[jrochkind1]

> Currently, when you authenticate with GitHub using OAuth, we request repo scope… As GitHub OAuth integration is designed, it provides us with greater access than we need to get the integration working.

> In an effort to improve the security model of the integration, we are exploring additional enhancements in partnership with GitHub…

Github permissions possibilities continually confuse me, but integrations are always asking for more github permissions than I really want to give them, more than it seems like they should need for the integration; I'm never clear in an individual case if this is because they are doing it wrong, or because github doesn't offer granular enough permissions. Some vendors with integrations in the past, when I've complained, have _claimed_ it's because github does not offer any more granular permission that includes what they need.

This announcement still leaves it unclear which it was in this case.

I wonder if the fallout of this thing will result in github fixing whatever it is about their permissions system that is leading to integrations asking for and getting more permissions than should be required?

I have seen most blame over this kerfuffle focused on heroku, but I suspect github's too blunt integration permissions could use some ire, which might help motivate Microsoft/github to improve things.

[josegonzalez]

Having integrated with Github before - for providing OAuth and pulling private repositories - I will say that they've never really had fine-grained permissions. The scopes are here[1] and from what I can tell, I can't ask for private repo access to a _specific_ repository for a given OAuth token. Maybe this is different for a Github App, but just quickly browsing through their docs, I don't think this is the case either.

    - [1] https://docs.github.com/en/developers/apps/building-oauth-apps/scopes-for-oauth-apps

[taejavu]

Any idea how Netlify does it? There I can only select from the repos I have granted access to, and if I want to add a new one I click "Configure the Netlify app on GitHub", which opens a window where I can choose which repos to allow access to. Always wondered how that works.

[NoahKAndrews]

They made a GitHub app, which is different from OAuth.

[vorador]

They actually give you fine-grained permissions, down to the single repo access level – but only if you build a Github app. OAuth app don't offer that unfortunately and I assume are considered a bit "legacy".

[glenngillen]

The whole GitHub permission/scope areas has been a big issue for a lot of 3rd party developers for a very long time now: https://github.com/dear-github/dear-github/issues/113

[jrochkind1]

I wonder if these security incidents will encourage them to improve it?

[memset]

Apps let a user specify the specific repos that one can have access to. That’s what we use for our company, tasker.sh.

Furthermore, we basically only ask for the one “mandatory” permission - there are scores of perms you could request when authorizing an app - and that’s just read only access to the code.

[Serow225]

yes, the OAuth scopes are way way too coarse. Even to the point of not being able to separate readonly vs R/W.

GitHub apps are indeed noticeably better. But that doesn’t always help

[tedivm]

I've written a few open source github apps and I've always had to ask for more permissions than I really want simply because Github does not have good enough controls.

[tr1ll10nb1ll]

Currently facing issues with this. I'm having to ask for more permissions than I need. For instance, to access:

  read:org

(need this to list all repos of an org user is in/has created), I need the-

  admin:org

scope which gives me access to, "fully manage the organization and its teams, projects, and memberships."

So yes, definitely not fine-grained permissions I'd say. Useful in recklessly adding more features just because you have access to more data tho haha.