We just switched our site to use GitHub Apps instead of GitHub OAuth. We very much like that it gives our users much more control over which repositories we can access.
However, we’re not directly talking to GitHub’s OAuth endpoint. Instead we’re using https://auth0.com/ in between. This has the negative effect that next to the green “Authorize Example Corp” button it says “Authorizing will redirect to http://example.auth0.com”. This can have a negative impact on the willingness of our users to accept this authorization. I’ll quote our CEO here:
This is not great. If I am a user (95% of which haven’t heard of Auth0), I might think any of the following things:
- “auth0” sounds like a L33T SP34K name, and it isn’t example.com. Did Example Corp get hacked?
- I’m going to check out auth0.com. Oh, it looks like a company that is collecting identities and data. Is Example Corp just a honeypot for some company to collect my identity and private data? (The auth0 homepage says stuff like “Transform your business with better engagement, improved conversion and increased revenue.” What does that have to do with Example Corp? Sounds spammy (since the user doesn’t know that it’s the auth provider)!)
- I guess I can trust Example Corp, but I’m not sure about this auth0 company. They seem like a huge target.
- Is Example Corp not big/smart enough to have their own auth endpoint? Is it a hackathon project?
Yes, none of these are very rational, but it still looks bad.
So what can we do about this? In my opinion the OAuth redirection URL is an implementation detail; it is nothing that the user should see. I hope we can find a good solution for this. I’ll also get in touch with Auth0 to see what they think.