
Can't opt out of giving Che OAuth access to GitHub, even for public repos

Open amisevsk opened this issue 2 years ago • 2 comments

Describe the bug

Since https://github.com/eclipse-che/che-server/pull/301, Che will always prompt for OAuth access and use this if granted to simplify user setup. However, Che will refuse to start workspaces from public GitHub repos unless full read/write access is granted, even for public repos. If a user doesn't want to grant this access to Che, the workspace start fails with a plaintext page that says

Authentication failed: access_denied

Che version

next (development version)

Steps to reproduce

  1. Attempt to open factory url from github, e.g. https://github.com/che-samples/golang-example/tree/devfilev2

Expected behavior

If OAuth isn't granted, Che should fall back to an unauthenticated flow.

Runtime

OpenShift

Screenshots

che-oauth-flow

Installation method

OperatorHub

Environment

Linux

Eclipse Che Logs

No response

Additional context

Original issue: https://github.com/eclipse/che/issues/21346

amisevsk avatar May 31 '22 19:05 amisevsk

Hello, setting as P2 for now. Not sure how to handle the bug, because I assume https://github.com/eclipse/che/issues/20583 means that if OAuth is there then you need to accept the privileges to continue. The whole story is to be authenticated as soon as you're using the product using OAuth.

cc @l0rd for adjusting the priority

benoitf avatar Jun 01 '22 15:06 benoitf

This issue has been associated to this Dev Spaces issue but my understanding is this issue is about a Che cluster where OAuth has been configured whereas CRW-3201 is about a Dev Spaces cluster where OAuth has NOT been configured.

For this particular issue: we have sacrificed the UX for users that won't trust Che (a minority I hope) to improve the UX for users that want to git push from their workspace (the majority I hope). So all in all we have made some progress.

And yes, it would be cool to fix the problem for those that won't trust Che but:

  1. the fix should not affect the UX of those that want to git push from a workspace
  2. a workaround exists: create a secret with the personal access token

l0rd avatar Aug 02 '22 14:08 l0rd