Third-party applications that need to verify your GitHub identity, or interact with data on GitHub on your behalf, can ask you to authorize their GitHub App to do so.
Before authorizing a GitHub App, make sure you trust the application: check who developed it and review the kinds of information and access it is requesting. Authorization is a grant of access to your account, so treat it with the same care as sharing a credential.
During authorization, you'll be prompted to grant the GitHub App permission to:
- Verify your GitHub identity
  When authorized, the GitHub App will be able to programmatically retrieve your public GitHub profile, as well as some private details (such as your email address), depending on the level of access requested.
- Know which resources you can access
  When authorized, the GitHub App will be able to programmatically read the private GitHub resources that you can access (such as private GitHub repositories) where an installation of the GitHub App is also present. The application may use this, for example, to show you an appropriate list of repositories.
- Act on your behalf
  The application may need to perform tasks on GitHub as you. This might include creating an issue or commenting on a pull request. This ability to act on your behalf is limited to the GitHub resources where both you and the GitHub App have access. Not every application uses this ability; some never make changes on your behalf.
When does a GitHub App act on your behalf?
The situations in which a GitHub App acts on your behalf vary according to the purpose of the GitHub App and the context in which it is being used.
For example, an integrated development environment (IDE) may use a GitHub App to interact on your behalf in order to push changes you have authored in the IDE back to repositories on GitHub. The GitHub App achieves this through a user-to-server request: a request authenticated with a user access token, so it is constrained by your access as well as by the app's installation and permissions.
When a GitHub App acts on your behalf in this way, this is identified on GitHub via a special icon that shows a small avatar for the GitHub App overlaid onto your own avatar, similar to the one shown below.
To what extent can a GitHub App know which resources you can access and act on your behalf?
The extent to which a GitHub App can know which resources you can access and act on your behalf, after you have authorized it, is limited by all of the following:
- The organizations or repositories on which the app is installed
- The permissions the app has requested
- Your access to GitHub resources
Let's use an example to explain this.
GitHub user Alice logs in to a third-party web application, ExampleApp, using her GitHub identity. During this process, Alice authorizes ExampleApp to perform actions on her behalf.
However, the activity ExampleApp can perform on Alice's behalf in GitHub is constrained by the repositories on which ExampleApp is installed, the permissions ExampleApp has requested, and Alice's own access to GitHub resources. Any one of these missing is enough to block the action.
This means that, in order for ExampleApp to create an issue on Alice's behalf in a repository called Repo A, all of the following must be true:
- ExampleApp's GitHub App requests write access to issues.
- A user with admin access to Repo A must have installed ExampleApp's GitHub App on Repo A.
- Alice must have at least read permission for Repo A. For information about which permissions are required to perform various activities, see "Repository permission levels for an organization."
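The following is an added example, not code from the GitHub documentation or from GitHub itself. It models offline how the three constraints above combine in a user-to-server request, covering both the "Know which resources you can access" grant and the Repo A scenario. The sample data is constructed and only loosely shaped after the responses of GET /user/installations and GET /user/installations/{installation_id}/repositories; the installation IDs, organization and repository names, and the none < read < write < admin ordering of permission levels are assumptions made for the illustration.

```python
"""Offline model of what a GitHub App can do on a user's behalf.

The user-to-server token sees only installations of the app, and within each
installation only the repositories the user can access. Acting then requires
both the app's requested permission and the user's own repository access.
"""
from typing import Dict, List, Optional, Tuple

# Assumption: app permission levels are ordered none < read < write < admin.
LEVEL_RANK = {"none": 0, "read": 1, "write": 2, "admin": 3}

# Constructed sample: installations visible to Alice's user access token.
# Installation 202 shows an admin who granted the app only read access to issues.
INSTALLATIONS: List[dict] = [
    {"id": 101, "app_slug": "exampleapp", "account": {"login": "octo-org"},
     "permissions": {"issues": "write", "metadata": "read"}},
    {"id": 202, "app_slug": "exampleapp", "account": {"login": "other-org"},
     "permissions": {"issues": "read", "metadata": "read"}},
]

# Constructed sample: repositories each installation covers AND Alice can access.
# A repository where the app is not installed, or that Alice cannot see, never
# appears here, which is how the app "knows which resources you can access".
# The per-repository permissions object reflects Alice's access, not the app's.
REPOS_BY_INSTALLATION: Dict[int, List[dict]] = {
    101: [
        {"full_name": "octo-org/repo-a", "private": True,
         "permissions": {"admin": False, "push": False, "pull": True}},
    ],
    202: [
        {"full_name": "other-org/repo-c", "private": True,
         "permissions": {"admin": True, "push": True, "pull": True}},
    ],
}


def find_installation(repo_full_name: str,
                      installations: List[dict],
                      repos_by_installation: Dict[int, List[dict]]
                      ) -> Tuple[Optional[dict], Optional[dict]]:
    """Return (installation, repo) when the app is installed on the repository
    and the user can access it; otherwise (None, None)."""
    for inst in installations:
        for repo in repos_by_installation.get(inst["id"], []):
            if repo["full_name"] == repo_full_name:
                return inst, repo
    return None, None


def app_has(inst: dict, permission: str, level: str) -> bool:
    """True if the installation was granted at least `level` on `permission`."""
    granted = inst["permissions"].get(permission, "none")
    return LEVEL_RANK.get(granted, 0) >= LEVEL_RANK[level]


def user_has(repo: dict, need: str) -> bool:
    """True if the user's own access on the repository includes `need`
    (one of the keys of the repository permissions object: pull/push/admin)."""
    return bool(repo["permissions"].get(need, False))


def can_perform(repo_full_name: str, app_perm: str, app_level: str,
                user_need: str,
                installations: List[dict] = INSTALLATIONS,
                repos_by_installation: Dict[int, List[dict]] = REPOS_BY_INSTALLATION
                ) -> Tuple[bool, str]:
    """Apply the three constraints in order and report the first one that fails."""
    inst, repo = find_installation(repo_full_name, installations, repos_by_installation)
    if inst is None:
        return False, "app not installed on this repository, or user cannot access it"
    if not app_has(inst, app_perm, app_level):
        return False, f"app installation lacks {app_perm}:{app_level}"
    if not user_has(repo, user_need):
        return False, f"user lacks '{user_need}' access on the repository"
    return True, "allowed"


def can_create_issue(repo_full_name: str, **kwargs) -> Tuple[bool, str]:
    """Creating an issue needs the app's issues:write and the user's read (pull) access."""
    return can_perform(repo_full_name, "issues", "write", "pull", **kwargs)


if __name__ == "__main__":
    for name in ("octo-org/repo-a", "other-org/repo-c", "octo-org/repo-z"):
        print(name, can_create_issue(name))
    # Alice has only read on repo-a, so an action needing push is denied even
    # though the app holds issues:write there.
    print("octo-org/repo-a (needs push)", can_perform("octo-org/repo-a", "issues", "write", "push"))
```

Each denial names the constraint that failed, which is the order a practitioner should check when an app call is rejected: installation scope first, then the app's granted permission, then the user's own role on the repository.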