-
Notifications
You must be signed in to change notification settings - Fork 362
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
[GitHub] Set JH user's email with non-public email if needed and granted scope to do so #442
Conversation
This allows emails to be read and set in the state dictionary when scope is authorized. closes jupyterhub#438
Thanks for submitting your first pull request! You are awesome! 🤗 |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Thank you @satra for working on this! ❤️ 🎉
Overall I think this make sense! There are some technical details I'd hope to get implemented in a robust way directly in this PR as I believe this PR is going to lead the way for additional PRs and become a pattern to make further use of the /user endpoint that returns more details about the user.
Suggested changes
- Include
user
alongisdeuser:email
in the check to decide if collecting additional information from the user endpoint is relevant. - I'd like the comment on line 194-195 to reflect the difference between the single public email, and the plural private emails
- I'd like to know this is at least manually tested against a user with multiple private emails registered, and that we understand the return value in those circumstances. Based on the code it seems like we get a primary email, then I think the action point I ask for is to clarify that while
user:email
provides info about all emails, we only use the primary email. - Update PR description to include mentioning of https://docs.github.com/en/developers/apps/building-oauth-apps/scopes-for-oauth-apps#available-scopes as a reference about this
Open questions
self.scope
is checked, but I think this is what the user has requested, not what was granted. Is there a point where we update self.scope
(the server's spawner object's scope field) or where we keep track of the granted scopes vs the requested scopes?
There is no point for us to make a request if the granted scope lacks permissions, so can we acquire the granted scopes from the response when we get the token to call the /user endpoint perhaps?
@consideRatio - changing the logic to first check if public email is set, and relying on HTTP error rather than scope to set the email. i could not figure out a way to determine what scopes were granted, and it seemed simpler to rely on the endpoint. |
nevermind, found how to get scopes. so the current state should cover your comments. |
Co-authored-by: Erik Sundell <erik.i.sundell@gmail.com>
Co-authored-by: Erik Sundell <erik.i.sundell@gmail.com>
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
This looks great! Thanks for your thorough work @satra! This will be included in 14.1.0 release coming this week I hope.
This allows emails to be read and set in the state dictionary when scope is authorized.
closes #438
Related references
The
scope
field in the JSON response when acquiring the access token is not always present it seems.