Whether we use pure OAuth or GitHub App authorization, you’re granting the same access. The only difference is in the wording of the notification which makes what you’re granting explicit in the case of GitHub App authorization but remains implicit in the case of OAuth.
What things can an app “do on my behalf” with only “user:email” scope? And what’s an example of “Know which resources you can access” with only “user:email” scope?
As I’ve stated before …
Any OAuth token with any combination of scopes can be used by an app to verify your identity on your behalf; that’s why you want to use it for logging in to forums.
An app can determine which email addresses you have configured on your GitHub account; therefore, the app will know what email address you can access.
This is going around in circles. Can we talk to your manager? You seem like the front-line customer service rep who keeps repeating what’s in the response database instead of actually listening to what we’re saying.
If all it’s doing is getting our email address then the OAuth wording is perfectly fine and the GitHub auth wording is idiotic and misleading. If the GitHub auth actually does give more permissions then please enumerate them.
@greggman Thanks for being here and for taking the time to share your feedback. @lee-dohm has essentially described in depth the reasoning behind this. I’m sorry this is not a satisfying enough answer; at this time there is nothing else to add.
Please know we value our users, and every single piece of feedback, whether it be a feature request, accolade or concern about an existing feature, is expediently submitted to our team for review and consideration. I’m closing this thread for now, and as soon as I have an update to provide in regard to your request, I’ll post it here.
Thanks again for being here, asking thoughtful questions and helping our community grow.