Security updates - app visibility and internal behavior for tokens (#56240)

hpsin · jules-p · Copilot · web-flow · commit 0b291aae6cb4 · 2025-06-30T13:33:05.000Z
Co-authored-by: Jules &lt;19994093+jules-p@users.noreply.github.com&gt;
Co-authored-by: Copilot &lt;175728472+Copilot@users.noreply.github.com&gt;
Co-authored-by: mc &lt;42146119+mchammer01@users.noreply.github.com&gt;
diff --git a/content/admin/managing-iam/understanding-iam-for-enterprises/abilities-and-restrictions-of-managed-user-accounts.md b/content/admin/managing-iam/understanding-iam-for-enterprises/abilities-and-restrictions-of-managed-user-accounts.md
@@ -38,8 +38,6 @@ With {% data variables.product.prodname_emus %}, you can control the user accoun
 * Can purchase and install paid {% data variables.product.prodname_github_apps %} only if the {% data variables.enterprise.prodname_managed_user %} is an enterprise owner.
 * Can create {% data variables.product.prodname_github_apps %} and {% data variables.product.prodname_oauth_apps %}.
 
-  {% data reusables.emus.oauth-app-note %}
-
 ## {% data variables.product.prodname_github_codespaces %}
 
 * On {% data variables.product.prodname_dotcom_the_website %}, {% data variables.enterprise.prodname_managed_users %} can only create codespaces that are owned by the enterprise. This means that {% data variables.enterprise.prodname_managed_users %}:
diff --git a/content/apps/creating-github-apps/about-creating-github-apps/about-creating-github-apps.md b/content/apps/creating-github-apps/about-creating-github-apps/about-creating-github-apps.md
@@ -49,9 +49,9 @@ Once you have written the code for your {% data variables.product.prodname_githu
 
 To use your {% data variables.product.prodname_github_app %}, you need to install it on your organization or personal account.
 
-* If your {% data variables.product.prodname_github_app %} is **private**, you can only install it on the account that owns the app.
-* If your {% data variables.product.prodname_github_app %} is **public**, other users and organizations can also install it.{% ifversion enterprise-apps-public-beta %}
-* If your {% data variables.product.prodname_github_app %} is owned by an **enterprise**, you can install it on any organization within that enterprise.{% endif %}
+* If your {% data variables.product.prodname_github_app %} is **private**, you can only install it on the account that owns the app. {% ifversion restrictive-app-authz %}If it's owned by an organization, only members of the organization can sign in to it. If it's owned by your user account, only you can sign in to it.{% endif %}
+* If your {% data variables.product.prodname_github_app %} is **public**, other users and organizations can also install it. Anyone can sign in to it.{% ifversion enterprise-apps-public-beta %}
+* If your {% data variables.product.prodname_github_app %} is owned by an **enterprise**, you can install it on any organization within that enterprise.{% ifversion restrictive-app-authz %} Only members of the enterprise can sign in to it.{% endif %}{% endif %}
 
 For more information, see [AUTOTITLE](/apps/using-github-apps/installing-your-own-github-app) and [AUTOTITLE](/apps/sharing-github-apps/sharing-your-github-app).
 
diff --git a/content/apps/creating-github-apps/registering-a-github-app/making-a-github-app-public-or-private.md b/content/apps/creating-github-apps/registering-a-github-app/making-a-github-app-public-or-private.md
@@ -22,9 +22,9 @@ shortTitle: Visibility
 
 ## About visibility for {% data variables.product.prodname_github_apps %}
 
-A {% data variables.product.prodname_github_app %} can be {% ifversion fpt %}public or private{% elsif enterprise-apps-public-beta %}public, private, or internal{% endif %}.{% ifversion fpt or ghec %} If you set your {% data variables.product.prodname_github_app %} registration to public, any user on {% data variables.product.github %} can install it. If you set your {% data variables.product.prodname_github_app %} registration to private, it can only be installed on the account that owns the app.
+A {% data variables.product.prodname_github_app %} can be {% ifversion fpt %}public or private{% elsif enterprise-apps-public-beta %}public, private, or internal{% endif %}.{% ifversion fpt or ghec %} If you set your {% data variables.product.prodname_github_app %} registration to public, any user on {% data variables.product.github %} can install it and authorize it. If you set your {% data variables.product.prodname_github_app %} registration to private, it can only be installed on the account that owns the app. Only members of the organization that owns it can authorize it.
 
-{% elsif ghes %} If you set your {% data variables.product.prodname_github_app %} registration to public, anyone on your {% data variables.product.prodname_ghe_server %} instance can install it, but the app is not available outside of your instance. If you set your {% data variables.product.prodname_github_app %} registration to private, it can only be installed on the account that owns the app.{% endif %}
+{% elsif ghes %} If you set your {% data variables.product.prodname_github_app %} registration to public, anyone on your {% data variables.product.prodname_ghe_server %} instance can install it, but the app is not available outside of your instance. If you set your {% data variables.product.prodname_github_app %} registration to private, it can only be installed on the account that owns the app. {% endif %}
 
 {% ifversion enterprise-apps-public-beta %}
 {% data variables.product.prodname_github_apps %} owned by an enterprise account{% ifversion ghec %}, or by a {% data variables.enterprise.prodname_managed_user %} in an enterprise,{% endif %} have "internal" visibility. Internal apps can only be installed by organizations within the enterprise and authorized by users within the enterprise. Members of the enterprise and unaffiliated users can authorize these apps, but outside collaborators cannot.
diff --git a/content/apps/oauth-apps/building-oauth-apps/best-practices-for-creating-an-oauth-app.md b/content/apps/oauth-apps/building-oauth-apps/best-practices-for-creating-an-oauth-app.md
@@ -42,12 +42,10 @@ After signing in a user, app developers must take additional steps to ensure tha
 
 ### Verify a user's access to your app
 
-Your OAuth app can be accessed by users outside your organization or enterprise. If you intend an app to be used only by members of your organization or enterprise, you should check the user's membership status when the user signs in to your app.
+{% ifversion ghec %}An {% data variables.product.prodname_oauth_app %} created by a {% data variables.enterprise.prodname_managed_user %} or {% data variables.enterprise.prodname_emu_org %} can only be accessed by members of the enterprise that owns those accounts. Otherwise, your{% else %}Your{% endif %} OAuth app can be accessed by users outside your organization or enterprise. If you intend an app to be used only by members of your organization or enterprise, you should check the user's membership status when the user signs in to your app.
 
 To find the list of organizations a user is a member of, you can use the "List organizations for the authenticated user" endpoint. Then you can validate this list against a list of approved organizations for your app. For more information, see [AUTOTITLE](/rest/orgs/orgs#list-organizations-for-the-authenticated-user).
 
-{% data reusables.emus.oauth-app-note %}
-
 ## Secure your app's credentials
 
 With a client secret, your app can authorize a user and generate user access tokens. These tokens can be used to make API requests on behalf of a user.
diff --git a/content/apps/using-github-apps/saml-and-github-apps.md b/content/apps/using-github-apps/saml-and-github-apps.md
@@ -1,25 +1,29 @@
 ---
 title: SAML and GitHub Apps
 shortTitle: SAML with apps
-intro: "If your organization uses SAML SSO, you may need to start an active SAML session for your organization before authorizing, installing, or requesting a {% data variables.product.prodname_github_app %}."
+intro: "If your organization is SSO protected, you may need to start an active SSO session for your organization before authorizing, installing, or requesting a {% data variables.product.prodname_github_app %}."
 versions:
   ghec: '*'
 topics:
   - GitHub Apps
   - SSO
 ---
 
-## Authorizing {% data variables.product.prodname_github_apps %} for SAML users
+## Authorizing {% data variables.product.prodname_github_apps %} for users
 
-If your organization uses SAML SSO, you may not be able to see your organization's resources after you authorize a {% data variables.product.prodname_github_app %}. For example, if the app displays a list of repositories, you may not see repositories owned by your organization. To resolve this issue, follow these steps:
+If your organization or enterprise uses SSO, you may not be able to see your organization's resources or enterprise's `internal` resources after you authorize a {% data variables.product.prodname_github_app %}. For example, if the app displays a list of repositories, you may not see repositories owned by your organization. To resolve this issue, follow these steps:
 
-1. Go to `https://github.com/orgs/ORGANIZATION-NAME/sso` to start an active SAML session for your organization. Replace `ORGANIZATION-NAME` with the name of your organization.
+1. Go to `https://github.com/orgs/ORGANIZATION-NAME/sso` or `https://github.com/enterprises/ENTERPRISE_NAME/sso` to start an active SSO session for that account. Replace `ORGANIZATION-NAME` or `ENTERPRISE-NAME` with the name of the appropriate account. Attempting to access any resources owned by the account will aso trigger SSO if you don't have a session already.
 1. Revoke your authorization of the {% data variables.product.prodname_github_app %}. For more information, see [AUTOTITLE](/apps/using-github-apps/reviewing-and-revoking-authorization-of-github-apps).
 1. Reauthorize the {% data variables.product.prodname_github_app %}. {% data variables.product.prodname_github_app %} authorization is initiated by the app and varies based on the app. For example, some {% data variables.product.prodname_github_apps %} may have you click on a link or enter a command in your terminal. For more information, see [AUTOTITLE](/apps/using-github-apps/authorizing-github-apps).
 
-## Installing or requesting {% data variables.product.prodname_github_apps %} for SAML users
+SSO can be enforced at the organization or enterprise level. If it's enforced at the enterprise level, having an SSO session with any organization allows access to all organizations. This will appear as a credential authorization on the token for each organization you are a member of at the time of the application authorization.
 
-If your organization uses SAML, you may not see your organization listed when you try to install or request an {% data variables.product.prodname_github_app %} for your organization. To resolve this issue, follow these steps:
+For access to `internal` data in an enterprise, such as repositories, projects, or packages, you must have an SSO session for any organization within that enterprise. Even if the organizations do not use the same SSO provider (for instance, as a result of a merger or acquisition), any organization's SSO session is sufficient for `internal` access.
 
-1. Go to `https://github.com/orgs/ORGANIZATION-NAME/sso` to start an active SAML session for your organization. Replace `ORGANIZATION-NAME` with the name of your organization.
+## Installing or requesting {% data variables.product.prodname_github_apps %} for organizations with SSO
+
+If your organization or enterprise uses SSO, you may not see your organization listed when you try to install or request an {% data variables.product.prodname_github_app %} for your organization. To resolve this issue, follow these steps:
+
+1. Go to `https://github.com/orgs/ORGANIZATION-NAME/sso` or `https://github.com/enterprises/ENTERPRISE_NAME/sso` to start an active SSO session for that account. Replace `ORGANIZATION-NAME` or `ENTERPRISE-NAME` with the name of the appropriate account.
 1. Try to install or request the {% data variables.product.prodname_github_app %} again. For more information, see [AUTOTITLE](/apps/using-github-apps/installing-a-github-app-from-a-third-party), [AUTOTITLE](/apps/using-github-apps/installing-a-github-app-from-github-marketplace-for-your-organizations), and [AUTOTITLE](/apps/using-github-apps/requesting-a-github-app-from-your-organization-owner).
diff --git a/content/authentication/authenticating-with-saml-single-sign-on/about-authentication-with-saml-single-sign-on.md b/content/authentication/authenticating-with-saml-single-sign-on/about-authentication-with-saml-single-sign-on.md
@@ -1,6 +1,6 @@
 ---
 title: About authentication with SAML single sign-on
-intro: 'You can access an organization that uses SAML single sign-on (SSO) by authenticating through an identity provider (IdP).'
+intro: 'You can access an organization that uses single sign-on (SSO) by authenticating through an identity provider (IdP).'
 redirect_from:
   - /articles/about-authentication-with-saml-single-sign-on
   - /github/authenticating-to-github/about-authentication-with-saml-single-sign-on
@@ -11,13 +11,15 @@ topics:
   - SSO
 shortTitle: SAML single sign-on
 ---
-## About authentication with SAML SSO
+## About authentication with SSO
 
-{% data reusables.saml.dotcom-saml-explanation %} Organization owners can invite your personal account on {% data variables.product.prodname_dotcom %} to join their organization that uses SAML SSO, which allows you to contribute to the organization and retain your existing identity and contributions on {% data variables.product.prodname_dotcom %}.
+{% data reusables.saml.dotcom-saml-explanation %} Organization owners can invite your personal account on {% data variables.product.prodname_dotcom %} to join their organization that uses SSO, which allows you to contribute to the organization and retain your existing identity and contributions on {% data variables.product.prodname_dotcom %}.
+
+Access to SSO protected `internal` resources in an enterprise, such as repositories, projects, and packages, requires an SSO session for any organization in the enterprise. This allows code and work to be shared across organizations in an enterprise without requiring users to join each organization.
 
 If you're a member of an {% data variables.enterprise.prodname_emu_enterprise %}, you will instead use a new account that is provisioned for you and controlled by your enterprise. {% data reusables.enterprise-accounts.emu-more-info-account %}
 
-When you attempt to access most resources within an organization that uses SAML SSO, {% data variables.product.prodname_dotcom %} will redirect you to the organization's SAML IdP to authenticate. After you successfully authenticate with your account on the IdP, the IdP redirects you back to {% data variables.product.prodname_dotcom %}, where you can access the organization's resources.
+When you attempt to access most resources within an organization that uses SSO, {% data variables.product.prodname_dotcom %} will redirect you to the organization's SSO IdP to authenticate. After you successfully authenticate with your account on the IdP, the IdP redirects you back to {% data variables.product.prodname_dotcom %}, where you can access the organization's resources.
 
 {% data reusables.saml.resources-without-sso %}
 
@@ -45,9 +47,9 @@ To use a new or existing {% data variables.product.pat_generic %} or SSH key wit
 
 ## About {% data variables.product.prodname_oauth_apps %}, {% data variables.product.prodname_github_apps %}, and SAML SSO
 
-You must have an active SAML session each time you authorize an {% data variables.product.prodname_oauth_app %} or {% data variables.product.prodname_github_app %} to access an organization that uses or enforces SAML SSO. You can create an active SAML session by navigating to `https://github.com/orgs/ORGANIZATION-NAME/sso` in your browser.
+You must have an active SSO session each time you authorize an {% data variables.product.prodname_oauth_app %} or {% data variables.product.prodname_github_app %} in order to access an organization that uses or enforces SSO. If you do not have an active session for an organization that requires SSO when you sign into the app, the app will be unable to access that organization. You can create an active SSO session by navigating to `https://github.com/orgs/ORGANIZATION-NAME/sso` or `https://github.com/enterprises/ENTERPRISE-NAME/sso` in your browser.
 
-After an enterprise or organization owner enables or enforces SAML SSO for an organization, and after you authenticate via SAML for the first time, you must reauthorize any {% data variables.product.prodname_oauth_apps %} or {% data variables.product.prodname_github_apps %} that you previously authorized to access the organization.
+After an enterprise or organization owner enables or enforces SSO for an organization, and after you authenticate via SSO for the first time, you must reauthorize any {% data variables.product.prodname_oauth_apps %} or {% data variables.product.prodname_github_apps %} that you previously authorized to access the organization.
 
 To see the {% data variables.product.prodname_oauth_apps %} you've authorized, visit your [{% data variables.product.prodname_oauth_apps %} page](https://github.com/settings/applications). To see the {% data variables.product.prodname_github_apps %} you've authorized, visit your [{% data variables.product.prodname_github_apps %} page](https://github.com/settings/apps/authorizations).
 
diff --git a/content/authentication/authenticating-with-saml-single-sign-on/authorizing-a-personal-access-token-for-use-with-saml-single-sign-on.md b/content/authentication/authenticating-with-saml-single-sign-on/authorizing-a-personal-access-token-for-use-with-saml-single-sign-on.md
@@ -12,7 +12,7 @@ topics:
   - SSO
 shortTitle: '{% data variables.product.pat_generic_caps %} with SAML'
 ---
-You must authorize your {% data variables.product.pat_v1 %} after creation before the token can access an organization that uses SAML single sign-on (SSO). For more information about creating a new {% data variables.product.pat_v1 %}, see [AUTOTITLE](/authentication/keeping-your-account-and-data-secure/creating-a-personal-access-token). {% data variables.product.pat_v2_caps %}s are authorized during token creation, before access to the organization is granted.
+You must authorize your {% data variables.product.pat_v1 %} after creation before the token can access an organization that uses SAML single sign-on (SSO). Access to `internal` resources (repositories, projects, and packages) in an enterprise requires an SSO authorization for an organization within an enterprise. For more information about creating a new {% data variables.product.pat_v1 %}, see [AUTOTITLE](/authentication/keeping-your-account-and-data-secure/creating-a-personal-access-token). {% data variables.product.pat_v2_caps %}s are authorized during token creation, before access to the organization is granted.
 
 {% data reusables.saml.must-authorize-linked-identity %}
 
diff --git a/data/features/restrictive-app-authz.yml b/data/features/restrictive-app-authz.yml
@@ -0,0 +1,6 @@
+# Reference: #6142
+# Restricting app authz based on visibility and EMU policies
+versions:
+  fpt: '*'
+  ghec: '*'
+  ghes: '>=3.19'
