wg
Lift OAuth restrictions to allow non-browser access
I’d like to use dedicated applications to simplify interaction with GH (GitHawk in this case), but it seems the org has OAuth restrictions in place which prevent certain write actions from those applications, e.g. commenting and adding labels. Is there any reason why we would want to prevent that?
@rust-embedded/resources
You should still be able to authenticate as an OAuth-enabled account using tokens.
@lafrenierejm Authentication works just fine; the problem seems to be that some actions are only allowed via the web interface but not via the OAuth-authenticated API.
I can't think of any reasons to disallow it, so long as it's still OAuth'd against your account. @japaric do you remember if there was a reason for this?
@adamgreig (or anyone who has permissions): you can fix this in https://github.com/organizations/rust-embedded/settings/oauth_application_policy
I'm not sure what the best course of action is here. Do people still want apps approved? It feels like only allowing approved apps to access organization data improves security, but given that the apps can only do what individuals with access could do anyway, perhaps that's not actually true. We have a handful of apps approved right now, like Docker Hub (no longer used), Homu, Coveralls, AppVeyor...
If all repos are public, what's the security risk in letting users use any apps they want, for example custom git clients?
The worry is some third party app is compromised (or is malicious, or is bought out, etc etc) -> has write access to widely used crates like embedded-hal and cortex-m -> sneaks a malicious commit in. I don't think it's hugely likely, but it does mean we're trusting not only the org members, but also all the apps they've logged in to.
True. I have no strong opinion then; either's fine by me.
We should make a decision whether to lift the restriction or not (or not yet), and close this issue.
I'm going with not yet, I've revoked some old applications (Travis... RIP), and if anyone wants a new application or thinks we should change the restrictions, please continue the discussion here.