This repository has been archived by the owner on Apr 17, 2023. It is now read-only.

Github OAuth permissions too demanding #1790

Closed
joshsouza opened this issue Apr 18, 2018 · 4 comments

Comments

@joshsouza

Description

When enabling the Github OAuth integration, Portus requests:

  • Read org and team membership (Sensible)
  • Update all user data (Overly permissive)

Can we either get documentation on why Portus needs to have access to write user data (this can include things like SSH keys, which is a potential security problem), or can it be adjusted to be read-only, and only use the minimum necessary for authentication?

Steps to reproduce

  1. Enable GitHub OAuth integration
  2. Log in using GitHub integration for the first time
  3. Observe the requested permissions
  • Expected behavior: I expect only read access to org/team/user data
  • Actual behavior: Write access to user data requested

Portus version: 2.3.1@a4ca664b9c30c7a464296297d1868ba301d791cf

@Vad1mo
Contributor

Vad1mo commented Apr 18, 2018

This is currently requested:

{ scope: "user,read:org" }

Looking at the docs:
read:org | Read-only access to organization, teams, and membership. This is mandatory for providing access to only certain members in a group.

Regarding the user scope, we might get away with read:user and/or user:email if one or both are needed.
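To make the least-privilege point in this thread checkable, here is an added Ruby example (not Portus code and not Vad1mo's) that audits an omniauth-github scope string against the scopes the app actually needs. The scope hierarchy it encodes is an assumption covering only the scopes named in this issue.

```ruby
# Added example, not Portus code: audit an OmniAuth GitHub scope string
# against the least-privilege set the application really needs.
# GitHub scopes are hierarchical: "user" implies "read:user" and
# "user:email" (plus write access to the profile), while "read:org" is
# the read-only subset of "write:org"/"admin:org".  SCOPE_CHILDREN is an
# assumed, partial map limited to the scopes discussed in this issue.
SCOPE_CHILDREN = {
  "user"      => %w[read:user user:email],
  "admin:org" => %w[write:org],
  "write:org" => %w[read:org],
}.freeze

# Heuristic for the scopes above: a scope grants write access unless it
# is explicitly read-only ("read:*") or is the read-only "user:email".
def write_scope?(scope)
  !scope.start_with?("read:") && scope != "user:email"
end

# A scope plus every scope it implies, recursively.
def implied_scopes(scope)
  [scope] + SCOPE_CHILDREN.fetch(scope, []).flat_map { |c| implied_scopes(c) }
end

# "user,read:org" (omniauth-github scope syntax) -> ["user", "read:org"]
def parse_scopes(scope_string)
  scope_string.split(/[\s,]+/).reject(&:empty?).uniq
end

# Compare what is requested with what is needed.
#   :missing       needed scopes that nothing requested covers
#   :excess        requested scopes broader than any needed scope
#   :write_access  requested scopes that allow writes
def audit_scopes(requested:, needed:)
  req     = parse_scopes(requested)
  covered = req.flat_map { |s| implied_scopes(s) }
  {
    missing:      needed - covered,
    excess:       req.reject { |s| needed.include?(s) },
    write_access: req.select { |s| write_scope?(s) },
  }
end

if __FILE__ == $PROGRAM_NAME
  needed = %w[read:user user:email read:org]
  puts "before: #{audit_scopes(requested: 'user,read:org', needed: needed)}"
  puts "after:  #{audit_scopes(requested: 'read:user,user:email,read:org', needed: needed)}"
end
```

Run against the scope string from this issue, the audit flags `user` as both excess and write-capable, and reports nothing once it is replaced by `read:user,user:email`.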

@joshsouza
Author

It'd be great if we could update it to just read:user and user:email. Definitely would appease our security reviewers.

mssola added a commit to mssola/Portus that referenced this issue Apr 27, 2018
We didn't need `user`, but just `read:user` and `user:email`.

Fixes SUSE#1790

Signed-off-by: Miquel Sabaté Solà <[email protected]>
mssola added a commit that referenced this issue Apr 27, 2018
We didn't need `user`, but just `read:user` and `user:email`.

Fixes #1790

Signed-off-by: Miquel Sabaté Solà <[email protected]>
@mssola
Collaborator

mssola commented Apr 27, 2018

@joshsouza fixed with #1800 and cherry-picked into the v2.3 branch (we will roll out these changes into the Docker image shortly). Thanks for noticing these kinds of things 👍

@joshsouza
Author

Thanks for the quick response!
