New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
GitHub Desktop authentication primarily through browser flow #9231
Comments
This comment has been minimized.
This comment has been minimized.
DesignsTransition stateFor the period of time when we're transitioning, we'll need to emphasize the browser log in flow, while still keeping the normal login flow Welcome screenThis moves all the login options to the first screen, and emphasizes the GitHub.com option. PreferencesThe initial login screen should stay the same: Then on this screen, I flipped the options and emphasized the GitHub.com option. Final stateFor when the transition is complete, and the only option is to login using your browser Welcome screenAfter the transition is complete, we can remove the login fields PreferencesAfter the transition is complete, we can just surface the GitHub.com option directly on this screen. Interstitial pageThe page on dotcom we send you to for the browser login. I left these Help links just as an idea based on other login flows I looked at, so we can change these or remove them entirely if they're not needed. |
This comment has been minimized.
This comment has been minimized.
I'm going to work on this one, by first implementing the transition state designed by @ampinsk |
I shared with @niik today that ideally we would keep the alternative method available until it's actually deprecated so we can use the brownout periods to identify any problems and address them. He shared that ideally we would add support for detecting when dotcom doesn’t support basic auth any more and dynamically enable/disable the username/password flow based on that. That way we’ll adapt during the brownouts and Desktop will automatically adapt to any changes in the deprecation timeline. This sounds like a great approach to me assuming the implementation isn't too complex. @ptoomey3 or @tarebyte: We use the @niik Please feel free to add or correct anything I missed, and if anyone else has questions please don't hesitate to ask. |
TIL |
@ptoomey3 It's possible that the meaning of that property have changed over time but it was originally added specifically for GitHub Desktop (or rather GitHub for Mac/GitHub for Windows) to be able to determine whether we'd have to use the web flow to authenticate. GHfW/GHfM and GHD have relied on it since 2013 but only for GHES. Our API documentation for the property says
|
👍 - I think the bit that felt ambiguous to me was the "Whether authentication with username and password is supported." documentation. It isn't clear authentication to what? One might think "to the API" is obvious/implicit, but wasn't 100% sure since that meta endpoint returns other data totally unrelated to the API itself (ex. SSH server key fingerprints). |
@ptoomey3 Yeah, I think ambiguous is an understatement here and if I hadn't been there for the discussions to add it way back when I wouldn't have been able to make heads or tails of it either. We've just merged #10020 which makes Desktop respect |
Based on #10020 would it be accurate to say that users using basic password auth should upgrade to GitHub Desktop 2.5.4 or later? |
Yes, starting in v2.5.4 GitHub Desktop will disable the user/password authentication once GitHub doesn't support it anymore (note that GitHub Desktop has supported browser-based authentication for quite a long time, but the main way users authenticated was still using user/password). |
GitHub is deprecating and removing the authorizations API, which handles how most users of GitHub Desktop sign into GitHub from the app. We've always had a secondary method of authenticating via the browser, but we'll need to make this the main authentication method going forward.
Considerations
The text was updated successfully, but these errors were encountered: