GitHub Single-Sign-On permissions: technical note

A short technical note on GitHub OAuth2 permissions.

GitHub authorises access to data using OAuth 2.0, a widely used delegation standard. OAuth 2.0 has the concept of scopes: named bundles of permissions that you, the user, can choose to let GitHub grant to applications like CTX. An application asks for a list of scopes, and the token it receives is limited to what those scopes allow.

The CTX Single Sign On GitHub application needs the scopes read:org and read:user, which are used to let CTX see who you are and which organisations you belong to - essential for login!

A - GitHub scopes

Neither of these gives permission to read or write the contents of any of your repositories. read:user allows read-only access to your profile, and read:org allows read-only access to your organisation and team memberships (the list of orgs and teams you belong to, not the data inside them).

This is - sort of - shown in the GitHub auth screen, where it lists the things it asks for at the top (but doesn’t tell you what it’s not asking for…)

Secondly, when GitHub presents the list of organisations (with tick, Request, or Grant buttons) in the screen you reached, that list is driven by the organisations you are a member of, not by anything CTX chose.

CTX can't request permissions on only a subset of organisations; in GitHub land a scope applies to everything the signed-in user can see, so you either ask for all of it or none of it. See GitHub's documentation on available OAuth scopes for the full list.
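To make the "ask for exactly these two scopes, and check that is all you got" point concrete, here is an added example (not CTX's code, and not from GitHub) of the two ends of the login flow: building the authorize request with only read:org and read:user, validating the callback, and auditing the token afterwards. GitHub reports a token's real scopes in the X-OAuth-Scopes header of every API response, so the audit reads that header rather than trusting the request. The client id, redirect URL, state value and header values are all constructed for the example.

```python
"""GitHub OAuth for SSO: request only read:org + read:user, then verify the
token actually carries no more than that (example code, not CTX's own)."""
from urllib.parse import parse_qs, urlencode, urlparse

# Scopes an SSO-only login needs (as described in the note above).
SSO_SCOPES = ("read:org", "read:user")

# Scopes that GitHub treats as including narrower ones; the audit expands these
# so that a token carrying "user" is recognised as satisfying read:user.
IMPLIED = {
    "user": {"read:user", "user:email", "user:follow"},
    "admin:org": {"write:org", "read:org"},
    "write:org": {"read:org"},
}

# Anything here is more than a login needs: repository access or any write.
OVERBROAD = {"repo", "public_repo", "repo:status", "repo_deployment", "delete_repo", "user"}
OVERBROAD_PREFIXES = ("write:", "admin:")


def authorize_params(client_id, redirect_uri, state, scopes=SSO_SCOPES):
    """Query parameters for the authorize request. GitHub separates multiple
    scopes with a space; `state` is an unguessable per-login value that the
    callback handler must compare to defeat login CSRF."""
    return {
        "client_id": client_id,
        "redirect_uri": redirect_uri,
        "scope": " ".join(scopes),
        "state": state,
    }


def build_authorize_url(client_id, redirect_uri, state, scopes=SSO_SCOPES):
    """The URL the browser is sent to (hypothetical client id / redirect)."""
    return "https://github.com/login/oauth/authorize?" + urlencode(
        authorize_params(client_id, redirect_uri, state, scopes))


def parse_callback(callback_url, expected_state):
    """Extract the one-time `code` from the callback URL. Refuse it when the
    state does not match the one stored before redirecting, or when GitHub
    reported an error instead of a code."""
    qs = parse_qs(urlparse(callback_url).query)
    if qs.get("state", [None])[0] != expected_state:
        raise ValueError("state mismatch: possible login CSRF")
    if "error" in qs:
        raise ValueError("authorization refused: " + qs["error"][0])
    return qs["code"][0]


def granted_scopes(headers):
    """Parse the comma-separated X-OAuth-Scopes header (case-insensitive
    lookup) and expand implied scopes. This header, not the scope we asked
    for, is the authoritative record of what the token can do."""
    raw = {k.lower(): v for k, v in headers.items()}.get("x-oauth-scopes", "")
    have = {s.strip() for s in raw.split(",") if s.strip()}
    pending = list(have)
    while pending:                      # transitive closure over IMPLIED
        for child in IMPLIED.get(pending.pop(), ()):
            if child not in have:
                have.add(child)
                pending.append(child)
    return have


def audit_token_scopes(headers, required=SSO_SCOPES):
    """Return (ok, problems): ok is False if a required scope is missing or
    the token can reach repositories or write anything."""
    have = granted_scopes(headers)
    problems = [f"missing required scope {s}" for s in required if s not in have]
    for s in sorted(have):
        if s in OVERBROAD or s.startswith(OVERBROAD_PREFIXES):
            problems.append(f"over-privileged scope {s}")
    return (not problems, problems)


if __name__ == "__main__":
    print(build_authorize_url("Iv1.example", "https://ctx.example/cb", "n0nce"))
    # Constructed response header, shaped like a real GitHub API reply.
    print(audit_token_scopes({"X-OAuth-Scopes": "read:org, read:user"}))
```

Running the audit on every login (and refusing to store an over-privileged token) turns the "we only ask for two scopes" statement into something you can check, which matters because a user who authorised the same app earlier, or who tampers with the scope parameter, can end up with a token that differs from the one the application meant to request.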

There are a number of issues raised against the GitHub API to provide more granular permissions, and the response is, universally, “sometime”.

The thing that drives the state of those orgs in the auth dialog (tick, Request, Grant etc) is an organisation setting that needs to be applied to each org in the GitHub admin.

GitHub access policy

If your org doesn't have the third-party application access restriction turned on, GitHub defaults to allowing applications (like CTX) that a member authorises to read the org's data, without giving you the opportunity to Request, Deny or Grant access.

You'd need to switch this on for each org in order for them not to show as green ticks in the auth screen. It's off by default because of some fairly disruptive side effects: once the restriction is enabled, applications that members had already authorised lose access to the org's private data until an owner approves each one.

As you can see, the available options are complex.

The key takeaway from this article is - CTX only needs to identify you and see which organisations you're a member of. Beyond your profile and that membership list, CTX does not read any data (repository contents included) and exports nothing when you sign in with GitHub.