Why does this forum need permission to act on my behalf?

What does “Act on my behalf” mean? Can you buy things on my behalf? Marry me on my behalf? Have someone assassinated on my behalf? Delete all my repos on my behalf? Insert trojans in all my code on my behalf?

Why does this forum need that permission at all?

Similarly, what does “Know which resources you access” mean? And why does this forum need that permission?

Hello, thanks for reaching out and welcome to the community!

We’re using a GitHub App to allow for people to sign in to the GitHub Support Community. In order to do this and provide the information that the Support Community forum software needs, we’ve configured it to be able to:

  1. Verify your identity
  2. Request read-only access to your account’s email address

Because of the way GitHub Apps work for this sign-in-as scenario (or other user-to-server applications), it has the ability to act on your behalf or know which resources you can access, but only within the scope of the permissions we’ve requested, in other words verifying your identity and reading your account’s email address.

We understand that this is poorly and confusingly worded for this kind of scenario. We’ve given this feedback to the team that is responsible for how this dialog is designed. We’ll be working with them to improve it to hopefully make it more clear and understandable as to what exactly is being requested so that you can be more confident in the decision you’re being asked to make.

Let us know if you have more questions.

2 Likes

Thank you, this is a scary sounding permission. It affects everyone building a GitHub App to use as an authentication provider.

It seems to me the only thing needed in the prompt is what an app has access to: “Resources on your account”

Not the top part which is confusing and sounds like it has a lot more permissions: “Verify your GitHub identity, Know which resources you can access, Act on your behalf”