Github App Allow List #178332
Unanswered

gouravjblackduck asked this question in API and Webhooks
        Replies: 0 comments
Topic Area: Question
We have a GitHub App that uses OAuth for user login and then accesses organization repositories using the OAuth token obtained during the flow.
Our setup:
The GitHub App is installed in an organization.
The organization has IP allow list enabled.
Our backend IP is added to the GitHub App-managed allow list, and we see it listed as “Managed by [AppName]”.
The user has also enabled “Enable IP allow list configuration for installed GitHub Apps”.
Issue: When we try to access a repository using the OAuth token, we receive a 403 Forbidden error — even though the request originates from our backend IP (which is in the App-managed allow list).
However, if we manually add the same backend IP to the organization-level allow list, the request succeeds.
Question: Does GitHub enforce the organization-level IP allow list for requests made with OAuth tokens, even if the IP is already allowed via the App-managed list?
If so, is there any official documentation confirming that App-managed IP allow lists only apply to installation tokens, and not OAuth tokens?
We’d appreciate any clarification or guidance from GitHub staff or others who’ve encountered this.
Thanks!
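One way to pin down the behaviour asked about above, as an added diagnostic that is not part of the original post: from the backend host whose IP is on the App-managed list, request the same repository once with the user-to-server OAuth token from the login flow and once with an installation token minted for the same app, and compare the status codes. The `ghu_`/`ghs_` token prefixes, the `GHU_TOKEN`/`GHS_TOKEN` environment variable names and the `probe.py` file name are assumptions; the installation token is assumed to be obtained separately.

```python
import json
import os
import sys
import urllib.error
import urllib.request

API = "https://api.github.com"


def github_get(path: str, token: str) -> tuple[int, dict]:
    """GET an API path with a bearer token; return (HTTP status, JSON body)."""
    req = urllib.request.Request(API + path, headers={
        "Authorization": f"Bearer {token}",
        "Accept": "application/vnd.github+json",
        "X-GitHub-Api-Version": "2022-11-28",
    })
    try:
        with urllib.request.urlopen(req) as resp:
            return resp.status, json.loads(resp.read() or b"{}")
    except urllib.error.HTTPError as err:  # a 403 from the IP allow list lands here
        return err.code, json.loads(err.read() or b"{}")


def token_kind(token: str) -> str:
    """Assumed prefixes: ghs_ = installation token, ghu_ = GitHub App user (OAuth) token."""
    return {"ghs_": "installation", "ghu_": "user"}.get(token[:4], "other")


def compare(repo: str, tokens: dict[str, str], get=github_get) -> dict[str, dict]:
    """Fetch the same repository with every token; `get` is injectable for offline tests."""
    results = {}
    for label, tok in tokens.items():
        status, body = get(f"/repos/{repo}", tok)
        results[label] = {"kind": token_kind(tok), "status": status,
                          "message": body.get("message", "")}
    return results


def allow_list_depends_on_token(results: dict[str, dict]) -> bool:
    """True when, from one source IP, the installation token gets 200 but the user token 403."""
    by_kind = {r["kind"]: r["status"] for r in results.values()}
    return by_kind.get("installation") == 200 and by_kind.get("user") == 403


if __name__ == "__main__":  # usage: python probe.py org/repo  (tokens read from the environment)
    res = compare(sys.argv[1], {"user": os.environ["GHU_TOKEN"], "install": os.environ["GHS_TOKEN"]})
    for label, r in res.items():
        print(f"{label:8} {r['kind']:13} HTTP {r['status']} {r['message']}")
    print("allow list outcome differs by token type:", allow_list_depends_on_token(res))
```

If the installation token returns 200 while the user token returns 403 from the same IP, the block confirms that the App-managed entry is honoured only for the installation token and the organization-level list governs the OAuth request.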