I’m currently implementing a GitHub App, and ended up spending a fair bit of time considering using both OAuth (for login, including user email and orgs scopes) and App Installation (for fine grained permissions). I don’t think I’ll go down that route, but it’s taken a while to come to that conclusion.
Obtaining the user email frictionlessly on signup is one of the reasons for this, which a few folks on here have cited.
The other issue I have when using GitHub App for authenticating users is that the permissions that the App requests are not particularly intuitive:
I found this login really confusing both from a developer perspective and from a user perspective.
Developer-wise the page doesn’t reflect the app permissions that I’d be requesting at install, and it took quite a while before understanding why that made sense, and why login and installation are separate steps.
User-wise, the content doesn’t fit my expectations for what kind of permission grants I’d expect to see - “Resources” and “Actions” are really high level concepts, when really all I want to know is that the App is requesting the absolute minimum necessary permissions to verify the user identity and perform login.
Given how important frictionless on-boarding is it’d be great to see if there’s any scope for changing the UI there, or internally taking a look at what ratio of users successfully sign through on those pages vs. signing through a comparably minimal OAuth sign-in.
Thanks so much!
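As an added illustration of the OAuth login path the post contrasts with GitHub App installation (this is example code, not the poster's app and not GitHub's own client library): the helper below builds the authorize URL with only the `user:email` and `read:org` scopes, binds the redirect to a random `state` value checked in constant time on the callback, exchanges the code for a token, and then reads `/user/emails`, trusting only a *verified* address for signup. The HTTP transport is injected so the flow runs offline against a constructed fake; `CLIENT_ID_PLACEHOLDER` and the example URLs are placeholders, not real values.

```python
import hmac
import secrets
import urllib.parse

GITHUB_AUTHORIZE_URL = "https://github.com/login/oauth/authorize"
GITHUB_TOKEN_URL = "https://github.com/login/oauth/access_token"
GITHUB_API = "https://api.github.com"

# Minimal scopes for a login that needs the user's email and org membership
# (the two scopes the post mentions). A GitHub App uses the same authorize
# endpoint, but ignores `scope`: its permissions are fixed in the app config,
# which is why its consent page looks different from an OAuth App's.
LOGIN_SCOPES = ("user:email", "read:org")


def build_authorize_url(client_id, redirect_uri, state, scopes=LOGIN_SCOPES):
    params = {
        "client_id": client_id,
        "redirect_uri": redirect_uri,
        "scope": " ".join(scopes),
        "state": state,
    }
    return GITHUB_AUTHORIZE_URL + "?" + urllib.parse.urlencode(params)


def new_state():
    # Unguessable per-login value; store it server-side in the session.
    return secrets.token_urlsafe(32)


def state_matches(expected, received):
    # Constant-time compare so the callback cannot be used to probe the value.
    return hmac.compare_digest(expected or "", received or "")


def exchange_code(http_post_json, client_id, client_secret, code, redirect_uri):
    body = {
        "client_id": client_id,
        "client_secret": client_secret,
        "code": code,
        "redirect_uri": redirect_uri,
    }
    resp = http_post_json(GITHUB_TOKEN_URL, body, headers={"Accept": "application/json"})
    if "access_token" not in resp:
        raise ValueError("token exchange failed: %s" % resp.get("error", "unknown"))
    return resp["access_token"]


def primary_verified_email(http_get_json, token):
    """GET /user/emails (needs the user:email scope). Only a verified address
    may be used to create or link an account: an unverified one could have
    been typed in by anyone, so it must not drive account matching."""
    emails = http_get_json(GITHUB_API + "/user/emails", token)
    for entry in emails:
        if entry.get("primary") and entry.get("verified"):
            return entry["email"]
    for entry in emails:  # fall back to any verified address
        if entry.get("verified"):
            return entry["email"]
    return None  # caller must ask the user to verify an email instead


def complete_login(http_post_json, http_get_json, client_id, client_secret,
                   redirect_uri, expected_state, callback_query):
    """Callback handler: validate state, exchange the code, fetch identity."""
    query = urllib.parse.parse_qs(callback_query)
    if not state_matches(expected_state, query.get("state", [""])[0]):
        raise PermissionError("state mismatch: redirect not issued by this session")
    code = query.get("code", [""])[0]
    token = exchange_code(http_post_json, client_id, client_secret, code, redirect_uri)
    user = http_get_json(GITHUB_API + "/user", token)
    return {"login": user["login"], "email": primary_verified_email(http_get_json, token)}


# --- constructed fake transport, standing in for GitHub during the demo ---
def fake_post_json(url, body, headers=None):
    if url == GITHUB_TOKEN_URL and body.get("code") == "good-code":
        return {"access_token": "gho_fake", "token_type": "bearer", "scope": "read:org,user:email"}
    return {"error": "bad_verification_code"}


def fake_get_json(url, token):
    if token != "gho_fake":
        return {}
    if url.endswith("/user"):
        return {"login": "octocat"}
    if url.endswith("/user/emails"):
        # Primary address is unverified on purpose; the verified one must win.
        return [
            {"email": "unverified@example.com", "primary": True, "verified": False},
            {"email": "octocat@example.com", "primary": False, "verified": True},
        ]
    return {}


if __name__ == "__main__":
    st = new_state()
    print(build_authorize_url("CLIENT_ID_PLACEHOLDER", "https://app.example/callback", st))
    print(complete_login(fake_post_json, fake_get_json, "CLIENT_ID_PLACEHOLDER",
                         "SECRET_PLACEHOLDER", "https://app.example/callback",
                         st, "code=good-code&state=" + st))
```

Swapping the fake transport for real HTTP calls is the only change needed to run this against GitHub; the `state` check and the verified-email rule are the two parts worth keeping identical whichever login method is chosen.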