Why the OAuth GitHub scope was changed

Maybe you have already noticed that the scope requested in the OAuth process with GitHub has changed. In the beginning VersionEye asked for access to private repositories directly at signup. Many people didn't like that, because they didn't want to give access to their private repositories. Because of that user feedback the process was changed: at signup VersionEye asked only for the weakest scope, which doesn't give access to private repositories, only to public ones. Afterwards it was possible to grant VersionEye access to private repositories separately. Unfortunately this process leads to problems for paying customers who use VersionEye to monitor private repositories.

Here is the use case which leads to problems. Assume you sign up at VersionEye for the very first time. The code behind the "Login with GitHub" button looks like this:

page_view('ga_login_with_github'); document.location.href='https://github.com/login/oauth/authorize?client_id=50fb47103b8a3f03b2cd&scope=user:email';

This redirects you to GitHub, where you have to allow the VersionEye GitHub App to access your repositories. You confirm and are redirected back to VersionEye, where you are now logged in. Next you would like to monitor some private repositories. You purchase a monthly subscription and grant VersionEye access to your private repositories. So far so good.

Now you log out from VersionEye, for whatever reason. A couple of days later you log in again, or you log in on a different device or browser. To log in you use the "Login with GitHub" button, which has this code:

page_view('ga_login_with_github'); document.location.href='https://github.com/login/oauth/authorize?client_id=50fb47103b8a3f03b2cd&scope=user:email';

It redirects you to GitHub and requests a new token with the scope "user:email". The callback controller on VersionEye stores the new token with your user account. The problem is that this new token is only valid for public repositories, because "user:email" does not include the "repo" scope. The background workers will try to update your private repositories, but that fails because the current token doesn't grant access to private repositories.

Some of the paying customers complained that their VersionEye project was not updating and not fetching the current files from their private GitHub repositories. To keep the paying customers happy, the OAuth GitHub scope for the login button was changed to "repo,user:email".
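The root cause above is that the callback blindly overwrites a "repo"-scoped token with a "user:email"-scoped one. The following is an added example, not VersionEye's own code, of callback-side logic that refuses such a downgrade: it parses the scope string GitHub returns with a token, expands it using a partial excerpt of GitHub's documented scope hierarchy (an assumption; the table must be kept in sync with GitHub's scope list), and keeps the stored token whenever the fresh one would drop permissions. The token objects, the "state" nonce and the client id are constructed placeholders.

```javascript
// Added example (not VersionEye's code): avoid silently downgrading a user's
// stored GitHub OAuth token when a later login round-trip asks for fewer scopes.

// Partial excerpt of GitHub's scope hierarchy (assumption: extend as needed).
const IMPLIED_SCOPES = {
  repo: ['repo:status', 'repo_deployment', 'public_repo', 'repo:invite'],
  user: ['read:user', 'user:email', 'user:follow'],
  'write:org': ['read:org'],
  'admin:org': ['write:org', 'read:org'],
};

// Expand a scope list into the full set of permissions it grants.
function expandScopes(scopes) {
  const out = new Set();
  const stack = [...scopes];
  while (stack.length) {
    const s = stack.pop();
    if (out.has(s)) continue;
    out.add(s);
    for (const child of IMPLIED_SCOPES[s] || []) stack.push(child);
  }
  return out;
}

// Parse the `scope` field of GitHub's token response ("repo,user:email")
// or the X-OAuth-Scopes response header ("repo, user:email").
function parseScopes(raw) {
  return (raw || '').split(/[,\s]+/).map((s) => s.trim()).filter(Boolean);
}

// true if every permission in `needed` is granted by `granted`.
function covers(granted, needed) {
  const have = expandScopes(granted);
  return [...expandScopes(needed)].every((s) => have.has(s));
}

// Callback-side decision: persist the fresh token only if it grants at least
// everything the stored token does; otherwise keep the stored one.
function chooseToken(stored, fresh) {
  if (!stored) return { token: fresh, reason: 'first token for this account' };
  if (covers(fresh.scopes, stored.scopes)) {
    return { token: fresh, reason: 'fresh token covers all previously granted scopes' };
  }
  return { token: stored, reason: 'fresh token would drop scopes; keeping stored token' };
}

// Build the authorize URL for a chosen scope list (comma-separated, as in the
// post's own URL). `state` is the standard OAuth CSRF nonce that the callback
// must compare against the user's session; the caller supplies it.
function buildAuthorizeUrl(clientId, scopes, state) {
  const u = new URL('https://github.com/login/oauth/authorize');
  u.searchParams.set('client_id', clientId);
  u.searchParams.set('scope', scopes.join(','));
  u.searchParams.set('state', state);
  return u.toString();
}

// The scenario from the post, with constructed token values: the user first
// upgraded to "repo,user:email", then logged in again with only "user:email".
function demo() {
  const upgraded = { value: 'gho_constructed_1', scopes: parseScopes('repo,user:email') };
  const relogin = { value: 'gho_constructed_2', scopes: parseScopes('user:email') };
  return chooseToken(upgraded, relogin); // keeps gho_constructed_1
}

console.log(demo());
console.log(buildAuthorizeUrl('CLIENT_ID_PLACEHOLDER', ['user:email'], 'NONCE_PLACEHOLDER'));
```

With this check in place the login button can keep asking for the minimal "user:email" scope for everyone, and only users who explicitly upgraded ever hold a "repo"-scoped token. If a product needs the fresh token to also carry the old permissions (for example to rotate it), the callback can instead redirect once more to the authorize URL with the union of both scope lists rather than always requesting "repo" up front.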

Not sure if that is the best solution. I'm open to suggestions and better solutions.

One thought on "Why the OAuth GitHub scope was changed"

  1. I think I understand the problem. Maybe you could have two different buttons for GitHub login, or maybe if the users click on the GitHub login button, they could select which scope to use on an intermediate page (and save this choice in a cookie).
    I realize that this is kind of a tricky problem and that a UX expert should be involved. But I think something should be done, because you shouldn't be forcing users to open their private repos.
