Feedback on GitHub App authentication flow


#1

Hi folks,

I’m currently implementing a GitHub App, and ended up spending a fair bit of time considering using both OAuth (for login, including user email and orgs scopes) and App Installation (for fine grained permissions). I don’t think I’ll go down that route, but it’s taken a while to come to that conclusion.

Obtaining the user email frictionlessly on signup is one of the reasons for this, which a few folks on here have cited.

The other issue I have when using GitHub App for authenticating users is that the permissions that the App requests are not particularly intuitive:

I found this login really confusing both from a developer perspective and from a user perspective.

Developer-wise the page doesn’t reflect the app permissions that I’d be requesting at install, and it took quite a while before understanding why that made sense, and why login and installation are separate steps.

User-wise, the content doesn’t fit my expectations for what kind of permission grants I’d expect to see - “Resources” and “Actions” are really high level concepts, when really all I want to know is that the App is requesting the absolute minimum necessary permissions to verify the user identity and perform login.

Given how important frictionless on-boarding is it’d be great to see if there’s any scope for changing the UI there, or internally taking a look at what ratio of users successfully sign through on those pages vs. signing through a comparably minimal OAuth sign-in.

Thanks so much!

Tom
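The two flows the post contrasts, as an added example that is not part of the original post and not GitHub's own code: a GitHub App authenticates as itself with a short-lived RS256 JWT and swaps it for an installation token carrying the installation's fine-grained permissions, while the frictionless login path goes through a separate OAuth authorize redirect with a minimal scope set. The app ID, installation ID, client ID, redirect URI and the throwaway RSA key are constructed for the demo; the endpoint URLs and the JWT claim rules (iat backdated for clock drift, exp no more than 10 minutes out) follow GitHub's published documentation.

```go
package main

import (
	"crypto"
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
	"encoding/base64"
	"encoding/json"
	"errors"
	"fmt"
	"net/url"
	"strings"
	"time"
)

// AppClaims are the only claims GitHub expects in an App JWT.
type AppClaims struct {
	Iat int64  `json:"iat"`
	Exp int64  `json:"exp"`
	Iss string `json:"iss"` // the App ID issued when the app was registered
}

var b64 = base64.RawURLEncoding

// AppJWT builds the RS256-signed JWT a GitHub App sends as a Bearer token to
// app-level endpoints. iat is backdated 60 s to tolerate clock drift and the
// total lifetime stays within GitHub's 10-minute maximum.
func AppJWT(appID string, key *rsa.PrivateKey, now time.Time) (string, error) {
	header, _ := json.Marshal(map[string]string{"alg": "RS256", "typ": "JWT"})
	claims, err := json.Marshal(AppClaims{
		Iat: now.Add(-60 * time.Second).Unix(),
		Exp: now.Add(9 * time.Minute).Unix(),
		Iss: appID,
	})
	if err != nil {
		return "", err
	}
	signingInput := b64.EncodeToString(header) + "." + b64.EncodeToString(claims)
	digest := sha256.Sum256([]byte(signingInput))
	sig, err := rsa.SignPKCS1v15(rand.Reader, key, crypto.SHA256, digest[:])
	if err != nil {
		return "", err
	}
	return signingInput + "." + b64.EncodeToString(sig), nil
}

// VerifyAppJWT checks the signature against the app's public key and the
// lifetime rule, returning the claims. A self-check before the token leaves
// the process catches a wrong key file or a misconfigured clock early.
func VerifyAppJWT(token string, pub *rsa.PublicKey, now time.Time) (AppClaims, error) {
	var c AppClaims
	parts := strings.Split(token, ".")
	if len(parts) != 3 {
		return c, errors.New("malformed JWT")
	}
	sig, err := b64.DecodeString(parts[2])
	if err != nil {
		return c, err
	}
	digest := sha256.Sum256([]byte(parts[0] + "." + parts[1]))
	if err := rsa.VerifyPKCS1v15(pub, crypto.SHA256, digest[:], sig); err != nil {
		return c, fmt.Errorf("bad signature: %w", err)
	}
	payload, err := b64.DecodeString(parts[1])
	if err != nil {
		return c, err
	}
	if err := json.Unmarshal(payload, &c); err != nil {
		return c, err
	}
	if c.Exp-c.Iat > 600 || now.Unix() >= c.Exp {
		return c, errors.New("JWT lifetime exceeds 10 minutes or already expired")
	}
	return c, nil
}

// InstallationTokenRequest is the shape of the call that exchanges the App
// JWT for a short-lived installation token scoped to that installation's
// granted permissions. Only the request is built here; nothing is sent.
type InstallationTokenRequest struct{ Method, URL, Authorization string }

func NewInstallationTokenRequest(installationID int64, jwt string) InstallationTokenRequest {
	return InstallationTokenRequest{
		Method:        "POST",
		URL:           fmt.Sprintf("https://api.github.com/app/installations/%d/access_tokens", installationID),
		Authorization: "Bearer " + jwt,
	}
}

// OAuthLoginURL builds the authorize URL for the separate user-login step,
// requesting only the scopes named in the post. state is a caller-generated
// CSRF token that must be compared on the callback.
func OAuthLoginURL(clientID, redirectURI, state string, scopes []string) string {
	q := url.Values{}
	q.Set("client_id", clientID)
	q.Set("redirect_uri", redirectURI)
	q.Set("scope", strings.Join(scopes, " "))
	q.Set("state", state)
	return "https://github.com/login/oauth/authorize?" + q.Encode()
}

func main() {
	// Constructed throwaway key and IDs; a real App loads the PEM GitHub issued.
	key, _ := rsa.GenerateKey(rand.Reader, 2048)
	now := time.Now()
	tok, err := AppJWT("123456", key, now)
	if err != nil {
		panic(err)
	}
	claims, err := VerifyAppJWT(tok, &key.PublicKey, now)
	if err != nil {
		panic(err)
	}
	fmt.Printf("app JWT iss=%s lifetime=%ds\n", claims.Iss, claims.Exp-claims.Iat)
	req := NewInstallationTokenRequest(98765, tok)
	fmt.Println(req.Method, req.URL)
	state := make([]byte, 16)
	rand.Read(state)
	fmt.Println(OAuthLoginURL("Iv1.example", "https://example.test/callback",
		b64.EncodeToString(state), []string{"user:email", "read:org"}))
}
```

The installation token returned by the POST is what the app should use for repository work; the App JWT itself only ever touches the `/app` endpoints and is never handed to a user session. The OAuth redirect is what the user actually sees at sign-in, which is why its scope list, not the installation's permission set, is what the login page reflects.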


#2

:wave: @tomchristie,

Thanks for the feedback and outlining your concerns, especially around clarifying that the app is requesting minimal permissions. I agree that’s important.

We are currently thinking about the UX around this page and flow. We don’t have any improvements in the works at the moment, but these thoughts have been added to our considerations.