OAuth App permissions in an organization #48390
Replies: 1 comment
🕒 Discussion Activity Reminder 🕒
This Discussion has been labeled as dormant by an automated system for having no activity in the last 60 days. Please consider one of the following actions:
1️⃣ Close as Out of Date: If the topic is no longer relevant, close the Discussion as
2️⃣ Provide More Information: Share additional details or context — or let the community know if you've found a solution on your own.
3️⃣ Mark a Reply as Answer: If your question has been answered by a reply, mark the most helpful reply as the solution.
Note: This dormant notification will only apply to Discussions with the
Thank you for helping bring this Discussion to a resolution! 💬
I have a doubt concerning third-party OAuth App integrations that are approved for use in an organization.
Does an approved app run under the context of the user who logs into it or under the context of the organization owner who approved it? I would think the app would be restricted to the logged-in user's context. But in this article about the differences between GitHub Apps and OAuth Apps, it states:
Does that mean that an approved OAuth App could allow an organization member to bypass their normal restrictions?