
Lessen required scopes

Open dpi opened this issue 2 years ago • 4 comments

Calling \League\OAuth2\Client\Provider\AbstractProvider::getResourceOwner in certain circumstances throws an exception.

When only the 'read:user' scope is configured and the authenticating user does not have a public email, eventually \League\OAuth2\Client\Provider\Github::fetchResourceOwnerDetails is called. The initial response has $response['email'] = null. This eventually leads to another request to the /emails endpoint. However, this endpoint won't load due to the configured scopes.

The following exception is thrown while trying to fulfill the request:

\League\OAuth2\Client\Provider\Exception\GithubIdentityProviderException

Code: 404 Message: {"message":"Not Found","documentation_url":"https://docs.github.com/rest/reference/users#list-email-addresses-for-the-authenticated-user"}

It should be possible to match scopes required to load this endpoint before attempting. As far as I can tell the response doesn't necessarily require emails. Scopes needed: user or user:email per https://docs.github.com/en/apps/oauth-apps/building-oauth-apps/scopes-for-oauth-apps#available-scopes + https://docs.github.com/en/rest/users/emails?apiVersion=2022-11-28#list-email-addresses-for-the-authenticated-user.

The relevant lines for resolving emails were modified in the last 6 months.

dpi avatar Apr 30 '23 11:04 dpi
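The scope-gating the issue asks for, as an added illustration that is not code from thephpleague/oauth2-github: the granted scopes (GitHub reports them in the X-OAuth-Scopes response header; here they are passed in explicitly) are checked against the two scopes the linked docs name for the emails endpoint, and the extra request is skipped rather than attempted when neither is present. The `$fetchEmails` callable, the function names and the sample payloads are assumptions made for this example.

```php
<?php
// Added example for this issue, not code from the oauth2-github provider.
// Assumption: the caller already knows which scopes the token was granted
// (GitHub returns them in the X-OAuth-Scopes header of API responses).

declare(strict_types=1);

/**
 * Scopes that authorize GET /user/emails for the authenticated user,
 * per the GitHub docs linked above: "user" or "user:email".
 */
const EMAIL_SCOPES = ['user', 'user:email'];

/**
 * True only if at least one granted scope permits listing the user's emails.
 */
function canListEmails(array $grantedScopes): bool
{
    foreach ($grantedScopes as $scope) {
        if (in_array(trim($scope), EMAIL_SCOPES, true)) {
            return true;
        }
    }
    return false;
}

/**
 * Resolve a resource owner's email without issuing a request the token cannot satisfy.
 * $profile is the decoded GET /user payload; $fetchEmails is a hypothetical hook that
 * performs the GET /user/emails call, injected so this example runs offline.
 * Returns null when no email is public and the token is not allowed to fetch one,
 * which is the data-minimizing outcome the issue wants instead of a 404 exception.
 */
function resolveEmail(array $profile, array $grantedScopes, callable $fetchEmails): ?string
{
    if (!empty($profile['email'])) {
        return $profile['email'];   // public email present, nothing more to fetch
    }
    if (!canListEmails($grantedScopes)) {
        return null;                // not authorized for /user/emails: skip the call
    }
    foreach ($fetchEmails() as $entry) {
        // Prefer the primary, verified address, mirroring what the endpoint exposes.
        if (($entry['primary'] ?? false) && ($entry['verified'] ?? false)) {
            return $entry['email'];
        }
    }
    return null;
}

// Constructed sample data, not a real GitHub response.
$profile = ['login' => 'octocat', 'id' => 1, 'email' => null];
$emailsCall = function (): array {
    return [['email' => 'octocat@example.com', 'primary' => true, 'verified' => true]];
};

// With only read:user the emails call is never made and the email stays null;
// with user:email granted the primary verified address is returned.
var_dump(resolveEmail($profile, ['read:user'], $emailsCall));
var_dump(resolveEmail($profile, ['read:user', 'user:email'], $emailsCall));
```

The check is deliberately done on the token's actual granted scopes rather than on the scopes the application requested, since a user can decline scopes during authorization and the two sets need not match.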

Looks like the relevant recently modified files from #20 #22 lead to this change, perhaps intentionally.

I should be able to use this project without emails?

My desire is to claim that my integration does not collect emails, such that I don't need to have extensive privacy policies and get into less trouble with increasingly common data collection laws.

dpi avatar Apr 30 '23 11:04 dpi

That is a valid request. TBH, I haven't looked over the relevant changes that closely, but it certainly seems that we have drifted into territory where email has become a (soft) requirement.

If you would like to put together a PR, that would be appreciated. Otherwise, I will get to this when I have free time.

shadowhand avatar May 01 '23 12:05 shadowhand

Posted https://github.com/thephpleague/oauth2-github/pull/25 for further discussion

dpi avatar Apr 25 '24 09:04 dpi

Running into the same problem. Having the email as a hard requirement (not so soft when an exception is thrown) is not great in terms of privacy etc.

@shadowhand any update whether this introduced requirement can be reverted again? Thanks for your work.

distantnative avatar Jul 09 '24 11:07 distantnative

I ran into the same issue, while trying to access a Github user profile without a public email address.

During debugging, I recognized that the root cause for this issue is a typo in the default scope:

In (#26), I provided a pull request, which fixes this issue.

Jefferson49 avatar Aug 31 '24 05:08 Jefferson49

Fixed in version 3.1.1.

shadowhand avatar Sep 03 '24 10:09 shadowhand