Github app setup URL security warning unclear

[matt-allan]

Code of Conduct

• I have read and agree to the GitHub Docs project's Code of Conduct

What article on docs.github.com is affected?

https://docs.github.com/en/apps/creating-github-apps/registering-a-github-app/about-the-setup-url

What part(s) of the article would you like to see updated?

The docs for the setup URL state that I need to use the user's access token to verify the installation_id:

Instead, you should generate a user access token for the user who installed the GitHub App and then check that the installation is associated with that user

However, if I check "Request user authorization" I am not allowed to enter a setup URL, as per this page.

According to this page, I need to use a setup URL if I am building a marketplace app.

So how should I verify the installation_id if I can't request user authorization?

I gathered from this page that I should immediately send them through the authorization flow. Is the idea that I keep track of the installation_id in the user's session, wait for them to come back from the authorization flow, and then check it against /user/installations when they come back?

Additional information

No response

[welcome]

Thanks for opening this issue. A GitHub docs team member should be by to give feedback soon. In the meantime, please check out the contributing guidelines.

[Sharra-writes]

Thanks so much for opening an issue! I'll get this triaged for review

[github-actions]

Thanks for opening an issue! We've triaged this issue for technical review by a subject matter expert 👀

[Sharra-writes]

@matt-allan After looking into this, I believe this question would best be handled by our support team, since the Docs team isn't equipped to answer the questions you're asking. Please reach out to them.

If you find out there's definitely something wrong in the steps outlined by the docs, or think of a better way to direct users to do what you want to do, please feel free to open another issue to offer up those changes. 💛