Privacy issue using GitHub OAuth, inappropriate permission request

stepd

Posted on
Dec 03 2015

Hi,

Right after creating an account and using OAuth via my GitHub account (permissions: access user email addresses (read-only)), I got logged in correctly and could use the app.

However, as soon as I logged out and tried to log back in, I was asked for the following authorization from GitHub, and I cannot find a way to access your service without giving you read/write access to all my public and private repositories.

This is a big privacy concern (and a security issue if your system ever gets hacked). Please let me log in using GitHub OAuth without requesting read/write access to all my private repos, and remove the condition that would ask other users to give away their GitHub read/write access without an explicit request from them.

(I attached the screenshot too in case the image hosting removes it.)

[Screenshot: Raygun authorization request]


Jamie Penney

Posted on
Dec 07 2015

Hi,

We've got a bit of a problem with GitHub's OAuth system - it doesn't handle privilege escalation very well. We need repo access for our GitHub integrations (issue tracking integration and commit information as part of deployment tracking).

In a perfect world, we would be able to say to GitHub "This user wants to log in; we need read access to their email address for this, but if they've already given us a higher access level then leave it at that". Unfortunately that's not what happens. If we put the lesser scope on the login action, then it removes any other permissions you've given us and replaces them with the lesser scope. This means that deployment tracking stops working, and you have to re-auth every time you want to access linked GitHub issues.

Unfortunately there's no way to tell before you've logged in whether you're using these features, so we don't know in advance whether to ask GitHub for the extended permissions or not. I've talked to their support team about this and it's on their radar, but they don't have a solution for it yet.

The other problem is they don't (or didn't when we wrote it at least) have a scope that lets us just access the information we want (our integration reads and writes webhooks, reads commits, and writes issues).

I guess we didn't change the scope on the "Sign Up with GitHub" action, so it only asked for the reduced permission set when you first signed up. The "Log In with GitHub" action on the login screen uses the extended scope, which is why you would have seen the screen above.

So the short version of all this is, there's no way for us to let you log in with just read-email permissions without breaking our GitHub integrations.

Cheers,
Jamie
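The scope check behind the exchange above, as an added example that is neither Raygun's code nor part of the original thread: it reads the scopes GitHub actually granted to a token (the real `X-OAuth-Scopes` response header), works out which scopes a feature still lacks, and builds a re-authorization request that keeps everything already granted instead of replacing it with the smaller login scope. The scope-implication table and the sample headers are assumptions constructed for the example.

```python
from urllib.parse import urlencode

# Scopes named in the thread: email for login, repo for the integrations.
LOGIN_SCOPES = {"user:email"}
INTEGRATION_SCOPES = {"repo"}

# Coarse GitHub scopes that imply finer ones (subset of GitHub's published
# scope list, written here by hand for the example).
SCOPE_IMPLIES = {
    "repo": {"public_repo", "repo:status", "repo_deployment"},
    "user": {"user:email", "read:user"},
    "admin:repo_hook": {"write:repo_hook", "read:repo_hook"},
    "write:repo_hook": {"read:repo_hook"},
}

# Constructed sample of the headers GitHub returns on an authenticated API call.
SAMPLE_HEADERS = {"X-OAuth-Scopes": "user:email, repo", "X-Accepted-OAuth-Scopes": "repo"}


def granted_scopes(headers):
    """Parse the comma-separated X-OAuth-Scopes header into a set of scope names."""
    raw = headers.get("X-OAuth-Scopes", "")
    return {s.strip() for s in raw.split(",") if s.strip()}


def expand(scopes):
    """Close a scope set under implication, so 'repo' also satisfies 'public_repo'."""
    result, frontier = set(scopes), list(scopes)
    while frontier:
        for child in SCOPE_IMPLIES.get(frontier.pop(), ()):
            if child not in result:
                result.add(child)
                frontier.append(child)
    return result


def missing_scopes(granted, needed):
    """Scopes a feature needs that the token does not already cover."""
    return {s for s in needed if s not in expand(granted)}


def scopes_to_request(granted, needed):
    """Request the union, never just `needed`: as the reply explains, a request
    carrying only the lesser scope replaces the larger set already granted."""
    return set(granted) | missing_scopes(granted, needed)


def authorize_url(client_id, scopes, state):
    """GitHub authorization URL requesting exactly the listed (space-separated) scopes."""
    query = urlencode({"client_id": client_id, "scope": " ".join(sorted(scopes)), "state": state})
    return "https://github.com/login/oauth/authorize?" + query
```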

