the request will be blocked (403 Forbidden) unless the same IP is also added to the organization’s own allow list.

Reference: GitHub Docs – Managing allowed IP addresses for your organization

So yes, GitHub enforces the organization IP allow list for OAuth-token requests, and the App’s allow list only affects installation tokens.
Thanks @ronitmartin for clarification :)
Yes, it is enforced for OAuth. Yes, it is documented. The app list is for installation traffic only. You can use an installation token or add the IP to the organization list.
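One way to follow the advice above (make the backend's repository calls with an installation token rather than the user's OAuth token, so the App-managed allow list is the one that applies), as an added Go example that is not part of this thread: it signs the App JWT with the standard library and prepares the installation-token request. The App ID, installation ID and the freshly generated key are placeholders; a real backend would load its App private key from a secret store.

```go
package main

import (
	"crypto"
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
	"encoding/base64"
	"encoding/json"
	"fmt"
	"net/http"
	"time"
)

// AppJWT builds the RS256 JWT a GitHub App presents to mint an installation
// token: iss = App ID, iat backdated 60s for clock skew, exp at most 10 min out.
func AppJWT(appID string, key *rsa.PrivateKey, now time.Time) (string, error) {
	enc := base64.RawURLEncoding
	claims, _ := json.Marshal(map[string]interface{}{ // scalar map, cannot fail
		"iat": now.Add(-time.Minute).Unix(),
		"exp": now.Add(9 * time.Minute).Unix(),
		"iss": appID,
	})
	input := enc.EncodeToString([]byte(`{"alg":"RS256","typ":"JWT"}`)) + "." + enc.EncodeToString(claims)
	digest := sha256.Sum256([]byte(input))
	sig, err := rsa.SignPKCS1v15(rand.Reader, key, crypto.SHA256, digest[:])
	if err != nil {
		return "", err
	}
	return input + "." + enc.EncodeToString(sig), nil
}

// InstallationTokenRequest prepares POST /app/installations/{id}/access_tokens. Calls made with
// the resulting installation token are server-to-server, so the App-managed allow list applies.
func InstallationTokenRequest(installationID, appJWT string) *http.Request {
	url := "https://api.github.com/app/installations/" + installationID + "/access_tokens"
	req, _ := http.NewRequest(http.MethodPost, url, nil) // fixed, well-formed URL
	req.Header.Set("Authorization", "Bearer "+appJWT)
	req.Header.Set("Accept", "application/vnd.github+json")
	return req
}

func main() { // demo only: a real backend loads the App's private key from its secret store
	key, _ := rsa.GenerateKey(rand.Reader, 2048)
	jwt, err := AppJWT("APP_ID_PLACEHOLDER", key, time.Now()) // placeholders, not real IDs
	if err != nil {
		panic(err)
	}
	fmt.Println(InstallationTokenRequest("INSTALLATION_ID_PLACEHOLDER", jwt).URL) // send via http.DefaultClient.Do
}
```

The JSON response to that request carries the installation token in its "token" field; use it as the Bearer token on the repository endpoints instead of the OAuth user token.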
🕒 Discussion Activity Reminder 🕒

This Discussion has been labeled as dormant by an automated system for having no activity in the last 60 days. Please consider one of the following actions:

1️⃣ Close as Out of Date: If the topic is no longer relevant, close the Discussion as out of date at the bottom of the page.
2️⃣ Provide More Information: Share additional details or context — or let the community know if you've found a solution on your own.
3️⃣ Mark a Reply as Answer: If your question has been answered by a reply, mark the most helpful reply as the solution.

Note: This dormant notification will only apply to Discussions with the Question label. To learn more, see our recent announcement.

Thank you for helping bring this Discussion to a resolution! 💬