---
kind: change
title: OAuth changes coming
created_at: 2013-10-04
author_name: tclem
---
Starting today, we are returning granted scopes as part of the
[access_token response](/v3/oauth/#github-redirects-back-to-your-site).
For example, if you make the POST with the `application/json`
MIME type, you'll see an additional `scope` field listing the granted scopes.
<pre><code class="language-javascript">
{
  "access_token":"e72e16c7e42f292c6912e7710c838347ae178b4a",
  "scope":"repo,gist",
  "token_type":"bearer"
}
</code></pre>
Right now, these scopes will be identical to what you requested, but we
are moving towards a feature set that will allow GitHub users to edit
their scopes, effectively granting your application less access than you
originally requested. You should be aware of this possibility and adjust
your application behavior accordingly.
Some things to watch out for and keep in mind:
- Most third-party applications that use GitHub OAuth to identify users have
the best adoption when they start by requesting the minimum access the
application can possibly get away with. Something like no scopes or just
`user:email` is very sane.
- It is important to handle the error cases where a user chooses to
grant you less access than you originally requested. Now that we are
surfacing the granted scopes on the access_token response, applications
can warn or otherwise communicate with their users that they will see
reduced functionality or be unable to perform some actions.
- Applications can always send users back through the flow again to get
additional permission, but don't forget that users can always say no.