Good article, and I agree with the recommendations; I'm trying to understand the attack flow though. You perform an actual installation and get a valid authorization code, but replace the actual installation ID with another (that the user has no access to)?

This is a major issue then from GitHub's side. I think what GitHub should do is, just like with OAuth apps, allow you to provide a state (assuming the flow is starting from the SaaS app, not from the GitHub marketplace; I assume you can't send a state since it's sort of like an "IdP initiated" flow in case you start the installation from the GitHub marketplace), but they should let you opt out and require a state. There is a reason why things like PKCE and such exist.
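As an added illustration of the state-binding the comment above asks for (this is example code, not from the article or the commenter), the handler below shows what the SaaS side would do if it could mint a `state` when it starts the installation and have it echoed back on the callback: refuse callbacks with no state (the "IdP initiated" case), refuse unknown, reused or foreign states, and then still check that the returned installation actually belongs to the user before linking it. The `installation_owner_lookup` callable and the exact callback parameter names are assumptions made for the example.

```python
"""Added example: a state-bound GitHub App installation callback handler.

Not code from the article or the commenter. It assumes (1) the SaaS app can
attach an unguessable `state` to the install link and GitHub echoes it back,
and (2) the app has some way to ask who owns an installation id
(`installation_owner_lookup`), e.g. an API call made with the installing
user's own credentials. Both are assumptions for illustration.
"""
import secrets
from dataclasses import dataclass


@dataclass
class PendingInstall:
    user_id: str  # session that started the flow
    state: str    # unguessable, single-use token


class InstallFlow:
    def __init__(self, installation_owner_lookup):
        # installation_owner_lookup(installation_id) -> user_id or None
        self._lookup = installation_owner_lookup
        self._pending: dict[str, PendingInstall] = {}

    def begin(self, user_id: str) -> str:
        """SaaS-initiated start: mint a state and remember which user owns it."""
        state = secrets.token_urlsafe(32)
        self._pending[state] = PendingInstall(user_id, state)
        return state

    def complete(self, user_id: str, params: dict) -> tuple[bool, str]:
        """Handle the post-install callback. Returns (accepted, reason)."""
        state = params.get("state")
        if not state:
            # No state means the flow was not started by us: refuse it.
            return False, "missing state (IdP-initiated callback refused)"
        pending = self._pending.pop(state, None)  # single use
        if pending is None:
            return False, "unknown or already used state"
        if pending.user_id != user_id:
            return False, "state belongs to a different session"
        installation_id = params.get("installation_id")
        if not installation_id:
            return False, "missing installation_id"
        # The state only proves the callback answers our request; the
        # installation id in it is still attacker-controllable input, so
        # verify ownership before linking it to the account.
        if self._lookup(installation_id) != user_id:
            return False, "installation not owned by this user"
        return True, f"installation {installation_id} linked to {user_id}"
```

The ownership check at the end is the part a state alone cannot give you: the state defeats injected or replayed callbacks, but the installation id still has to be validated against what the user is actually entitled to.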