Problem/Motivation

Currently the default scopes requested are user and user:email, which issues a token with write access to the user's account. This is likely a historical curio as I imagine these scopes were required at some point to get the necessary user data for authentication. Now, however, read:user is available and presents the user a much less scary (and more appropriate for social auth) approval page.

Steps to reproduce

n/a

Proposed resolution

Change default scope to read:user, and provide an upgrade path with note for existing sites so as to not break current integrations depending on the existing scopes.

Remaining tasks

Maintainer review.

User interface changes

API changes

Data model changes

Default scopes changed with upgrade path.


Comments

bradjones1 created an issue. See original summary.

bradjones1 commented:

Status: Active » Needs review

bradjones1 commented:

wells commented:

The email is required (sort of?) for user authentication -- see GitHubAuthController.php#L87. It's unclear to me from the documentation -- does this scope still provide access to the email?

bradjones1 commented:

Status: Needs review » Needs work

> It's unclear to me from the documentation -- does this scope still provide access to the email?

It is a bit unclear - let me double-check this.

bradjones1 commented:

Title: Only request read:user scope by default » Only request user:email scope by default
Status: Needs work » Needs review

So the answer here is yes, it does include email... but that begs the question, do we even need the broader scope or just the email?

Below is an example of the response for my account with the user:email scope, and it's more than sufficient for social auth because it includes other public info:

{
  "login": "bradjones1",
  "id": 981966,
  "node_id": "redacted",
  "avatar_url": "https://avatars.githubusercontent.com/u/981966?v=4",
  "gravatar_id": "",
  "url": "https://api.github.com/users/bradjones1",
  "html_url": "https://github.com/bradjones1",
  "followers_url": "https://api.github.com/users/bradjones1/followers",
  "following_url": "https://api.github.com/users/bradjones1/following{/other_user}",
  "gists_url": "https://api.github.com/users/bradjones1/gists{/gist_id}",
  "starred_url": "https://api.github.com/users/bradjones1/starred{/owner}{/repo}",
  "subscriptions_url": "https://api.github.com/users/bradjones1/subscriptions",
  "organizations_url": "https://api.github.com/users/bradjones1/orgs",
  "repos_url": "https://api.github.com/users/bradjones1/repos",
  "events_url": "https://api.github.com/users/bradjones1/events{/privacy}",
  "received_events_url": "https://api.github.com/users/bradjones1/received_events",
  "type": "User",
  "site_admin": false,
  "name": "Brad Jones",
  "company": null,
  "blog": "",
  "location": "USA",
  "email": "brad@bradjones.name",
  "hireable": true,
  "bio": "Web (mostly PHP ecosystem) and DevOps developer.\r\n\r\nCTO at Fruition.",
  "twitter_username": "bradrjones",
  "public_repos": 107,
  "public_gists": 9,
  "followers": 12,
  "following": 15,
  "created_at": "2011-08-15T21:00:22Z",
  "updated_at": "2021-06-25T23:30:11Z"
}
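As an added illustration of the scope question discussed above (this is not code from the module or from the thread): a small Python sketch that reads the comma-separated scope list GitHub returns with an access token, flags anything beyond user:email, and pulls only the identity fields social auth needs from a constructed /user payload modelled on the one shown above. The placeholder token, the sample user data and all function names are assumptions.

```python
import json

# Least-privilege default this issue settles on: user:email alone.
REQUIRED_SCOPES = {"user:email"}
# Old default; "user" additionally grants write access to the profile.
LEGACY_SCOPES = {"user", "user:email"}

# Constructed sample of GitHub's access-token response (placeholder token).
TOKEN_RESPONSE = {
    "access_token": "gho_PLACEHOLDER",
    "scope": "user,user:email",
    "token_type": "bearer",
}

# Constructed /user payload, trimmed to the fields social auth reads.
USER_RESPONSE = json.loads("""{
  "login": "example-user", "id": 424242, "type": "User",
  "avatar_url": "https://avatars.githubusercontent.com/u/424242?v=4",
  "name": "Example User", "email": "user@example.com"
}""")


def parse_granted_scopes(token_response: dict) -> set:
    """GitHub returns the granted scopes as a comma-separated 'scope' string."""
    raw = token_response.get("scope", "")
    return {s.strip() for s in raw.split(",") if s.strip()}


def excess_scopes(token_response: dict, required: set = REQUIRED_SCOPES) -> set:
    """Scopes the token carries beyond what login needs; a non-empty result
    means the consent screen asked the user for more than identity data."""
    return parse_granted_scopes(token_response) - required


def profile_from_user_response(user: dict) -> dict:
    """Extract only the identity fields social auth needs. Fails closed when
    no email is present: the caller should then query GET /user/emails
    (also covered by user:email) rather than create an account without one."""
    email = user.get("email")
    if not email:
        raise ValueError("no email in /user response; fall back to /user/emails")
    return {
        "id": user["id"],
        "login": user["login"],
        "name": user.get("name") or user["login"],
        "email": email,
        "avatar_url": user.get("avatar_url"),
    }


if __name__ == "__main__":
    print("excess scopes:", excess_scopes(TOKEN_RESPONSE))  # {'user'}
    print(profile_from_user_response(USER_RESPONSE))
```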

  • wells committed 61e023d on 3.x authored by bradjones1
    Issue #3220640: Only request read:user scope by default
    
wells commented:

Status: Needs review » Fixed

Merged! Thanks for your efforts reaching this and creating the MR.

Status: Fixed » Closed (fixed)

Automatically closed - issue fixed for 2 weeks with no activity.