Security of GitHub Apps when consumed by Multi-Tenanted applications #58836
Replies: 2 comments
-
Thank you! Security of GitHub Apps is very important for me.
-
🕒 Discussion Activity Reminder 🕒 This Discussion has been labeled as dormant by an automated system for having no activity in the last 60 days. Please consider one of the following actions:
1️⃣ Close as Out of Date: If the topic is no longer relevant, close the Discussion as
2️⃣ Provide More Information: Share additional details or context — or let the community know if you've found a solution on your own.
3️⃣ Mark a Reply as Answer: If your question has been answered by a reply, mark the most helpful reply as the solution.
Note: This dormant notification will only apply to Discussions with the
Thank you for helping bring this Discussion to a resolution! 💬
Topic area: Question
We are looking to implement a GitHub App (which I'll refer to as a GHA) for use by our customers but are having difficulty understanding how consumers would typically make secure use of a GHA in multi-tenanted applications.
Let's say I run a website, MyWidgets.com, and I want companies to be able to connect their GitHub organizations via a MyWidgets GHA. When a user with all the right permissions installs the MyWidgets GitHub App into their GitHub organization via the MyWidgets.com website, GitHub installs the MyWidgets GHA into their organization, and from the MyWidgets.com backend we are able to correlate that installation to their MyWidgets company/tenant.
This is great because now the GHA is authenticated on its own, and as people come and go from the company, it continues to function and authenticate, even if the original user who first installed the app leaves the company/tenant.
This great feature of GHAs, however, leaves open some questions due to the "single installation per org" data model.
Multi-Tenanted Scenario
Let's say Steve, a user who has all the right permissions, installs the MyWidgets GHA into their GitHub organization through the MyWidgets.com web app for their corporate Acme account. MyWidgets can then interact with that organisation's repositories on behalf of the GHA, and some of this functionality is exposed through the MyWidgets.com portal when the customer is logged in.
Steve then sets up another MyWidgets account (let's say for personal use) and goes to install the GHA again for that new account, linked to his Acme GitHub org. This is all acceptable since he has the right permissions in GitHub to the Acme org.
Since a GHA can only be installed once for each GH org, as far as GH is concerned the MyWidgets app is already installed to the Acme org, so there is nothing further to do.
When Steve is then let go from his company, he has his access to the Acme account revoked in MyWidgets, but he still has access to his personal account, which itself is still linked to the GHA, with the same instance being used by the corporate MyWidgets account. Even though Steve has been removed from the Acme GitHub org, since the GHA itself only has one installation in that org, itself not dependent on his account, all tenants on the MyWidgets side will continue to also have access.
What should we be doing here?
We can keep track of which of our internal tenants have access to which instance without any trouble, but since that's purely an internal concern, and the app by design isn't dependent on the access of the user who originally installed it, how do developers of GitHub Apps for use in multi-tenanted systems possibly deal with this?
Now I get that this is partly by design; we want the app to continue working once it has been installed, but since from the GH side there can only be one installation per GHA, how can these sorts of multi-tenanted scenarios possibly be managed? So I'm not necessarily saying this is a bug or design flaw, but what piece of the process am I missing here to ensure proper security?
The only options I see are either
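One defensive model for the scenario described in this post, as an added example that is not code from the discussion, from MyWidgets or from GitHub: the backend keeps its own tenant-to-installation links and only lets a tenant keep a link while at least one of that tenant's current members can still see the installation on the GitHub side. The `accessible` mapping is a constructed stand-in for a per-user lookup of the installations GitHub reports as accessible to that user; the tenant names, user names and installation id 101 are constructed values.

```python
from dataclasses import dataclass, field

@dataclass
class Tenant:
    """One MyWidgets tenant: its members and the installations linked to it."""
    name: str
    members: set[str] = field(default_factory=set)
    installations: dict[int, str] = field(default_factory=dict)  # id -> linked by

def link_installation(tenant: Tenant, user: str, inst_id: int,
                      accessible: dict[str, set[int]]) -> bool:
    """Link only if the acting user is a tenant member AND GitHub currently
    shows the installation as accessible to that user (both checks, not one)."""
    if user not in tenant.members:
        return False
    if inst_id not in accessible.get(user, set()):
        return False
    tenant.installations[inst_id] = user
    return True

def revalidate(tenant: Tenant, accessible: dict[str, set[int]]) -> set[int]:
    """Drop links no remaining member can vouch for; return the revoked ids.
    Run on every membership change and on a schedule, because the single
    GitHub-side installation outlives whoever linked it."""
    revoked = set()
    for inst_id in list(tenant.installations):
        vouched = any(inst_id in accessible.get(m, set()) for m in tenant.members)
        if not vouched:
            del tenant.installations[inst_id]
            revoked.add(inst_id)
    return revoked

def run_scenario() -> dict:
    """Constructed walk-through of the post: Steve links the one Acme
    installation to both a corporate and a personal tenant, then leaves."""
    accessible = {"steve": {101}, "alice": {101}}          # Acme org admins
    corp = Tenant("acme-corp", {"steve", "alice"})
    personal = Tenant("steve-personal", {"steve"})
    linked = (link_installation(corp, "steve", 101, accessible),
              link_installation(personal, "steve", 101, accessible))
    # Offboarding: GitHub no longer lists installation 101 for Steve, and he
    # is removed from the corporate tenant. The personal tenant still has him.
    accessible.pop("steve")
    corp.members.discard("steve")
    return {
        "linked": linked,
        "revoked_corp": revalidate(corp, accessible),        # alice still vouches
        "revoked_personal": revalidate(personal, accessible),  # nobody can
        "corp_keeps": set(corp.installations),
        "personal_keeps": set(personal.installations),
    }
```

The corporate tenant keeps the installation because another current member can still see it, while the personal tenant loses it even though the GitHub installation itself is untouched.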