Why does this forum need permission to act on my behalf?

What does “Act on my behalf” mean? Can you buy things on my behalf? Marry me on my behalf? Have someone assassinated on my behalf? Delete all my repos on my behalf? Insert trojans in all my code on my behalf?

Why does this forum need that permission at all?

Similarly what does “Know which resources you access” mean? and why does this forum need that permission?

6 Likes

Hello, thanks for reaching out and welcome to the community!

We’re using a GitHub App to allow for people to sign in to the GitHub Support Community. In order to do this and provide the information that the Support Community forum software needs, we’ve configured it to be able to:

  1. Verify your identity
  2. Request read-only access to your account’s email address

Because of the way GitHub Apps work for this sign-in-as scenario (or other user-to-server applications), it has the ability to act on your behalf or know which resources you can access, but only within the scope of the permissions we’ve requested, in other words verifying your identity and reading your account’s email address.

We understand that this is poorly and confusingly worded for this kind of scenario. We’ve given this feedback to the team that is responsible for how this dialog is designed. We’ll be working with them to improve it to hopefully make it more clear and understandable as to what exactly is being requested so that you can be more confident in the decision you’re being asked to make.

Let us know if you have more questions.

6 Likes

Thank you, this is a scary sounding permission. It affects everyone building a GitHub App to use as an authentication provider.

It seems to me the only thing needed in the prompt is what an app has access to: “Resources on your account”

Not the top part which is confusing and sounds like it has a lot more permissions: “Verify your GitHub identity, Know which resources you can access, Act on your behalf”

2 Likes

Why does it need to know which resources I can access? AFAIK all it needs is my identity to let me log into a Discourse forum.

The forum doesn’t need to know which resources you can access.

As part of the design of the security flow, however, we feel it is important to point out that when granting any permission to an external tool or system, it could be used to determine which resources you can access within the scope of the permission granted.

2 Likes

The forum doesn’t need to know which resources you can access.

As part of the design of the security flow, however, we feel it is important to point out that when granting any permission to an external tool or system, it could be used to determine which resources you can access within the scope of the permission granted.

I don’t understand. If the forum doesn’t need to know which resources I can access, then why is that permission displayed? No other Discourse forum that allows signing in with GitHub asks for anything more than “Verify your GitHub identity”.

So, if the forum doesn’t need to know why is it asking for these permissions?

This is a difference between the old OAuth security system and the new GitHub App security system. The other Discourse forums that you’re using are still using the OAuth system.

The fact that it could be used to determine which resources you have access to is a side effect. Think of it like this: if you give a friend a key to the front door of your house, then they can get in to your house to water your plants while you’re on vacation. But they could also use that key to check if it works in your car, your mailbox, your shed in your backyard, your front door, your back door, etc. But you only gave them the key for the front door. So as a side effect of you giving your friend the key to your house, they now know the key you gave them can only access the front door. But if you, for convenience, made the same key open the front door, the back door, and the shed then they would know that too. It’s simply the nature of how keys work.

Or maybe, because they’re your friend and they just want to water your plants, they never check to see if the key works in anything but the front door. But you’ve entrusted them with the ability to find out if the key works in other locks.

In designing the new GitHub App security authorization flow, our security team thought it was important to be as transparent as possible so you know exactly what you’re signing up for.

Except you’re not being remotely transparent.

You still haven’t said why you need that permission. There is no technical reason you can’t design the system to only need identity info. The fact that you chose to use 2 more opaque permissions is not “being transparent”. It’s being opaque, since there is no valid reason to need those permissions to run this forum, and your excuses sound just like that: excuses.

I still don’t know why you need those permissions. Saying “btw, we have these permissions” is not an answer to “why do you need these permissions”.

The key analogy is more like you saying you need a copy of the key to my mailbox to get my mail while I’m on vacation and then you tell me “oh, we also copied your car keys and your house keys too”. My answer would be “give those keys back immediately, you have no need for them” and then I’d change my locks. I wouldn’t accept an answer “well we told you we copied 2 keys that we had no business copying but hey it’s okay because we told you we made copies”.

The key analogy is more like me trying to sign up for a service to collect my mail while I’m on vacation and them informing me they not only need the key to my post office box, they also need the keys to my house and my car. That would be ridiculous. I wouldn’t accept “we just wanted you to know we need copies of your house and car key for no reason, that’s just the way it is, our service requires those keys” as an answer to “why do you need my house and car keys to collect the mail from my post office box?”… WAT?!

1 Like

Interesting conversation. I do agree that the wording could have been chosen better, or that some sort of additional info should be made available for that broadly generic “acting on your behalf” clause — e.g. in a balloon popup when hovering, or via a link to a page explaining it in detail.

On the other hand, I didn’t really think much of it when I saw it during registration, the reason being that its purpose is clearly that of connecting the GitHub Community account to the main GitHub account. Since both services are provided by the same company (GitHub Inc.) I saw it as being merely some legal requirement on their side.

Needless to say, others might consider the request “legally suspicious” for the same reason — i.e. since the two accounts are handled by the same organization, why ask for that specific permission? And, possibly, could this permission also have effects on the main GitHub account?

Personally, I actually appreciated the fact that I was being informed and asked for permission to join the two accounts, and that this wasn’t simply done “auto-magically” behind my back — as often happens with big corporations that provide many different services. But I signed up using my personal GH account, and if I were using a company employer account I probably wouldn’t have consented to that without consulting the firm’s lawyer first.

Having said that, asking users to grant permission to “Act on your behalf” is indeed a rather perplexing request — and it might have turned away lots of potential users who, on reading that, didn’t consent and turned away. Chances are that there is no way to know this, since most of those who were deterred by that clause are unlikely to leave feedback about it.

3 Likes

lee-dohm
when granting any permission to an external tool or system, it could be used to determine which resources you can access within the scope of the permission granted.

Could you explain what that means in this specific case?

Does it mean that the system could determine that the user has access to their own email address? Nothing more than that? If that’s the case the warning seems excessive. It would make sense in other cases like repo access, but here it’s just unnecessarily alarming.

Yes, in this specific case it means that the system could determine that the user has access to the email address that is configured in their account.