How to customize the redirect URL when registering a Github App?

[pieterbreed]

Select Topic Area

Question

Body

I have a registered Github App and in our app we request that users install the app to their account. We do so by presenting our users with a link to github.com/apps/<our-app-name>/installations/new?state=<some-stuff>.

We have the setting ENABLED for Request user authorization (OAuth) during installation, so after making a choice of account, the user is presented with a page titled Install & Authorize <our-app-name> and at the bottom, below the Install & Authorize button, it has this text: Next: you'll be redirected to https://<our-prod-domain-name>/api/external/github-callback.

My question is this: how can I customize that URL during development? I depend on the parameters that URL receives to complete the authorization flow, but during development, that call goes to production and not to localhost.

[pieterbreed]

I'm not integrating with squareup, I'm trying to customize the behavour for github apps specifically.

[schlichtanders]

I am also running into this.

Some notes:

• I couldn't find any documentation about /new?state=, so this probably won't work.
• you can set setup-url or callback-url (if you activated authorization as part of isntallation) to have a redirect ON THE FIRST INSTALLATION
• Second time, the app will already be installed, and the very same url unfortunately points to the settings page of the installation, instead of redirecting automatically in order to realize an authorization flow.

I am currently trying to figure out a way how to automate this kind of... my best guess is to first try user authorization and then after having the user you can check whether the user already installed the app and if not redirect to the installation.

[pieterbreed]

Thank you for your response. I tried to add callback_url and setup_url as query parameters to the github.com/apps/<our-app-name>/installations/new?state=<some-stuff> url, but those did not work. It seems the URL that the user is redirected to after first installation is part of the app's config.

Regarding docs for /new?state=, visit https://docs.github.com/en/apps/sharing-github-apps/sharing-your-github-app#sharing-your-github-app-via-an-install-link and look at point pt 8 where the state parameter is described.

[Yashasv-Prajapati]

Did you find any fix for this? I have tried several things but could not find anything till now :(

[lalitr091]

@pieterbreed did you get any workaround for this. I am also in a similar scenario where I want to redirect to 2nd callback url after user authorizes app installation but it always redirects to the first callback url.

[pieterbreed]

I did not achieve this outcome. In our app we gave the user 3 choices, default which is install & authorize, then Retry Installation & Retry Authorization. Authorization allows you to customize the callback URL and we just learnt to live with this shortcoming.

[horlah]

Actually, this was catered for (maybe recently updated), I guess we all missed it.

Instead of adding multiple callback URL fields here and/or trying to specify it in the installation URL somehow, you should instead uncheck the "Request user authorization (OAuth) during installation" checkbox below the "Callback URL" input and add the callback URL for your Github App installation redirect to the "Setup URL (optional)" input field in the "Post installation" section.

[horlah]

@iamnotstatic see here.

[iamnotstatic]

I see, thanks for pointing that out. However, this approach only works for the initial app installation. Subsequent user actions after installation redirect them to the configuration page instead of the redirect uri

[iamnotstatic]

Did anyone find any fix for this? I have tried several things but could not find anything till now, essentially for the subsequent redirect when the user already has the app installed :(

[simdd]

Hi, did you finally settle it? I have the same problem. It would be nice if you could redirect back whether you installed it or not

[dagan-bronstein-work]

We also have this problem. Anyone know? I realize that there needs to be a way for a user to further fine-tune their settings (e.g. if they selected only one repo, sending to the installation for the 2nd or 3rd time, it may be because they want to add yet another repo).

But the user needing to click "Save" in the settings page to initiate the redirect is a very odd user experience and many users don't understand what they need to do in order to proceed.

Furthermore, if the user selected "All repositories", there really is no need for the installation. It would be ideal if we had a way, using only an installation token, somehow check the permissions of the client that wants to authenticate in order to decide whether we want to proceed to settings or whether we have all the perms we need and should skip to the next step.

We could mimic this ourselves, but only if we allow a user to have only one github user connected on our end. We are incapable of knowing whether the user intends to choose a different account. The flow of the the old OAuth is ideal for this purpose. You ask for permission, and you are either immediately redirected if it is already given, or if you are logged into multiple accounts, you are prompted to choose one. And you are only prompted to grant acceess if the account you chose is not already authorized.

[na47io]

i've got this option in my configuration

[Yashasv-Prajapati]

A naive workaround I found (and used in my side project) was to

1. Check if they have the GitHub app installed by fetching all users and searching in that list, I'm not sure if the searching could be optimized by somehow using binary search or some algorithm, but still if you have billions of users, this would take a lot of time to even process, let alone get the response via GitHub's REST get API . However, If the numbers of users are not significantly high, i think this will work just fine.
2. If the app is installed, request the access token or anything else using the code that GitHub provides in the url parameters. Redirect them to your dashboard.

[Sammy-T]

Like @Yashasv-Prajapati suggested, I'm also using a method that checks if the app was installed.

In my app's settings, I have Callback URL and Setup URL set to the same url for my dashboard. Then:

1. I have a button that redirects to authorization. (If the app's already authorized it'll redirect back to the dashboard with the auth code)
2. Check if the page was redirected to from an installation. (Looking for the setup_action param)
   1. If it was, the app should already be authorized and installed on the account, so automatically perform step 1 to retrieve an auth code.
3. Check for the code and state. Then exchange the code for a token.
4. Make a request for the user's installations and check if the user has the app installed.
   1. If it isn't installed, redirect to the app's install page. (If possible, delete the current token before redirecting)
5. The app is authorized, installed, and has a valid token.

This approach is far from ideal but it seems to work decently enough for my needs.

[Geflic]

When Request user authorization (OAuth) during installation is enabled, GitHub seems to always redirects to the first Callback Url you set in your app settings, regardless of any redirect_uri parameters you pass.

My workaround, makes use of the fact that the state query param is persisted across the install and redirect, so you can "embed" the desired redirect url in the state.

1. Set the first Callback Url in the app settings to a redirect page hosted on your domain:
   https://your-domain.com/redirect/
2. Generate a random state, join it with your redirect url and use the whole thing as your state parameter when installing
   github.com/apps/<our-app-name>/installations/new?state=<RANDOMSTATE><DESIRED_REDIRECT_URL>
3. On your redirect page read the state query parameter, split it to the RANDOMSTATE and DESIRED_REDIRECT_URL and redirect to your desired url with all the needed query params

Super hacky but the best you can do for now

[smith-kyle]

why include a random state value at the beginning of the string?

Oh, to ensure you're still protecting against cross site forgery attacks?

[Johnzi001]

I've been dealing with similar issues. I found that setting the setup_url works for the first installation, but after that, users are just redirected to the settings page. I’m experimenting with using the state parameter to encode the desired redirect URL and then splitting it on a custom redirect page. Not perfect, but it’s been working so far.

[github-actions[bot]]

🕒 Discussion Activity Reminder 🕒

This Discussion has been labeled as dormant by an automated system for having no activity in the last 60 days. Please consider one the following actions:

1️⃣ Close as Out of Date: If the topic is no longer relevant, close the Discussion as out of date at the bottom of the page.

2️⃣ Provide More Information: Share additional details or context — or let the community know if you've found a solution on your own.

3️⃣ Mark a Reply as Answer: If your question has been answered by a reply, mark the most helpful reply as the solution.

Note: This dormant notification will only apply to Discussions with the Question label. To learn more, see our recent announcement.

Thank you for helping bring this Discussion to a resolution! 💬

[RihanArfan]

The question is still relevant