GitHub App installation "act on your behalf" warning #37117
Replies: 44 comments 24 replies
-
Relevant issue which seems to be top on Google searches: cirruslabs/cirrus-ci-docs#751
-
Would be very interested in seeing a resolution to this - the prompt below is too scary to agree to.
-
Hi there @nehzata and welcome to our community! Thank you for asking a great question 🙂
-
@martinwoodward Sorry for pinging like this. Could you please assist?
-
Hey all, would updating the permissions individually to explain the permission make more sense? E.g. "Open and close issues in your name" or "Open and close issues using your identity"? Neither is immediately clear that everyone else will see you closing those issues.
-
@hpsin thanks for responding to this! Yes, that would be great, but I worry that it's going to take a long time to implement. Can I also suggest, for now, changing the warning to read "May be able to act on your behalf" and updating the docs behind the "Learn more" link? The wording in the linked docs further reinforces the wrong impression.
-
As a maintainer I had to think long and hard about allowing this dialogue, check the source of the app to see if it was legit and vet the background of the author a bit, as it doesn't say what it can do on my behalf. This message should definitely explain the scope of what the app can do, and allow us to limit that scope.
-
As for me, it's just a generic message from GitHub. What you can do is put the complete information about your app in the README and any other possible place for the users.
-
I get this with an app that has 0 permissions requested. I would expect that for an app with 0 permissions requested, only the first of the following 3 messages would appear in the authorize UI.

1. Verify your GitHub identity (coryvirok) ✅ This makes sense to me as a developer as well as a consumer of an app that is requesting 0 permissions. The very fact that I'm adding the app to my GitHub account in order to provide SSO to my site would mean that my site is going to be able to verify my identity on GitHub.
2. Know which resources you can access ❌ This doesn't make sense to show for a GitHub app, since the user is going to be able to select which resources the app has access to. Meaning, the app will only be able to know which resources belong to the user if the user selects them. As a user of the app, this makes me wonder if the app is able to see resources outside of the ones I've selected.
3. Act on your behalf ❌ This doesn't make sense to show unless there is some sort of a

If at all possible, I'd like to never use a user-to-server token, which would mean my app would always interact with GitHub using the installation token. Which means I would never be acting on the user's behalf.
-
Is there any update on this? I have a simple GitHub Application that asks for read-only information to public data just to hit the GitHub API with authentication (to avoid the public rate limit) and users are asking why the app says it can "Act on your behalf."
-
Bump on this thread. Any update from the GitHub team? Going by @p0358's comment above, the current messaging encourages devs to build an OAuth app instead of a GitHub app. Yet all over the docs GitHub has plastered the message asking us to consider moving away from OAuth apps.
-
I can't believe this phrasing is still there. Number one reason why users do not go through that first screen, even though I have zero permissions to act on their behalf. I suspect that's the reason why many companies use 2 GitHub flows: one for authorising/identifying the user using an OAuth app (which doesn't have this crazy warning), and a second one which goes through a GitHub App when permissions are needed on repositories (because we can take advantage of the better granularity here). But that's not what I would call a good dev UX.
-
With only read permissions set on our app, showing this warning is a bug.
-
I can't believe this is still an issue. This is definitely a bug: the interface is showing incorrect and misleading information to the user. This creates lots of problems in the context of a security-aware company, since all users will report a non-issue.
-
2024 and this is still a problem... sad.
-
I wonder if this will ever get fixed?
-
Someone asked about this today, too bad this is the result.
-
up! 2024
-
bump, still an issue
-
Bumping, still an issue
-
bump, still an issue
-
Any update on the issue?
-
Facing the same.
-
As we approach the 2nd anniversary of this issue, and the 6th anniversary of Microsoft's acquisition of GitHub, it is important to remember that GitHub Microsoft does not care. But hey, at least it will be 2025 soon, and we can tack on another year of indifference!
-
Apparently it's more clear when you use an org.
-
OK, I was very confused and had to dig into this thread to understand what that could mean. Pls just remove :)
-
It's very sad that this is still an open issue. Motivated by @hichemfantar's screenshot, I spent a couple of minutes searching and trying to repro the same result (as purely adding the app to an organization doesn't work) and luckily (or not) I've found the workaround. Unfortunately, it works only for apps that are used purely for authentication (e.g., an OAuth App). For that, when creating the app, pick the "OAuth Apps" option under the "Developer Settings" instead of the regular "GitHub Apps."
-
Hi,
I have an app configured with read-only access to the user's email address, read-only metadata access and read-only repository content access.
When users try to install the app, though, they are warned that my app will "Act on your behalf", which is leading to a very negative user experience. Is there anything I can do? Is it something I've done wrong? Can I reconfigure the app in any way to remove this warning?
The number one question I'm currently getting is "Why does your app need to act on my behalf?"
Thanks in advance!
Ali