GitHub API v4 GraphQL: Get current authorized user organizations and their repositories

In GitHub API v3 with the repo and user authorization scopes, I can get my organizations with GET /user/orgs (https://developer.github.com/v3/orgs/#list-organizations-for-the-authenticated-user, or with Octokit REST JS, octokit.orgs.listForAuthenticatedUser()) and, for each organization, get the repositories to which I have access with GET /orgs/:org/repos (https://developer.github.com/v3/repos/#list-organization-repositories, or with Octokit, octokit.repos.listForOrg({ org: orgs.data[i].login })).

However, with the same authentication scopes (user and repo), running this GraphQL query

query getOrgsRepos {
  viewer {
    organizations(first: 10) {
      nodes {
        repositories(first: 10) {
          nodes {
            name
          }
        }
      }
    }
  }
}

Returns

{
  "data": {
    "viewer": {
      "organizations": {
        "nodes": []
      }
    }
  }
}

This is the GraphQL Explorer result (https://developer.github.com/v4/explorer/), but running the query from my JS app, authenticated with the user and repo scopes, returns the same empty result.

How can I get the same behaviour with API v4 without having to grant further permissions?

Asked Nov 16 '22 10:11 by Henrique Bruno


1 Answer

I just ran into this very issue today. Unfortunately, as of the timestamp indicated at the bottom of this answer, GitHub's GraphQL API is not on par with its REST API. The following query would only yield the viewer's public orgs, i.e. what an unauthenticated session would see listed on their github.com profile under "Organizations".

query getOrgs {
  viewer {
    organizations(first: 100) {
      totalCount
      nodes {
        name
      }
    }
  }
}

And there is no equivalent of octokit.orgs.listForAuthenticatedUser() in their GraphQL schema; that Octokit method basically fetches the REST endpoint /user/orgs to list organizations for the authenticated user. From the docs:

/user/orgs only lists organizations that your authorization allows you to operate on in some way (e.g., you can list teams with read:org scope, you can publicize your organization membership with user scope, etc.). Therefore, this API requires at least user or read:org scope. OAuth requests with insufficient scope receive a 403 Forbidden response.

In other words, with a personal access token with sufficient scopes, /user/orgs returns the same list shown on Your Organizations page. If you're authenticated using an OAuth access token, then the list is pretty much the same as shown under "Organization Access" on the user's Authorized OAuth Apps page for your OAuth app.

Answered Dec 05 '22 18:12 by jmurzy
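As an added example (not code from the question, the answer, or Octokit), the following does by hand what the question describes doing with octokit.orgs.listForAuthenticatedUser() and octokit.repos.listForOrg(): GET /user/orgs, then GET /orgs/:org/repos for each org, following Link-header pagination, and treating a 403 as the "insufficient scope" signal the quoted docs describe. The fetchImpl parameter, the makeFakeFetch helper and its page data are assumptions made so the example runs offline; with a real token you would pass the global fetch (Node 18+) instead.

```javascript
// Added example, not from the question, the answer or Octokit. It walks the two
// REST endpoints named in the question with Link-header pagination. `fetchImpl`
// is injected so the code runs offline against the constructed responses below.

const API = "https://api.github.com";

// Pull the rel="next" URL out of a GitHub Link header; null on the last page.
function nextLink(linkHeader) {
  if (!linkHeader) return null;
  for (const part of linkHeader.split(",")) {
    const m = part.match(/<([^>]+)>;\s*rel="next"/);
    if (m) return m[1];
  }
  return null;
}

// GET a paginated collection, following `next` links until the last page.
async function getAll(fetchImpl, url, token) {
  const items = [];
  let next = url;
  while (next) {
    const res = await fetchImpl(next, {
      headers: {
        Authorization: `token ${token}`,
        Accept: "application/vnd.github.v3+json",
      },
    });
    if (res.status === 403) {
      // Per the docs quoted in the answer: insufficient scope -> 403 Forbidden.
      throw new Error(`403 Forbidden for ${next}: token needs user or read:org scope`);
    }
    if (!res.ok) throw new Error(`HTTP ${res.status} for ${next}`);
    items.push(...(await res.json()));
    next = nextLink(res.headers.get("link"));
  }
  return items;
}

// Map each org login the token can operate on to the names of that org's repos.
async function listOrgRepos(fetchImpl, token) {
  const orgs = await getAll(fetchImpl, `${API}/user/orgs?per_page=100`, token);
  const result = {};
  for (const org of orgs) {
    const url = `${API}/orgs/${encodeURIComponent(org.login)}/repos?per_page=100`;
    result[org.login] = (await getAll(fetchImpl, url, token)).map((r) => r.name);
  }
  return result;
}

// ---- Constructed stand-in for fetch (assumed data, not real GitHub output) ----
// Two orgs; "acme" spans two pages so the pagination path is exercised.
const FAKE_PAGES = {
  [`${API}/user/orgs?per_page=100`]: {
    body: [{ login: "acme" }, { login: "widgets" }],
  },
  [`${API}/orgs/acme/repos?per_page=100`]: {
    body: [{ name: "api" }, { name: "web" }],
    link: `<${API}/orgs/acme/repos?per_page=100&page=2>; rel="next", <${API}/orgs/acme/repos?per_page=100&page=2>; rel="last"`,
  },
  [`${API}/orgs/acme/repos?per_page=100&page=2`]: {
    body: [{ name: "infra" }],
    link: `<${API}/orgs/acme/repos?per_page=100&page=1>; rel="prev", <${API}/orgs/acme/repos?per_page=100&page=1>; rel="first"`,
  },
  [`${API}/orgs/widgets/repos?per_page=100`]: { body: [] },
};

// Build a fetch-compatible function for a token carrying the given scopes.
// A token without user or read:org gets 403 on everything, as the docs state.
function makeFakeFetch(tokenScopes) {
  const canListOrgs = tokenScopes.includes("user") || tokenScopes.includes("read:org");
  return async (url) => {
    const headers = new Map(); // Headers-like: only .get() is used above
    if (!canListOrgs) {
      return { ok: false, status: 403, headers, json: async () => ({ message: "Forbidden" }) };
    }
    const page = FAKE_PAGES[url];
    if (!page) {
      return { ok: false, status: 404, headers, json: async () => ({ message: "Not Found" }) };
    }
    if (page.link) headers.set("link", page.link);
    return { ok: true, status: 200, headers, json: async () => page.body };
  };
}
```

Calling listOrgRepos(makeFakeFetch(["repo", "user"]), "ghp_example") yields { acme: ["api", "web", "infra"], widgets: [] }; with a token carrying only repo the first request fails with the 403 the answer's quoted docs describe, which is the check worth having before assuming an empty org list means "no organizations".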