An SSH key added for a user cannot access organizations a user belongs to

[BruceMacD]

Select Topic Area

Bug

Body

It appears as though SSH keys added to a user's account via the API using an OAuth bearer token do not get access to repos that the user has been granted access to via an organization. Is this intended behavior?

API SSH Key Add Behavior

When an SSH key is added via an OAuth client in the API the SSH key can be used to access personal repositories, but not organization level repositories.

1. Authorize an OAuth app with the write:public_key scope.
2. Create an ssh key and set it in the ssh agent.
3. The app uses the user's auth token to add the SSH key via the API.
4. The key can be used but accessing repositories that the user has access to via an organization fails with the error fatal: Could not read from remote repository..

Manual SSH Key Add Behavior

When an SSH key is added explicitly be a user via the UI it can be used to authenticate and perform any actions the user is authorized to do.

1. Create an ssh key and set it in the ssh agent.
2. Add the ssh key via https://github.com/settings/ssh/new
3. Running git commands in a git repository a user has access to via an organization works.

Additional Info

Testing access with an SSH key created via the API works:

ssh -T [email protected]
Hi Name! You've successfully authenticated, but GitHub does not provide shell access.

But fetching repos that belong to an organization fails:

$ git fetch
ERROR: Repository not found.
fatal: Could not read from remote repository.

Please make sure you have the correct access rights
and the repository exists.

I can see that the key was in fact used when running git fetch (screenshot modified as a general example).

[byrneh]

I suspect you may be trying to access a SAML enabled organizations which requires a user PAT or SSH key to be explicitly authorized for an Organization
authorizing-an-ssh-key-for-use-with-saml-single-sign-on

[BruceMacD]

Thanks for the suggestion, I found that it was from the org's third party application access policy from digging around here.

[BruceMacD]

Update:
I found that this was because of the organization's "third-party application access policy". Removing these restrictions means the SSH key added by the application can be used. Bit of a strange restriction in my opinion considering that these SSH keys are added to act on the users behalf.

[nmnWithNucleus]

Hi! I ran into the same problem and your answer cleared my way.

• I have an organization under my profile that I am owner/admin of.
• I have a private repo inside this organization.
• I have also added myself as member in this repo (though owners are always members in every repo of organization).
• Now, when I try to git clone this private repo, I get the same error

ERROR: Repository not found.
fatal: Could not read from remote repository.

• After turning removing restrictions in Third-party application access policy, I was able to successfully clone the private repo.

However, I was wondering if we really want to keep the third-party application access policy in restricted mode, is there a way we can enable the external SSH user to request for the access?