Atom.io requesting Modify authorization


#1

Today when I tried to log in to atom.io on my other computer's browser, I got an OAuth screen on GitHub saying that Atom is requesting:

Organizations and teams

Background: the company I work for has a few github.com organizations that we keep both public and private repos in. I use my GitHub account for:

Personal (public open source + private)
Work (org) (public open source + private)

  1. I don't want to give atom.io access to this org. Why can't I opt out? Is there a way?
    (OK, technically it's run by GitHub, so maybe the same people have access to the other stuff anyway for all I know? Let's put that aside.)

  2. Why did they change this?

  3. I have the same issue with Travis CI, so I've actually never set it up. I thought GitHub made some changes recently to the org security model, but I still don't see the option in the OAuth screen to opt out.

  4. Should I just give up and split my work / personal accounts? Pretty much the only benefit I see for doing this is these 3rd-party apps; there are probably several minor cons to doing this.

(Good thing I'm currently auth'd in on this laptop :smile:)


#2

To be honest, I don't understand the interactions between OAuth and organizations that well either. But there is a GitHub help page on the subject. From what I can understand, the owner(s) of the organization can choose whether to allow members to authorize third-party applications' access to organization information (the grandfathered default) or to restrict third-party applications' access.

So I guess the short answer is, the owner of your organization needs to set the access restrictions.


#3

Yeah, that's what I got from that too, but I mean that's problematic in the sense that what if I don't trust those permissions. And it's unclear what happens if they're changed after the fact by the admin, for example if they got more lenient without the authorizer knowing.

It doesn't make sense to me that all 3rd-party apps' security is the same. But what are you going to do.

Am I in the minority of users who use the same account for open source and work?

Again, there's also kind of the funny question of why atom.io needs (wants) our organizations?


#4

Disclaimer: I am not an employee of GitHub nor a member of the Atom Core team. I’m just an enthusiastic volunteer.

You should probably check with GitHub Support on this … but … to my understanding, the token that is generated is tied to the permissions at the time of granting. So if the application starts asking for more permissions, the old tokens don't get them retroactively.

It’s my understanding that GitHub made this change because they are:

  1. Enabling 3rd-party apps to have differing security
  2. Not breaking 3rd-party apps that you may have already authorized

I can’t answer this. I’ve worked for various large corporations for the past several years who generally didn’t allow open source work until very, very recently. My GitHub account is only my personal account, at least right now.

I’ll look into this and let you know as soon as I find out more. It might not be until after the holidays though because lots of my GitHub contacts are going to be on vacation here and there. Is that ok?


#5

Of course no rush! Thanks for your help.

Good points with regards to the security at token creation time.


#6

I have the same question. May I not worry about this permission? My organization has private repositories.


#7

@Connormiha, thanks for bringing this up again. And I apologize @DavidLGoldberg for letting this go so long without circling back around.

I just took a look at the permissions that GitHub records me having granted to the Atom.io application:

Atom.io just wants to be able to see what orgs you belong to (team access goes along with org access currently). It needs this because there are some admin features that are available to members of certain teams within the https://github.com/atom org.

For more information, you can check out the available GitHub OAuth scopes here:

https://developer.github.com/v3/oauth/#scopes
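Two checks come up repeatedly in this thread: what scopes an app is asking for on the consent screen (#1, #7), and what scopes a token you already granted actually carries, since #4 notes that old tokens do not pick up scopes the app starts requesting later. The script below is an added example, not code from this thread, from Atom or from GitHub. It parses the `scope` parameter of a github.com/login/oauth/authorize URL and the `X-OAuth-Scopes` header GitHub returns on API responses made with a token, then reports whether the effective scope set reveals org/team membership or reaches private repos. The scope implication table is a subset of the hierarchy in the GitHub scope documentation linked above, and the sample URL and headers are constructed (placeholder client id and redirect URI).

```python
"""Check which GitHub OAuth scopes an app asks for, and which scopes a token actually carries."""
import re
from urllib.parse import parse_qs, urlparse

# Scope implication hierarchy. Assumption: a subset of the hierarchy in GitHub's
# OAuth scope documentation, enough for the org/private-repo questions in this thread.
IMPLIES = {
    "admin:org": {"write:org"},
    "write:org": {"read:org"},
    "repo": {"public_repo", "repo:status", "repo_deployment"},
    "user": {"read:user", "user:email", "user:follow"},
}

# Scopes that reveal org/team membership, and scopes that reach private repos.
ORG_SCOPES = {"read:org", "write:org", "admin:org"}
PRIVATE_REPO_SCOPES = {"repo"}


def expand(scopes):
    """Close a scope set under implication (e.g. admin:org also grants read:org)."""
    result = set(scopes)
    todo = list(scopes)
    while todo:
        for child in IMPLIES.get(todo.pop(), ()):
            if child not in result:
                result.add(child)
                todo.append(child)
    return result


def requested_scopes(authorize_url):
    """Scopes in the `scope` query parameter of a github.com/login/oauth/authorize URL.

    GitHub documents a space-separated list; comma-separated lists were also accepted,
    so both separators are handled. No `scope` at all means read-only public data.
    """
    query = parse_qs(urlparse(authorize_url).query)
    raw = " ".join(query.get("scope", []))
    return {s for s in re.split(r"[\s,]+", raw) if s}


def granted_scopes(headers):
    """Scopes from the X-OAuth-Scopes header GitHub sends on API responses for a token."""
    for name, value in headers.items():
        if name.lower() == "x-oauth-scopes":
            return {s.strip() for s in value.split(",") if s.strip()}
    return set()


def assess(scopes):
    """Summarise what a scope set lets the app see or change."""
    effective = expand(scopes)
    return {
        "effective": sorted(effective),
        "sees_org_membership": bool(effective & ORG_SCOPES),
        "reads_private_repos": bool(effective & PRIVATE_REPO_SCOPES),
        "modifies_orgs": bool(effective & {"write:org", "admin:org"}),
    }


# Constructed sample input: an authorize URL of the kind the OP was redirected to,
# and headers of the kind `curl -i -H "Authorization: token ..." https://api.github.com/user`
# returns for an already-issued token. Client id and redirect URI are placeholders.
SAMPLE_AUTHORIZE_URL = (
    "https://github.com/login/oauth/authorize"
    "?client_id=0123456789abcdef0123"
    "&scope=read:org%20user:email"
    "&redirect_uri=https%3A%2F%2Fexample.invalid%2Fcallback"
)
SAMPLE_HEADERS = {
    "X-OAuth-Scopes": "read:org, user:email",
    "X-Accepted-OAuth-Scopes": "user",
}

if __name__ == "__main__":
    print("requested:", assess(requested_scopes(SAMPLE_AUTHORIZE_URL)))
    print("granted:  ", assess(granted_scopes(SAMPLE_HEADERS)))
```

For the consent screen, copy the URL the browser was sent to before clicking Authorize and feed it to `requested_scopes`; an "Organizations and teams" line corresponds to one of the org scopes, and `read:org` alone does not reach private repository contents, which needs `repo`. For a token you granted earlier, the `X-OAuth-Scopes` header on any authenticated API response shows what that token still has (the companion `X-Accepted-OAuth-Scopes` header lists the scopes the endpoint would accept), which is the direct way to verify #4's point that a later, broader request by the app does not widen existing tokens.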


#8

Sorry for not getting back to you (it's been a while), but I actually never did accept the permissions :-\

Luckily, I just tried it again, and it only wanted my personal data, it seemed. So maybe they changed it back? Thanks for the insight!

I wonder if Travis CI changed their access :stuck_out_tongue:


#9

Oops. I’m sorry, that was just for discuss.atom.io, not the atom.io/packages etc. That still requires the Org.


#10

From what I’ve seen since then, I believe atom.io/packages just requires the Org so that it can tell if you’re a member of the Atom organization or not :grinning:


#11

Hehe. That’s pretty funny.