Github App Allow List #178332
Replies: 3 comments
Yes, this behavior is expected. GitHub’s documentation confirms that App-managed IP allow lists only apply to requests made with installation access tokens, not to OAuth user tokens. In your case, when a user logs in through OAuth and the backend uses that user token to access organization repositories, GitHub treats it as a user-to-server request, which is still subject to the organization-level IP allow list. In other words, even if your backend IP is already listed under “Managed by [AppName],” the request will be blocked (403 Forbidden) unless the same IP is also added to the organization’s own allow list.
Reference: GitHub Docs – Managing allowed IP addresses for your organization
So yes, GitHub enforces the organization IP allow list for OAuth-token requests, and the App’s allow list only affects installation tokens.
Thanks @ronitmartin for clarification :)
Yes, it is enforced for OAuth. Yes, it is documented. The app list is for installation traffic only. You can use an installation token or add the IP to the organization list.
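The remedy both answers point to is to make the repository call with an installation access token instead of the user's OAuth token. The Go program below is an added example written for this page, not code from the discussion or from GitHub: it mints the App JWT with the standard library, builds the documented POST /app/installations/{installation_id}/access_tokens exchange, parses the returned token, and uses that token (rather than the OAuth token) for the repository request. App ID 12345, installation ID 987 and the constructed response bodies are placeholders; the endpoint, header names and the 10-minute JWT limit are the ones GitHub documents.

```go
package main

import (
	"crypto"
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
	"encoding/base64"
	"encoding/json"
	"fmt"
	"net/http"
	"time"
)

// AppJWTClaims: iss is the App ID, iat is backdated to absorb clock skew,
// exp may be at most 10 minutes in the future (GitHub's documented limit).
type AppJWTClaims struct {
	Iss string `json:"iss"`
	Iat int64  `json:"iat"`
	Exp int64  `json:"exp"`
}

// NewAppJWT signs a short-lived RS256 JWT with the App's private key using only
// the standard library. It authenticates the App itself, not a user.
func NewAppJWT(appID string, key *rsa.PrivateKey, now time.Time) (string, error) {
	enc := base64.RawURLEncoding
	header, _ := json.Marshal(map[string]string{"alg": "RS256", "typ": "JWT"})
	claims, err := json.Marshal(AppJWTClaims{Iss: appID, Iat: now.Add(-60 * time.Second).Unix(), Exp: now.Add(9 * time.Minute).Unix()})
	if err != nil {
		return "", err
	}
	signingInput := enc.EncodeToString(header) + "." + enc.EncodeToString(claims)
	digest := sha256.Sum256([]byte(signingInput))
	sig, err := rsa.SignPKCS1v15(rand.Reader, key, crypto.SHA256, digest[:])
	if err != nil {
		return "", err
	}
	return signingInput + "." + enc.EncodeToString(sig), nil
}

// ghRequest builds a GitHub REST request with a bearer credential (App JWT or
// installation token) and the documented Accept header.
func ghRequest(method, url, bearer string) (*http.Request, error) {
	req, err := http.NewRequest(method, url, nil)
	if err != nil {
		return nil, err
	}
	req.Header.Set("Authorization", "Bearer "+bearer)
	req.Header.Set("Accept", "application/vnd.github+json")
	return req, nil
}

// InstallationTokenRequest is the documented exchange: POST
// /app/installations/{installation_id}/access_tokens, authenticated with the App JWT.
func InstallationTokenRequest(apiBase, appJWT string, installationID int64) (*http.Request, error) {
	return ghRequest(http.MethodPost, fmt.Sprintf("%s/app/installations/%d/access_tokens", apiBase, installationID), appJWT)
}

// ParseInstallationToken pulls the token and its expiry out of GitHub's JSON
// response; an error body such as {"message": "..."} carries no token.
func ParseInstallationToken(body []byte) (string, time.Time, error) {
	var resp struct {
		Token     string    `json:"token"`
		ExpiresAt time.Time `json:"expires_at"`
	}
	if err := json.Unmarshal(body, &resp); err != nil || resp.Token == "" {
		return "", time.Time{}, fmt.Errorf("no installation token in response (%v)", err)
	}
	return resp.Token, resp.ExpiresAt, nil
}

// RepoRequest reads a repository with the installation token instead of the
// user's OAuth token, i.e. as installation traffic, which is what the
// App-managed allow list covers.
func RepoRequest(apiBase, installationToken, owner, repo string) (*http.Request, error) {
	return ghRequest(http.MethodGet, fmt.Sprintf("%s/repos/%s/%s", apiBase, owner, repo), installationToken)
}

func main() {
	// Throwaway key for the demo; a real App loads its PEM private key instead.
	key, err := rsa.GenerateKey(rand.Reader, 2048)
	if err != nil {
		panic(err)
	}
	appJWT, err := NewAppJWT("12345", key, time.Now()) // 12345: placeholder App ID
	if err != nil {
		panic(err)
	}
	req, _ := InstallationTokenRequest("https://api.github.com", appJWT, 987) // 987: placeholder installation ID
	fmt.Println(req.Method, req.URL) // send with http.DefaultClient.Do(req); feed the body to ParseInstallationToken
}
```

The installation ID comes from the installation webhook payload or from GET /app/installations made with the App JWT. Installation tokens are short-lived, so mint a fresh one when the parsed expiry passes rather than caching it indefinitely; the example only changes which credential the backend presents, and the allow-list decision itself stays with GitHub.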
Question
We have a GitHub App that uses OAuth for user login and then accesses organization repositories using the OAuth token obtained during the flow.
Our setup:
The GitHub App is installed in an organization.
The organization has IP allow list enabled.
Our backend IP is added to the GitHub App-managed allow list, and we see it listed as “Managed by [AppName]”.
The user has also enabled “Enable IP allow list configuration for installed GitHub Apps”.
Issue: When we try to access a repository using the OAuth token, we receive a 403 Forbidden error — even though the request originates from our backend IP (which is in the App-managed allow list).
However, if we manually add the same backend IP to the organization-level allow list, the request succeeds.
Question: Does GitHub enforce the organization-level IP allow list for requests made with OAuth tokens, even if the IP is already allowed via the App-managed list?
If so, is there any official documentation confirming that App-managed IP allow lists only apply to installation tokens, and not OAuth tokens?
We’d appreciate any clarification or guidance from GitHub staff or others who’ve encountered this.
Thanks!