Authorizing users via GitHub app, missing user emails.

We’ve recently switched from an OAuth app to a GitHub app for everything, including authenticating in.

We noticed that most of the time the user email comes in as nil/undefined. Not all, however, but the majority.

Anyone have an idea of why we could be missing user emails? Do we need a certain setting enabled in our GitHub app configuration? Or do emails not get exposed when a user authenticates with our GitHub app? If so, what can we do to regain access to emails?

There’s an “Emails” entry in the GitHub App settings under “Permissions & events” -> “User permissions”. I think you should set it to read-only.

Thanks for the reply! I believe the “Emails” permission setting is for accessing user emails via the API call.

To clarify, I’m talking about when the user first authorizes/signs in via the GitHub app, there’s information about the user we get from GitHub (in our case, omniauth.auth in the Rails request hash). What’s odd is we still get emails for some users after the login, but for most, emails are missing. This seems to have started happening after we switched from OAuth app to GitHub app (early June, if some additional GitHub feature was released at that time).

I also noticed that GitHub now has a Keep my email address private setting in but it seems to be unchecked (by default?), unless the user takes action. I suspect that isn’t the cause, as it’s unlikely most of our users enabled that option suddenly.

If anyone comes across this, I got some help from GitHub via another channel. Here’s the gist:

The omniauth-github gem that I’m using is depending on OAuth scopes to determine if it should ask for user emails:

```ruby
# True only when the configured OAuth scope list includes an email-granting scope.
def email_access_allowed?
  return false unless options['scope']
  email_scopes = ['user', 'user:email']
  scopes = options['scope'].split(',')
  (scopes & email_scopes).any?
end
```

If it doesn’t find the OAuth scope, it relies on the email found in the user profile, which is a different user setting that defaults to not selected. A workaround to this would be to configure omniauth to request the user:email scope. It will be ignored by GitHub as GitHub Apps don’t use scopes, but it would trigger omniauth to hit the user/emails API. Still need to request the user emails permission mentioned in this forum post.

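The lookup described in the last post, as an added Ruby example that is not part of the thread and is not the omniauth-github source: it models why the email is nil without a configured scope and where it comes from once `user:email` is set. `resolve_email`, `primary_verified_email`, the sample data and the choice to accept only a primary, verified address are assumptions made for illustration.

```ruby
EMAIL_SCOPES = ['user', 'user:email'].freeze

# Same check as the snippet quoted in the post, with options passed in explicitly.
def email_access_allowed?(options)
  return false unless options['scope']
  (options['scope'].split(',') & EMAIL_SCOPES).any?
end

# Assumption: only a primary AND verified address is trusted for sign-in,
# so an unverified address is never used to match an account.
def primary_verified_email(emails)
  entry = emails.find { |e| e['primary'] && e['verified'] }
  entry && entry['email']
end

# profile:      stand-in for the user profile; 'email' is nil unless the
#               user chose to show a public email.
# fetch_emails: callable standing in for the user/emails API call, which
#               needs the "Emails" read-only user permission on the GitHub App.
def resolve_email(options, profile, fetch_emails)
  return profile['email'] unless email_access_allowed?(options)
  primary_verified_email(fetch_emails.call)
end

# Constructed sample data (not real accounts).
PROFILE = { 'login' => 'octo-example', 'email' => nil }.freeze
EMAILS = [
  { 'email' => 'old@example.com',  'primary' => false, 'verified' => true },
  { 'email' => 'new@example.com',  'primary' => true,  'verified' => true },
  { 'email' => 'typo@example.com', 'primary' => false, 'verified' => false }
].freeze
FETCH = -> { EMAILS }

if __FILE__ == $PROGRAM_NAME
  # No scope configured: falls back to the (empty) profile email.
  p resolve_email({}, PROFILE, FETCH)
  # Scope configured: the emails list is consulted instead.
  p resolve_email({ 'scope' => 'user:email' }, PROFILE, FETCH)
end
```

In a Rails app the corresponding change is the `scope: 'user:email'` option on the `provider :github` line of the OmniAuth initializer.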