Our goal is to get all sorts of private information from a GitHub authenticated login.

1. Create an AOuth app and request authorization with the correct scope

First, create an AOuth app from:

• https://github.com/settings/developers

For reading private members of an organization, read:org scoped access token needs to be requested when authorizing. For example, with Github-Flask, do:

github.authorize(scope="read:org")

For a detailed list of what scopes enables access to what, see here.

After a successful authentication, GitHub will callback with an access token, which then needs to be applied in the requests that you make.

$ curl -H "Authorization: token OAUTH-TOKEN" https://api.github.com/users/codertocat

For details on the whole OAuth app workflow, see:

• https://developer.github.com/apps/building-oauth-apps/authorizing-oauth-apps/#web-application-flow

2. For organization to grant access

When a authorizing request is sent with scope read:org, the authentication step will include the organization access below:

We need to hit the Request button there, and then as admin of organization, grant access to this at:

• https://github.com/organizations/{org}/settings/oauth_application_policy

Only then, will the access token we retrieved earlier be able to retrieve the full list of members from an organization with:

$ curl -H "Authorization: token OAUTH-TOKEN" https://api.github.com/orgs/:org/members

For details on the member API, see docs here:

• https://developer.github.com/v3/orgs/members/#check-membership

Bugshooting

If the length of the member list is longer than 50, you might still not get the full list. In which case, use the per_page and page parameters:

• https://developer.github.com/v3/guides/traversing-with-pagination/#changing-the-number-of-items-received