Hacker News new | ask | show | jobs
Ask HN: GitHub login for B2D service?
4 points by bstahlhood 4600 days ago
I have been working on a B2D service. Right now my only login method is GitHub. I thought it made sense, since most seem to be using GitHub for their projects. It will use GitHub as a way to help add services to your development projects.

I wanted to know if this a bad way to go? Should I allow a native login? Various login types?

Thank you for your time and feedback on this issue.
1 comments
cookrn 4600 days ago
I don't have too much specific feedback, but I know one thing that has irked me in the past (and irked users of services I've worked on) is when the OAuth permissions requested are very broad. For example, why request "write" access to a resource if you don't need it? In other words, ask for the bare minimum permissions from the user that your app may require to function.

What stack are you developing in? Maybe there's a solution like https://github.com/intridea/omniauth available that you could utilize if applicable.

Hope that's helpful and good luck :)

link
bmelton 4600 days ago
Having written a couple of Github-based applications, Github permissions are fairly non-granular. My specific complaint with Github oAuth permissions is that if I want read access to private repositories (which I already feel guilty asking for, but genuinely need) I must also request write access (which I have completely no need for, and am uncomfortable having).

You're completely correct in that asking for unnecessary permissions is gauche, but with Github specifically, they make it nearly impossible to be a responsible custodian. It's quite bothersome, and to the extent that I've written an application that I think could have a moderate revenue stream if I released to the world, but I only use it for myself exclusively because I am that uncomfortable asking for write permissions on private repos that I don't need or want.

link
bstahlhood 4599 days ago
Yeah that is my problem too. GitHub seems like a natural fit for a B2D service, but the permissions is a problem. I don't want to piss of devs.
link
bmelton 4599 days ago
Pissing off devs is bad, but yeah, my main thing is that securing a website and database is hard enough, but fairly easy to mitigate.

If an attacker could gain write access to a customer's private repositories though, I feel like that would make an otherwise unattractive service far more of a target.

You're dead on though -- I've wanted to use Github oAuth for at least five different dev-oriented projects, but their permission system just makes it impossible.

link