Technical Brief: Why We Use GitHub Apps Over OAuth

We use the GitHub App framework (the industry standard recommended by GitHub and Gearset) because it offers a stronger security architecture than traditional OAuth. Whereas an OAuth App is granted broad, persistent "act-as-user" permissions, a GitHub App authenticates with fine-grained permissions and short-lived installation tokens (each expiring after one hour), which enforces the Principle of Least Privilege. Furthermore, GitHub Apps allow repository-level scoping, so the tool can only reach the specific repositories that were authorized rather than everything in a user's GitHub account.

Platform Documentation & Recommendations

| Security Feature | GitHub App (Recommended) | OAuth App (Alternative) |
|---|---|---|
| Permission Granularity | Fine-grained: separate "Read" vs "Write" permissions for code, PRs, and metadata. | Broad scopes: the repo scope grants full control over all code and settings. |
| Credential Lifetime | 1 hour: tokens are temporary and auto-rotated. | Indefinite: tokens live forever until manually deleted. |
| Access Control | Repository-level: you choose exactly which repos are visible. | Account-level: accesses everything the user can see. |
| Traceability | Bot-specific: actions are clearly marked as the integration (co-authored with the user). | User impersonation: actions appear as if the user performed them. |
| Service Stability | Independent: works even if the setup user leaves the company. | User-dependent: breaks if the authorizing user's account is deactivated. |
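The short-lived, narrowly scoped credentials the table describes are not abstract: a GitHub App first signs a JWT with its private key (valid for at most ten minutes), then exchanges it for a one-hour installation token whose repositories and permissions can be narrowed in the request body. The Go program below is an added example written for this brief, not code from GitHub or Gearset. It assumes a placeholder App ID of "123456", a freshly generated RSA key standing in for the App's downloaded private key, and a hypothetical repository name; the JSON field names and the endpoint in the comments are GitHub's documented ones.

```go
package main

import (
	"crypto"
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
	"encoding/base64"
	"encoding/json"
	"errors"
	"fmt"
	"strings"
	"time"
)

// Claims of a GitHub App JWT: iss is the App ID, iat may be at most 60 s in
// the past, and exp may be no more than 10 minutes after iat.
type appClaims struct {
	Iss string `json:"iss"`
	Iat int64  `json:"iat"`
	Exp int64  `json:"exp"`
}

func b64(b []byte) string { return base64.RawURLEncoding.EncodeToString(b) }

// buildAppJWT signs an RS256 JWT with the App's private key. The short exp is
// what bounds the damage if the token leaks: it stops working within minutes.
func buildAppJWT(appID string, key *rsa.PrivateKey, now time.Time) (string, error) {
	header, _ := json.Marshal(map[string]string{"alg": "RS256", "typ": "JWT"})
	claims, err := json.Marshal(appClaims{
		Iss: appID,
		Iat: now.Add(-60 * time.Second).Unix(), // backdate slightly to tolerate clock drift
		Exp: now.Add(9 * time.Minute).Unix(),   // stay under GitHub's 10-minute maximum
	})
	if err != nil {
		return "", err
	}
	signingInput := b64(header) + "." + b64(claims)
	digest := sha256.Sum256([]byte(signingInput))
	sig, err := rsa.SignPKCS1v15(rand.Reader, key, crypto.SHA256, digest[:])
	if err != nil {
		return "", err
	}
	return signingInput + "." + b64(sig), nil
}

// verifyAppJWT checks the signature and expiry the way GitHub would, so the
// example can show that a stale token is refused rather than silently reused.
func verifyAppJWT(token string, pub *rsa.PublicKey, now time.Time) (appClaims, error) {
	var c appClaims
	parts := strings.Split(token, ".")
	if len(parts) != 3 {
		return c, errors.New("malformed JWT")
	}
	sig, err := base64.RawURLEncoding.DecodeString(parts[2])
	if err != nil {
		return c, err
	}
	digest := sha256.Sum256([]byte(parts[0] + "." + parts[1]))
	if err := rsa.VerifyPKCS1v15(pub, crypto.SHA256, digest[:], sig); err != nil {
		return c, fmt.Errorf("bad signature: %w", err)
	}
	payload, err := base64.RawURLEncoding.DecodeString(parts[1])
	if err != nil {
		return c, err
	}
	if err := json.Unmarshal(payload, &c); err != nil {
		return c, err
	}
	if now.Unix() >= c.Exp {
		return c, errors.New("JWT expired")
	}
	return c, nil
}

// InstallationTokenRequest is the JSON body of
// POST /app/installations/{installation_id}/access_tokens. Naming repositories
// and permissions narrows the one-hour token below what the installation allows.
type InstallationTokenRequest struct {
	Repositories []string          `json:"repositories,omitempty"`
	Permissions  map[string]string `json:"permissions,omitempty"`
}

// scopedTokenRequest asks for a token that can only read code and write pull
// requests in the listed repositories, matching the table's "Read vs Write" row.
func scopedTokenRequest(repos []string) ([]byte, error) {
	return json.Marshal(InstallationTokenRequest{
		Repositories: repos,
		Permissions:  map[string]string{"contents": "read", "pull_requests": "write"},
	})
}

func main() {
	key, _ := rsa.GenerateKey(rand.Reader, 2048) // constructed stand-in for the App's private key
	now := time.Now()
	jwt, _ := buildAppJWT("123456", key, now) // "123456" is a placeholder App ID
	claims, err := verifyAppJWT(jwt, &key.PublicKey, now)
	fmt.Println("fresh:", claims, err)
	_, err = verifyAppJWT(jwt, &key.PublicKey, now.Add(15*time.Minute))
	fmt.Println("after 15 min:", err)
	body, _ := scopedTokenRequest([]string{"deploy-metadata"}) // hypothetical repository name
	fmt.Println(string(body))
}
```

In practice the JWT goes in the Authorization header of the access_tokens call and the returned installation token (not the JWT) is what the integration uses for repository work; when it expires an hour later, the App simply signs a new JWT and requests another, which is why no long-lived secret ever needs to be stored beside the code.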
