New GitHub Apps authorization page may irritate users


#1

Hi!

We just switched our site to use GitHub Apps instead of GitHub OAuth. We like a lot that it gives our users much more control over which repositories we can access.

However, we’re not directly talking to GitHub’s OAuth endpoint. Instead we’re using https://auth0.com/ in between. This has the negative effect that next to the green “Authorize Example Corp” button it says “Authorizing will redirect to http://example.auth0.com”. This can have a negative impact on the willingness of our users to accept this authorization. I’ll quote our CEO here:

This is not great. If I am a user (95% of which haven’t heard of Auth0), I might think any of the following things:

  • “auth0” sounds like a L33T SP34K name, and it isn’t example.com. Did Example Corp get hacked?
  • I’m going to check out auth0.com. Oh, it looks like a company that is collecting identities and data. Is Example Corp just a honeypot for some company to collect my identity and private data? (The auth0 homepage says stuff like “Transform your business with better engagement, improved conversion and increased revenue.” What does that have to do with Example Corp? Sounds spammy (since the user doesn’t know that it’s the auth provider)!)
  • I guess I can trust Example Corp, but I’m not sure about this auth0 company. They seem like a huge target.
  • Is Example Corp not big/smart enough to have their own auth endpoint? Is it a hackathon project?
Yes, none of these are very rational, but it still looks bad.

So what can we do about this? In my opinion the OAuth redirection URL is an implementation detail, it is nothing that the user should see. I hope we can find a good solution for this. I’ll also get in touch with Auth0 to see what they think.

Best,
Richard


#2

Hey there Richard,

Thanks again for writing in and sharing your thoughts about the GitHub Apps feature! The team found your notes very helpful and offered some context around the way this was designed.

Our team wanted to let users make a more conscious decision when hitting the Authorize button. In terms of implementation, they built an interface including a callback URL in the Authorization page so users are more aware of where they are going after they leave GitHub.

They don’t have any plans on changing how it’s currently set up. However, they’re aware of your experiences and have considered them for future iterations of the feature.

I hope those insights help, but let me know if you have any other questions about this!

– Francis


#3

Hi Francis,

Thanks for your response. Seems like the only solution will be for Auth0 to support some kind of CNAME setup.

Best,
Richard
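The thread turns on one detail of the OAuth flow: the host in the `redirect_uri` parameter is what GitHub displays next to the Authorize button, so an intermediary like an Auth0 tenant domain is exposed to the user. As an added example (not code from the thread, Auth0 or GitHub), the snippet below builds the authorization URL the way a client does and runs the pre-release check a reviewer would want: does the redirect host sit under the product's own domain, and is it https. The custom-domain value `login.example.com` stands in for the CNAME setup Richard mentions and is assumed, as are the placeholder client id and state.

```python
from urllib.parse import urlencode, urlparse, parse_qs

GITHUB_AUTHORIZE = "https://github.com/login/oauth/authorize"


def build_authorize_url(client_id: str, redirect_uri: str, state: str) -> str:
    """Build the GitHub authorization URL the way an OAuth / GitHub App client does.

    The host of redirect_uri is what GitHub shows the user as the destination
    after they click Authorize, so it is user-facing, not an internal detail.
    """
    params = {"client_id": client_id, "redirect_uri": redirect_uri, "state": state}
    return f"{GITHUB_AUTHORIZE}?{urlencode(params)}"


def redirect_target(authorize_url: str):
    """Return (scheme, hostname) of the redirect_uri parameter, or (None, None)."""
    query = parse_qs(urlparse(authorize_url).query)
    values = query.get("redirect_uri")
    if not values:
        return None, None
    parsed = urlparse(values[0])
    return parsed.scheme, parsed.hostname


def audit_redirect(authorize_url: str, app_domain: str) -> list:
    """Findings to raise before shipping a login flow.

    - redirect host not under the product's own domain: users see a third-party
      name on the consent page (the trust problem described in the thread)
    - redirect scheme not https: the authorization code would travel in clear text
    """
    findings = []
    scheme, host = redirect_target(authorize_url)
    if host is None:
        return ["redirect_uri missing"]
    if not (host == app_domain or host.endswith("." + app_domain)):
        findings.append(f"redirect host {host} is not under {app_domain}")
    if scheme != "https":
        findings.append(f"redirect scheme is {scheme}, not https")
    return findings


# Constructed sample values: client id and state are placeholders, and
# login.example.com is a hypothetical custom (CNAME) domain for the IdP.
VIA_AUTH0 = build_authorize_url(
    "CLIENT_ID_PLACEHOLDER", "http://example.auth0.com/login/callback", "STATE_PLACEHOLDER"
)
VIA_CUSTOM = build_authorize_url(
    "CLIENT_ID_PLACEHOLDER", "https://login.example.com/login/callback", "STATE_PLACEHOLDER"
)

if __name__ == "__main__":
    for name, url in (("auth0 tenant", VIA_AUTH0), ("custom domain", VIA_CUSTOM)):
        print(name, audit_redirect(url, "example.com") or ["ok"])
```

Run stand-alone, the first case reports the third-party host (and the plain-http scheme from the quoted message), the second reports nothing: with the IdP served from a domain under `example.com`, GitHub's page would name the product's own domain, which is the outcome the CNAME setup in post #3 is after.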