New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Read-Only OAuth Scope on GitHub, Please? #6

Open
winston opened this Issue Oct 18, 2015 · 8 comments

Comments

Projects
None yet
9 participants
@winston
Member

winston commented Oct 18, 2015

We love @github. Our processes all revolve around GitHub.

Naturally by extension, we love the GitHub API, because it allows us to do creative things with GitHub.

So far, we have built a few apps that rely heavily on GitHub's API:

  • deppbot
    • A service that does automated dependency updates for Ruby apps, issued as Pull Requests
  • Dasherize
    • A simple dashboard for CI and GitHub stats
  • GitHub Gem Stats
    • A toy app for "Which RubyGems does X use?" and "Which GitHub repo uses Y gem?"

Let's talk about permissions next.

For both deppbot and Dasherize, we require access to both public and private repos.

Looking at GitHub's OAuth scopes, we'll need to use the repo scope.

screen shot 2015-10-16 at 12 21 19 pm

Hmm.. But wait a minute.. The repo scope grants read AND write access to basically everything! Getting read access is probably a must for all apps, but do we need write on everything?

Due to the nature of deppbot, we'll need write permission on public and private repos, so that it can issue Pull Requests when it finishes the dependency update for a project and perform other actions.

However, all Dasherize does is read from public or private repos, and it's not doing any write at all. You can even take a look at the source code to verify that.

So isn't it intrusive to require write permission too? Definitely.

As a user, I would like all apps to only require the lowest level of permission that it needs to operate.

As a developer, I am taking on unnecessary liability when my app has permissions that it doesn't need.

Of course, we are not the first to create apps that use GitHub API, and this has been a common issue for both users and app developers for a while, for example:

By design, GitHub API does not provide any Read-only OAuth scope for public and/or private repos. Once you ask for permissions to either public and/or private repos, you'll get both read and write. What can we do then if we just want Read-only access on GitHub API?

There are definitely work arounds, as mentioned in some of the links above:

Progressive Permissioning

This means that the app shall only ask for permissions when it requires it.

Let's use @houndci as an example.

When you first sign up, @houndci only asks for access to your email and public repos read/write.

screen shot 2015-10-16 at 4 18 16 pm

Then, it provides you with the option to "Include Private Repos".

screen shot 2015-10-16 at 4 19 44 pm

Clicking on that, you can now grant @houndci access to both public and private repos read/write.

screen shot 2015-10-16 at 4 20 19 pm

In this way, you only grant @houndci necessary permissions when it requires it.

But this still doesn't solve the problem if my app just requires a read scope, like Dasherize..

Manual Setup

Alternatively, maybe a manual setup of collaborators might help?

screen shot 2015-10-18 at 3 03 18 pm

Unfortunately not.

When you add a collaborator to a GitHub repo, the collaborator naturally has read and write permissions, and you can't change it.

What about Teams (for Organization repos only)? Can it grant Read-only permissions?

Yes. That might help!

You can create a special Team in the organization, grant the Team a read-only access to the repo,
and now you have a Read-only scope. But in most cases, manual setup is not the best UX experience. 😢

screen shot 2015-10-16 at 4 30 39 pm

Recently, GitHub also added Read-only Deploy Keys, as another option to grant Read-only access to one single repo.

Many are speculating that this eventually lead to a Read-only OAuth scope. I sure hope so.


In summary, we really hope that @github can provide developers with a Read-only OAuth scope, so that app developers don't have to explain ourselves every time we use the repo scope.

In both deppbot and Dasherize, we are conscious of our decision in asking for read write access to public and private repos because we went with the simplest solution for now to validate the ideas. Definitely, we should look into both Progressive Permissing or Manual Setup when the apps get enough traction and feedback from users.

Thank you for reading.

@winston ✏️ Jolly Good Code

About Jolly Good Code

Jolly Good Code

We specialise in Agile practices and Ruby, and we love contributing to open source.
Speak to us about your next big idea, or check out our projects.

@winston winston added the Blog label Oct 18, 2015

@winston winston changed the title from Read-Only OAUth Scope on GitHub, Please? to Read-Only OAuth Scope on GitHub, Please? Oct 20, 2015

@bluta

This comment has been minimized.

Show comment
Hide comment
@bluta

bluta Sep 15, 2016

i would also love to have this - and am now creating a deploy user having only read access to all of our repos needed by our application.
👍

bluta commented Sep 15, 2016

i would also love to have this - and am now creating a deploy user having only read access to all of our repos needed by our application.
👍

@ayurkows

This comment has been minimized.

Show comment
Hide comment
@ayurkows

ayurkows Sep 22, 2016

This is the first non-doc link from google I found when searching for how to get a read only scope.

I agree this is needed, users are going to question why we are asking for write access as well especially since it's highlighted and there's no way for them to know that we are only asking for it because we have no other option.

ayurkows commented Sep 22, 2016

This is the first non-doc link from google I found when searching for how to get a read only scope.

I agree this is needed, users are going to question why we are asking for write access as well especially since it's highlighted and there's no way for them to know that we are only asking for it because we have no other option.

@alexmalik

This comment has been minimized.

Show comment
Hide comment
@alexmalik

alexmalik Feb 24, 2017

I would definitely use this if it was a feature, my app doesn't need the write access that the current repo scope supplies, and as a developer I know I would only want to give the minimum permissions to an app if I were the user of my app.

alexmalik commented Feb 24, 2017

I would definitely use this if it was a feature, my app doesn't need the write access that the current repo scope supplies, and as a developer I know I would only want to give the minimum permissions to an app if I were the user of my app.

@jnieuwhof

This comment has been minimized.

Show comment
Hide comment
@jnieuwhof

jnieuwhof Mar 23, 2017

Plus one on this, breaks principle of least privilege

jnieuwhof commented Mar 23, 2017

Plus one on this, breaks principle of least privilege

@sgen

This comment has been minimized.

Show comment
Hide comment
@sgen

sgen Jul 27, 2017

It looks like this is on the horizon

sgen commented Jul 27, 2017

It looks like this is on the horizon

@ronaldpetty

This comment has been minimized.

Show comment
Hide comment
@ronaldpetty

ronaldpetty May 9, 2018

Can anyone with experience clarify here? I am looking for read only private repo scope, and don't see something like that in roadmap or existing settings. Maybe I am misinterpreting what was stated above.

ronaldpetty commented May 9, 2018

Can anyone with experience clarify here? I am looking for read only private repo scope, and don't see something like that in roadmap or existing settings. Maybe I am misinterpreting what was stated above.

@deftio

This comment has been minimized.

Show comment
Hide comment
@deftio

deftio Jul 18, 2018

I have the same question. When an outside org such as Travis or BlackDuck or whatever wants access to my public repos I just want to give them read access so they can do their thing. I don't see why I would want to give them write access so how do I set that up?

deftio commented Jul 18, 2018

I have the same question. When an outside org such as Travis or BlackDuck or whatever wants access to my public repos I just want to give them read access so they can do their thing. I don't see why I would want to give them write access so how do I set that up?

@BernieSumption

This comment has been minimized.

Show comment
Hide comment
@BernieSumption

BernieSumption Jul 26, 2018

+1! I routinely start to set up integrations, then stop half way because I remember that there's no way to allow an integration read-only access to my GitHub account. Most recent was the Trello and Slack integrations.

The ability to modify code in a repo is basically the highest privilege you could grant, second perhaps only to deleting the repo. Most integrations are convenient tools for bringing GitHub data into other systems. If they need to write data it's probably only comments and PRs. These tools provide a lot of value, but given the security risk of having keys floating around that allow write access to all my repos I sadly have to ignore them all.

BernieSumption commented Jul 26, 2018

+1! I routinely start to set up integrations, then stop half way because I remember that there's no way to allow an integration read-only access to my GitHub account. Most recent was the Trello and Slack integrations.

The ability to modify code in a repo is basically the highest privilege you could grant, second perhaps only to deleting the repo. Most integrations are convenient tools for bringing GitHub data into other systems. If they need to write data it's probably only comments and PRs. These tools provide a lot of value, but given the security risk of having keys floating around that allow write access to all my repos I sadly have to ignore them all.

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment