We have a GitHub app that can be installed on a repository. This works using the GitHub app authorization flow that returns back an installation_id that we use to associate a user account on our web app with their GitHub repository. In this case we get a callback to our url: /callback?setup_action=install&installation_id=<installation_id>
This typically works fine, but there are some scenarios where the authorization flow doesn't complete in a single step. In many GitHub orgs, it requires approval from an admin before the app can be installed. In these cases we don't immediately get the installation_id in the url but a request state: /callback?setup_action=request, and once the admin approves we get the installation_id.
In this case, since the approval step is completed by a different user, we don't have our web app session to associate the user with this installation_id. Is there a way to identify the user / account of the original request when the authorization is approved?
Have you looked in to preserving a state? https://docs.github.com/en/apps/maintaining-github-apps/installing-github-apps#preserving-an-application-state-during-installation
You can then save the userId/account in that state like so:
Once the setup is complete, the
stateparameter will be included in the callback like so: