Read-Only OAuth Scope on GitHub, Please? #6
We love @github. Our processes all revolve around GitHub.
Naturally by extension, we love the GitHub API, because it allows us to do creative things with GitHub.
So far, we have built a few apps that rely heavily on GitHub's API:
Let's talk about permissions next.
For both deppbot and Dasherize, we require access to both public and private repos.
Looking at GitHub's OAuth scopes, we'll need to use the
Hmm.. But wait a minute.. The
Due to the nature of deppbot, we'll need
However, all Dasherize does is
So isn't it intrusive to require
As a user, I would like all apps to only require the lowest level of permission that they need to operate.
As a developer, I am taking on unnecessary liability when my app has permissions that it doesn't need.
Of course, we are not the first to create apps that use GitHub API, and this has been a common issue for both users and app developers for a while, for example:
By design, GitHub API does not provide any Read-only OAuth scope for public and/or private repos. Once you ask for permissions to either public and/or private repos, you'll get both
There are definitely workarounds, as mentioned in some of the links above:
This means that the app shall only ask for permissions when it requires it.
Let's use @houndci as an example.
When you first sign up, @houndci only asks for access to your email and public repos
Then, it provides you with the option to "Include Private Repos".
Clicking on that, you can now grant @houndci access to both public and private repos
In this way, you only grant @houndci necessary permissions when it requires it.
But this still doesn't solve the problem if my app just requires a
Alternatively, maybe a manual setup of collaborators might help?
When you add a collaborator to a GitHub repo, the collaborator naturally has
What about Teams (for Organization repos only)? Can it grant Read-only permissions?
Yes. That might help!
You can create a special Team in the organization, grant the Team a
Recently, GitHub also added Read-only Deploy Keys, as another option to grant Read-only access to one single repo.
Many are speculating that this will eventually lead to a Read-only OAuth scope. I sure hope so.
In summary, we really hope that @github can provide developers with a Read-only OAuth scope, so that app developers don't have to explain ourselves every time we use the
In both deppbot and Dasherize, we are conscious of our decision in asking for
Thank you for reading.
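The incremental-consent pattern the post describes for @houndci (ask for email and public repos at sign-up, and only request private-repo access when the user opts in), as an added example that is not code from the original post or from deppbot/Dasherize. It assumes GitHub's documented scope names (`user:email`, `public_repo`, `repo`), the standard authorize endpoint and the `X-OAuth-Scopes` response header; the client id and state values are constructed placeholders.

```python
"""Incremental OAuth scope requests against GitHub, plus a check of the
scopes a token actually carries against the scopes the app really uses.
Added example; scope names and endpoint are GitHub's documented ones,
client_id/state values are constructed placeholders.
"""
from urllib.parse import parse_qs, urlencode, urlparse

AUTHORIZE_ENDPOINT = "https://github.com/login/oauth/authorize"

# Minimal scope set for first sign-up: email plus public repos only.
INITIAL_SCOPES = ("user:email", "public_repo")
# Opt-in step: `repo` covers public and private repos, and, as the post
# complains, it still grants write access because no read-only scope exists.
PRIVATE_REPO_SCOPES = ("user:email", "repo")


def authorize_url(client_id: str, scopes: tuple, state: str) -> str:
    """Build the authorize URL for exactly the scopes passed in."""
    query = urlencode({"client_id": client_id,
                       "scope": " ".join(scopes),
                       "state": state})
    return f"{AUTHORIZE_ENDPOINT}?{query}"


def initial_url(client_id: str, state: str) -> str:
    """First consent screen: the smallest scope set the app can work with."""
    return authorize_url(client_id, INITIAL_SCOPES, state)


def include_private_repos_url(client_id: str, state: str) -> str:
    """Second consent screen, built only when the user clicks 'Include Private Repos'."""
    return authorize_url(client_id, PRIVATE_REPO_SCOPES, state)


def scopes_in_url(url: str) -> set:
    """Read back the scopes encoded in an authorize URL (for review/logging)."""
    return set(parse_qs(urlparse(url).query)["scope"][0].split())


def granted_scopes(x_oauth_scopes_header: str) -> set:
    """Parse the comma-separated X-OAuth-Scopes header GitHub returns on API calls."""
    return {s.strip() for s in x_oauth_scopes_header.split(",") if s.strip()}


def excess_scopes(granted: set, needed: set) -> set:
    """Scopes the token holds beyond what the app uses: liability worth reporting."""
    return granted - needed
```

Comparing `granted_scopes()` of a live token against the scopes an app actually exercises is the cheapest way to document the over-grant the post is talking about.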
About Jolly Good Code
Title changed from "Read-Only OAUth Scope on GitHub, Please?" to "Read-Only OAuth Scope on GitHub, Please?" on Oct 20, 2015
This is the first non-doc link from Google I found when searching for how to get a read-only scope.
I agree this is needed; users are going to question why we are asking for write access as well, especially since it's highlighted and there's no way for them to know that we are only asking for it because we have no other option.
Referenced this issue on Jan 3, 2018
+1! I routinely start to set up integrations, then stop halfway because I remember that there's no way to allow an integration read-only access to my GitHub account. Most recent were the Trello and Slack integrations.
The ability to modify code in a repo is basically the highest privilege you could grant, second perhaps only to deleting the repo. Most integrations are convenient tools for bringing GitHub data into other systems. If they need to write data it's probably only comments and PRs. These tools provide a lot of value, but given the security risk of having keys floating around that allow write access to all my repos I sadly have to ignore them all.