OAuth App cannot access scope user:email

[lukehinds]

Select Topic Area

Question

Body

A user logins via github, which consists of my app posting to https://github.com/login/oauth/access_token with the scope of scope=user:email (alongside the client_id and the client_secret and oauth2 code

I then get returned a oauth2 style token: gho_xyz...

But I don't have the needed scope granted. I can see this in the response from GitHubs API.

{access_token: 'gho_xyz..', token_type: 'bearer', scope: ''}

I then post to the https://api.github.com/user/emails with the token as the authentication bearer and the result is:

response.status: 404
{
  message: 'Not Found',
  documentation_url: 'https://docs.github.com/rest/reference/users#list-email-addresses-for-the-authenticated-user'
}

I have verified it is not my code, by using the exact same code, but to post to https://api.github.com/user instead which returns information correctly.

One thing I have noted from following the docs here

The result shows only repo as a oauth scope (I got this running curl with an active oauth2 token):

x-oauth-scopes: admin:enterprise, admin:gpg_key, admin:org, admin:org_hook, admin:public_key, admin:repo_hook, admin:ssh_signing_key, audit_log, codespace, delete:packages, delete_repo, gist, notifications, project, repo, user, workflow, write:discussion, write:packages
x-accepted-oauth-scopes: repo

If I hard code a PAT token an email is returned, so it seems to be a permissions thing.

I thought maybe the scope needed to reflect permissions in the UI set up screen, but unlike a GitHub app, there are no fine grained access controls.

Any ideas?

[jge162]

good day @lukehinds to retrieve the email addresses, you need to have at least the "user" scope granted. Also worth checking the repository or organization's permission settings on GitHub to ensure that the necessary permissions are set. If you don't have the necessary scope granted, you won't be able to retrieve the email addresses even if you have a valid OAuth token.

[lukehinds]

@jge162 I know i need the scope granted, but how do I grant the scope? - where would I do that?

[jge162]

is this what your code looked like? its not complete on top so cant tell if you did like this...

https://github.com/login/oauth/authorize?client_id=your_client_id&scope=user:email&state=random_state_string

[lukehinds]

Yes, that's exactly it.