Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Oauth scope (permissions) during github integration are excessive #2059

Open
brandonfranzke opened this issue Jan 23, 2024 · 3 comments
Open

Oauth scope (permissions) during github integration are excessive #2059

brandonfranzke opened this issue Jan 23, 2024 · 3 comments
Labels
Priority: Medium Type: Enhancement

Comments

@brandonfranzke
Copy link

brandonfranzke commented Jan 23, 2024
edited
Loading

I am testing github integration for several Autolab courses. Autolab is latest -- v2.12.0.

Docs claim a minimal set of permissions:

Git Submission works by having students performing OAuth with your Github
application in order to be granted access to access their private repositories.
Only the minimum set of permissions to achieve this is requested.

https://docs.autolabproject.com/features/git-submission/

But when I attempt to connect my git account with Oauth I am presented with an authorization request which looks like:

Repositories
Public and private
This application will be able to read and write all public and private repository data. This 
includes the following:

Code
Issues
Pull requests
Wikis
Settings
Webhooks and services
Deploy keys
Collaboration invites

Note: In addition to repository related resources, the repo scope also grants access to 
manage organization attributes and organization-owned resources including projects, 
invitations, team memberships and webhooks. This scope also grants the ability to 
manage projects owned by users.

Is this the intended "minimum set of permissions" to pull the tgz -- Read/Write/Manage looks like administrator scope at my organization level, *.*

I tested with a newly created non associated GitHub account just in case there was weirdness with the Oauth app and requesting user being in the same organization. Same result.

What permissions should this be requesting? Is there some flag or configuration I need to change to achieve a minimal permission request? Is there something I need to change about the GitHub app itself?
@brandonfranzke brandonfranzke changed the title Oauth permissions for github integration are excessive Oauth scope (permissions) during github integration are excessive Jan 23, 2024
@brandonfranzke
Copy link
Author

brandonfranzke commented Jan 23, 2024
edited
Loading

Upon investigation, may that truly is the minimal permission level -- wow

https://docs.github.com/en/apps/oauth-apps/building-oauth-apps/scopes-for-oauth-apps

Any estimate for level of work to use personal access tokens?

https://github.com/settings/personal-access-tokens/new

https://docs.github.com/en/rest/orgs/personal-access-tokens?apiVersion=2022-11-28

Based on https://github.com/octokit/octokit.rb:

It looks like its just a 1-for-1 replacement with the existing OAtuth token. So even just a user field to "update" token might work, but it would be even better -- given the security implications -- to simply prompt -- "Personal Access Token" or "Oauth" (understand its not so simple in implementation, especially user facing.

@jlge
Copy link
Contributor

jlge commented Jan 24, 2024
edited
Loading

Thanks for the feature request! This is definitely a possibility we could look into—we'd need to integrate Github Apps to allow for more fine grained access so that would require some work on that end.

@brandonfranzke brandonfranzke mentioned this issue Jan 26, 2024
Open
6 tasks
@damianhxy
Copy link
Member

Related PRs #2060 #2061 -- to examine and adapt

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Assignees
No one assigned
Labels
Priority: Medium Type: Enhancement
Projects
None yet
Milestone
No milestone
Development

No branches or pull requests
3 participants
@damianhxy @brandonfranzke @jlge