OAuth and private email address

I wanted to post a followup on this email:

Concerning: https://github.com/settings/emails
It is not clear which email address is shared when an app using “Login with Github” asks for permission to read your private email address when you have selected “Keep my email address private”

Which email address is shared with this functionality?

  1. Your primary email address as set in your settings.
  2. The email address mentioned inside the explanation of “Keep my email address private”.

Please answer and enhance the text on your settings page accordingly…
At the moment I am declining to use ANY app that wants to read my private email address in this way.

Hi there,

Thanks for reaching out.

The Keep my email address private setting applies to keeping your personal email address private when committing on GitHub as described here:

https://help.github.com/articles/about-commit-email-addresses/

However, if an OAuth application requests access to your user’s email addresses, it will be able to read your private email addresses once authorized with that scope. Our team wrote more about this scope (user:email) here:

https://developer.github.com/apps/building-oauth-apps/understanding-scopes-for-oauth-apps/

You also mentioned:

Please answer and enhance the text on your settings page accordingly…

Thanks for the feedback – we’ve let the team know.

If you have any other follow-up questions about the GitHub API, OAuth Apps, or GitHub Apps, we recommend checking out the new GitHub API Development and Support Board that our Community team recently opened:

https://github.community/t5/GitHub-API-Development-and/bd-p/api

All the best,
GitHub Staff

Could we then at least get an option in both the account settings and OAuth dialog to choose which email address to share with an application?
E.g.: Share private email or anonymized email.

Of course this selection should be hidden from the app doing OAuth without it being able to insist on the private email address!

6 Likes
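
An added example, not part of the original thread and not GitHub's code: a check a user can run on a "Sign in with GitHub" authorize URL to see whether the requested scopes include the email scope the staff reply names, plus a simplified model of what that grant exposes. The sample account data, the URLs, the `CLIENT_ID` placeholder and the model in `readable_addresses` are constructed assumptions.

```python
import re
from urllib.parse import parse_qs, urlsplit

# Scopes that let an OAuth app read the account's email addresses:
# user:email is the scope named in the reply above, and GitHub's scope
# documentation states that the broader "user" scope includes it.
EMAIL_SCOPES = {"user:email", "user"}

def requested_scopes(authorize_url):
    """Return the set of scopes requested by a GitHub OAuth authorize URL."""
    query = parse_qs(urlsplit(authorize_url).query)
    raw = " ".join(query.get("scope", []))
    # Scopes are space-delimited; commas are tolerated here as well.
    return {s for s in re.split(r"[ ,]+", raw) if s}

def exposes_email(authorize_url):
    """True if authorizing this request lets the app read email addresses."""
    return bool(requested_scopes(authorize_url) & EMAIL_SCOPES)

def readable_addresses(granted_scopes, account_emails):
    """Simplified model (assumption): with an email scope every address on
    the account is readable, whatever its visibility; without one, only an
    address the user made public."""
    if set(granted_scopes) & EMAIL_SCOPES:
        return [e["email"] for e in account_emails]
    return [e["email"] for e in account_emails if e["visibility"] == "public"]

# Constructed sample: an account with "Keep my email address private" enabled.
SAMPLE_EMAILS = [
    {"email": "alice@example.com", "primary": True, "visibility": "private"},
    {"email": "alice.backup@example.org", "primary": False, "visibility": None},
]
# Constructed authorize URLs; CLIENT_ID is a placeholder.
BASE = "https://github.com/login/oauth/authorize?client_id=CLIENT_ID"
PROFILE_ONLY = BASE + "&scope=read:user"
WITH_EMAIL = BASE + "&scope=read:user%20user:email"

if __name__ == "__main__":
    for url in (PROFILE_ONLY, WITH_EMAIL):
        scopes = requested_scopes(url)
        print(sorted(scopes), "->", readable_addresses(scopes, SAMPLE_EMAILS))
```
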

Hi @trimoon,

Thanks for this feedback and taking part in the Community Forum! We’re always working to improve GitHub, and we consider every suggestion we receive. I’ve logged your feedback and feature request internally. Though I can’t guarantee anything or share a timeline for this, I can tell you that it’s been shared with the appropriate teams for consideration.

Cheers!

1 Like

+1 to this feature request.  A site I wanted to use asked me to “Sign in with Github”, but I refused to authorize it because of this issue.  I am content to share my Github username with the site, but not my private email address.

2 Likes

I believe this will be a nice feature. I have linked multiple email addresses to make sure I can recover my access in case of accidents, but I don’t want to share all of those addresses. 

It will be even better if the id+username@users.noreply.github.com address can forward incoming emails to the user’s personal email address, like what “sign in with apple id” is doing.

1 Like

Seriously, this. It’s just good security practice to limit information sharing to a need-to-know minimum.
If OAuth requires sharing your private email, “signing up with GitHub” is almost entirely devoid of value, offering only 1 less password to enter–we have password managers for that.
Private email obfuscation is a basic feature today, and one not provided by password managers.
It shouldn’t take years to implement.

Also, the text on the settings page is still ambiguous as of 2022-06-23, which is how I found myself here, searching for answers.

Is there anything we as the community can do to help get a fix rolled out?
A lot of us on the platform are devs cough cough we could fix it for your designated team if they’re strapped cough

For emphasis, it’s been almost 4 years since the last response on this from @nadiajoyce (thank you by the way–better than nothing). Have there been any developments GitHub side on this issue since?