[Feature request] Increased granularity in OAuth scopes

Hi,

We want to request a feature enabling us to attach a list of repositories to the public_repo OAuth scope. Since we don’t know the username before the user logs in, we would need to specify, for instance, orgname/reponame,reponame, where the latter one would imply the repository is under the user’s own namespace.

To explain our particular use case: we run a CTF competition that uses a Git repository as a public ledger of submissions (source code at https://github.com/pwn2winctf/NIZKCTF-js). Currently, users log in using the public_repo OAuth scope. Despite the application being open source, users do not have time to audit its source code and complain about having to give write access to all their public repositories.

This issue would be solved if the OAuth scopes were more granular. In our case, the application would need the following permissions:

  • Fork a specific repository (e.g., pwn2winctf/2020submissions) to the user’s account.
  • Write access to a specific public repository (username/2020submissions).
  • Making pull requests from a specific repository (username/2020submissions) to its upstream.

We kindly ask you to consider implementing this feature request and hope to contribute back by engaging the information security community in using GitHub even more.

Thank you.

2 Likes

👋 @thotypous, welcome to our GitHub Community Forum, and thanks for sharing your request and use case here!

We can confirm that there isn’t a more granular OAuth scope for choosing a subset of repositories within the public_repo scope. We understand that you don’t want to ask your users for permissions you don’t need, and neither do users want to grant you those permissions. In some cases, this might even prevent users from using your application.

It’s a very important topic and we’re glad you’re bringing it up with us. Providing more granular OAuth scopes is already the biggest blip on the API team’s radar and it’s something we’d love to do. However, we can’t make promises about if and when the scopes you wished for might be available – the API team is rolling out additional scopes as they are completed.

Would you mind submitting this through our official product feedback form so that our product team can track your request?

The best way to keep track of changes is to follow the API blog, and ping us if you have any questions about the available scopes:

As an alternative to using OAuth Apps, you and your team may want to consider using GitHub Apps. GitHub Apps can be installed directly on organizations and user accounts and granted access to specific repositories. They come with built-in webhooks and narrow, specific permissions.

Given you and your team’s use case, one approach you can take is creating a GitHub app with the following permissions (read and write):

Our team created this excellent quickstart guide to GitHub Apps that might be of interest:

We hope this helps!

1 Like
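The GitHub App route suggested in the reply is worth seeing end to end, because the least-privilege win comes from two documented steps: the app authenticates with a short-lived RS256 JWT (iss = app id, valid at most 10 minutes), then exchanges it for an installation token that can be narrowed further with `repositories` and `permissions` in the request body, so the ledger application never holds a credential that reaches any other repository. The example below is added here; it is not code from the thread or from NIZKCTF-js. The permission set (`contents` and `pull_requests`, both write) is an assumption, since the reply's own list did not survive on the page, and the HMAC signer is a constructed stand-in so the block runs offline; GitHub only accepts RS256 with the app's private key.

```python
"""Scoped-down GitHub App installation token for a submissions ledger.

Added example (not from the forum thread or NIZKCTF-js). The JWT shape
(iat/exp/iss, <= 10 min lifetime, 60 s skew allowance) and the
installation-token endpoint follow GitHub's documented App auth scheme.
"""
import base64
import hashlib
import hmac
import json
import time
from typing import Callable, Dict, List

API = "https://api.github.com"
MAX_JWT_LIFETIME = 600   # GitHub rejects app JWTs that live longer than 10 minutes
CLOCK_SKEW = 60          # back-date iat by 60 s, as GitHub's docs recommend


def _b64url(data: bytes) -> str:
    """Base64url without padding, as JWT requires."""
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def app_jwt(app_id: int, sign: Callable[[bytes], bytes], now: int,
            lifetime: int = 540) -> str:
    """Build the JWT a GitHub App presents to authenticate as itself.

    `sign` must be RS256 over the signing input with the app's private key
    in production; it is a parameter here so the example runs offline.
    """
    if not 0 < lifetime <= MAX_JWT_LIFETIME:
        raise ValueError("a GitHub App JWT may be valid for at most 10 minutes")

    def enc(obj: dict) -> str:
        return _b64url(json.dumps(obj, separators=(",", ":")).encode())

    header = {"alg": "RS256", "typ": "JWT"}
    claims = {"iat": now - CLOCK_SKEW, "exp": now + lifetime, "iss": str(app_id)}
    signing_input = f"{enc(header)}.{enc(claims)}"
    return f"{signing_input}.{_b64url(sign(signing_input.encode('ascii')))}"


def decode_claims(jwt: str) -> dict:
    """Read back the (unverified) claims segment, for inspection and tests."""
    payload = jwt.split(".")[1]
    payload += "=" * (-len(payload) % 4)
    return json.loads(base64.urlsafe_b64decode(payload))


def installation_token_request(installation_id: int, jwt: str,
                               repositories: List[str],
                               permissions: Dict[str, str]) -> dict:
    """Describe the POST that mints an installation token restricted to the
    named repositories and permissions (both must be a subset of what the
    installation was granted; GitHub rejects anything broader)."""
    for perm, level in permissions.items():
        if level not in ("read", "write"):
            raise ValueError(f"bad access level {level!r} for {perm}")
    return {
        "method": "POST",
        "url": f"{API}/app/installations/{installation_id}/access_tokens",
        "headers": {"Authorization": f"Bearer {jwt}",
                    "Accept": "application/vnd.github+json"},
        "body": {"repositories": sorted(repositories), "permissions": permissions},
    }


def stand_in_signer(secret: bytes) -> Callable[[bytes], bytes]:
    """Constructed HMAC signer so the example runs without a key file.
    GitHub will NOT accept this; production must use RS256 with the app key."""
    return lambda data: hmac.new(secret, data, hashlib.sha256).digest()


def ledger_token_request(app_id: int, installation_id: int,
                         sign: Callable[[bytes], bytes], now: int) -> dict:
    """Token that can only push to, and open PRs from, the submissions repo.
    The permission names are real GitHub App permissions; choosing exactly
    these two for the ledger is this example's assumption."""
    jwt = app_jwt(app_id, sign, now)
    return installation_token_request(
        installation_id, jwt, ["2020submissions"],
        {"contents": "write", "pull_requests": "write"})


if __name__ == "__main__":
    # App id, installation id and secret below are constructed sample values.
    req = ledger_token_request(12345, 678, stand_in_signer(b"sample-secret"), int(time.time()))
    print(json.dumps(req, indent=2))
```

The user-facing difference from the `public_repo` flow in the original post is that the installation (and the token minted from it) names the one repository the ledger needs, so a compromised token cannot write to anything else the user owns.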