Why does Github login ask for so much info?


(Paolo G. Giarrusso) #1

If I try to log in with Github, Discourse asks for a hell of a lot of authorizations (including my list of followers, which it certainly doesn’t need). In comparison, logging in with Google asks for just my basic profile and email.

I actually guess it’s in fact all public information - but it still looks scary. Is this something Discourse can change, or should I file an issue with Github about their interface design?

Or is this about using OAuth instead of OpenID, which is actually designed for login?


(Kevin P. Fleming) #2

This is driven by GitHub, not Discourse.


(Erlend Sogge Heggen) #3

Doesn’t Discourse play a part in which permissions it’s asking for from the GitHub OAuth though?


(Michael John Kirk) #4

Discourse is just using the omniauth-github plugin

Based on that code, I’m not immediately sure why it’s requesting your list of followers.


(Sam Saffron) #5

We are really only asking for email:

Perhaps @chrishunt can clue us up to what we are doing wrong here :slight_smile:


(Paolo G. Giarrusso) #6

TL;DR. The problem must then be with the Github interface, showing all the public information you can learn once you know my username. If you don’t even get access to that, then it’s a functional bug.

I saw the same permission requests when setting up login with an instance of Jenkins (an integration server).

For instance, you can learn about my followers as soon as you get my Github username, since that’s public information once you know the username. For example, see



(Chris Hunt) #7

All public info is available on the API, even with no scope specified. The scopes are used to grant additional access. In this case, we need the email address (which is not public), so the user:email scope is necessary. Notice that everything is marked as read-only.

http://developer.github.com/v3/oauth/#scopes

  • (no scope) public read-only access (includes public user profile info, public repo info, and gists)
  • user:email Read access to a user’s email addresses.

I agree the interface can be a bit confusing, but the info is public, so it’s not a lie. Discourse can fetch your follower list if it wanted to (or your public gists, or public repo list), so it’s probably best to show that info on the permissions screen rather than hide it.
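An added example (mine, not Discourse’s or the omniauth-github gem’s code) of the least-privilege check this post implies: build the GitHub authorize URL with only the user:email scope, then verify both the scopes requested in the URL and the scopes GitHub reports as granted on the token against that allowlist. The client id, callback URL and scope lists are placeholders and assumptions.

```ruby
require "uri"
require "cgi"
require "securerandom"

GITHUB_AUTHORIZE = "https://github.com/login/oauth/authorize"
# Assumption: a login-only flow needs nothing beyond the (non-public) email.
LOGIN_SCOPES = ["user:email"].freeze

# Build the authorize URL with an explicit, minimal scope parameter.
def authorize_url(client_id, redirect_uri, scopes = LOGIN_SCOPES, state = SecureRandom.hex(16))
  params = { "client_id" => client_id, "redirect_uri" => redirect_uri,
             "scope" => scopes.join(" "), "state" => state }
  "#{GITHUB_AUTHORIZE}?" + URI.encode_www_form(params)
end

# Scopes a given authorize URL asks for (GitHub accepts space- or comma-separated lists).
def requested_scopes(url)
  query = URI.parse(url).query.to_s
  scope = CGI.parse(query).fetch("scope", [""]).first
  scope.split(/[\s,]+/).reject(&:empty?)
end

# Scopes beyond the allowlist. The broader "user" scope is flagged even though it
# includes user:email, because it also grants profile write and follow access.
def excess_scopes(scopes, allowed = LOGIN_SCOPES)
  scopes - allowed
end

# After the code-for-token exchange, GitHub reports what the token can actually do
# in the X-OAuth-Scopes response header (comma-separated); check that as well.
def granted_scopes(headers)
  header = headers.find { |name, _| name.downcase == "x-oauth-scopes" }
  return [] unless header
  header[1].split(",").map(&:strip).reject(&:empty?)
end

# True when the issued token carries no scope outside the allowlist.
def token_within_policy?(headers, allowed = LOGIN_SCOPES)
  excess_scopes(granted_scopes(headers), allowed).empty?
end
```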


(Paolo G. Giarrusso) #8

That’s what I suspected, so I guess I should talk with Github, as I feared:

Man, how do I miss an issue tracker for Github. And yes, I know I’m nitpicking.


(Jeff Atwood) #9

I think this is now fixed? We now request and get a validated email as well.


(Sam Saffron) #10

Confirmed, this is now totally fixed.

Sadly we are on a forked gem while omniauth-github decides the fate of our PR.


#11

Sorry for the bump… I was just curious to know if this fork is still needed.

Just out of curiosity and maybe an easy excuse to open a PR and start contributing :smiley:


(Sam Saffron) #12

Not sure, @riking, did they ever sort it out?


(Kane York) #13

Well, #48 was merged so I think so, yes.