
[multiuser] Signup with thin scopes for GitHub. #13916

Closed
monaka opened this issue Jul 19, 2019 · 8 comments
Labels
kind/enhancement A feature request - must adhere to the feature request template. lifecycle/stale Denotes an issue or PR has remained open with no activity and has become stale. severity/P2 Has a minor but important impact to the usage or development of the system.

Comments

@monaka
Member

monaka commented Jul 19, 2019

Is your enhancement related to a problem? Please describe.

Currently, users must accept giving the scopes repo, user, write:public_key to Che.
IMO, this is too strong (or risky) for entry users who don't use the full functionality.

Describe the solution you'd like

The best is to enable no scope on their signup/login. (read:user, read:email may be safe.)

And Che asks the logged-in user to add more scope permissions when they are required.

I guess it can be implemented by calling add_scopes via PATCH /authorizations/:authorization_id provided by the GitHub API.

Describe alternatives you've considered

Additional context

@monaka monaka added the kind/enhancement A feature request - must adhere to the feature request template. label Jul 19, 2019
@skabashnyuk
Contributor

@monaka do you know what kind of auth/authorization is required to call PATCH /authorizations/:authorization_id ?

@monaka
Member Author

monaka commented Jul 19, 2019

@skabashnyuk I checked the official document and ...

You can only access this API via Basic Authentication using your username and password, not tokens.

Hmm, my approach won't fit Che.
But I believe there will be another way to do it, because Gitpod does it.
After I approved more scopes, GitHub sent me a mail like this.

[Screenshot 2019-07-19 at 15:19:51: GitHub notification email about the newly approved scopes]

@monaka
Member Author

monaka commented Jul 19, 2019

I inspected Gitpod shallowly. It looks like it just calls https://github.com/login/oauth/authorize with the newly required scopes, redirect_url, and some more parameters.

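The incremental-scope flow described in the comment above, as an added example (not code from Che or Gitpod): log the user in with identity-only scopes, and when a feature needs more, compute the missing scopes and build a fresh authorize URL requesting the union of what is already granted and what is newly needed. The granted set is taken from the X-OAuth-Scopes header GitHub returns on authenticated API responses; the scope-to-feature table, the client id and the redirect URI are assumptions for illustration. Because the user may approve fewer scopes than requested, the code re-checks the header after each round trip rather than trusting the request.

```python
import secrets
from urllib.parse import parse_qs, urlencode, urlparse

GITHUB_AUTHORIZE = "https://github.com/login/oauth/authorize"

# Assumed (hypothetical) scope policy: identity only at signup/login,
# feature-specific scopes requested on demand.
LOGIN_SCOPES = ("read:user", "user:email")
FEATURE_SCOPES = {
    "clone_private_repo": ("repo",),
    "upload_ssh_key": ("write:public_key",),
}


def new_state():
    """Unguessable per-request state, bound to the session and checked on callback."""
    return secrets.token_urlsafe(32)


def build_authorize_url(client_id, redirect_uri, scopes, state):
    """Authorize URL for GitHub's OAuth web flow; scopes are space-separated."""
    query = {
        "client_id": client_id,
        "redirect_uri": redirect_uri,
        "scope": " ".join(dict.fromkeys(scopes)),  # de-duplicate, keep order
        "state": state,
    }
    return f"{GITHUB_AUTHORIZE}?{urlencode(query)}"


def login_url(client_id, redirect_uri, state):
    """First login: only the thin identity scopes from the proposal."""
    return build_authorize_url(client_id, redirect_uri, LOGIN_SCOPES, state)


def granted_scopes(x_oauth_scopes_header):
    """Parse GitHub's X-OAuth-Scopes response header, e.g. 'read:user, user:email'."""
    return frozenset(s.strip() for s in x_oauth_scopes_header.split(",") if s.strip())


def missing_scopes(granted, feature):
    """Scopes the feature needs that the current token does not carry."""
    return [s for s in FEATURE_SCOPES[feature] if s not in granted]


def escalation_url(client_id, redirect_uri, granted, feature, state):
    """None if the token already covers the feature; otherwise a re-authorization
    URL asking for the union of granted and newly required scopes. After the
    callback, re-read X-OAuth-Scopes: the user may grant less than requested."""
    missing = missing_scopes(granted, feature)
    if not missing:
        return None
    return build_authorize_url(client_id, redirect_uri, sorted(granted) + missing, state)


def scopes_in_url(url):
    """The scopes an authorize URL requests, as a list."""
    scope = parse_qs(urlparse(url).query).get("scope", [""])[0]
    return scope.split()


def callback_is_valid(callback_url, expected_state):
    """Accept the callback only if it carries a code and the state we issued."""
    params = parse_qs(urlparse(callback_url).query)
    state = params.get("state", [""])[0]
    return "code" in params and secrets.compare_digest(state, expected_state)


if __name__ == "__main__":
    # Constructed sample: header from a response to GET /user with the login token.
    header = "read:user, user:email"
    state = new_state()
    url = escalation_url("che-client-id", "https://che.example/oauth/callback",
                         granted_scopes(header), "clone_private_repo", state)
    print(url)
```

The PATCH /authorizations route discussed earlier is not used: the escalation is just another trip through the authorize endpoint, which is what the page reports Gitpod doing.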
@rhopp
Contributor

rhopp commented Jul 19, 2019

@skabashnyuk Do you think we should trigger something like this for GA? To me it seems like a nice enhancement, but I'm not sure we should add another enhancement into GA.
Marking this one as sev2 & Che 7.1 milestone for now.

@rhopp rhopp added team/platform severity/P2 Has a minor but important impact to the usage or development of the system. labels Jul 19, 2019
@rhopp rhopp added this to the 7.1.0 milestone Jul 19, 2019
@skabashnyuk
Contributor

> Do you think we should trigger something like this for GA?

No, because we need to figure out if that is possible at all. I mean manipulation of token scopes on the Keycloak side.

@monaka
Member Author

monaka commented Jul 20, 2019

I agree. It's enough to realize it in 7.1.0 or later.

@slemeur slemeur modified the milestones: 7.1.0, 7.x Aug 2, 2019
@slemeur
Contributor

slemeur commented Aug 2, 2019

Downgrading the priority. This is a very good enhancement request which will need to get prioritized, but compared with the other areas that need hardening, this has a lower impact right now.

@che-bot
Contributor

che-bot commented Jan 29, 2020

Issues go stale after 180 days of inactivity. lifecycle/stale issues rot after an additional 7 days of inactivity and eventually close.

Mark the issue as fresh with /remove-lifecycle stale in a new comment.

If this issue is safe to close now please do so.

Moderators: Add lifecycle/frozen label to avoid stale mode.

@che-bot che-bot added the lifecycle/stale Denotes an issue or PR has remained open with no activity and has become stale. label Jan 29, 2020
@che-bot che-bot closed this as completed Feb 5, 2020