Selectively showing "act on your behalf" warning for GitHub Apps is in public preview #184117
Replies: 4 comments 1 reply
"Know which resources you can access" is interesting. Can I not give it a list of all things I can access? I really just want to let it know that I control https://github.com/jsoref/
As someone who, before risking granting access to my data, spent 30 minutes searching for what this frightening text meant, only to find it was a UX bug that had been reported as an issue in 2022: thank you for listening.
I just feel free for this, but I think this will become a great change.
What about auth systems that require org read to enumerate team membership?
Today we've released an update to the consent page to be less alarming when using GitHub Apps only as a form of sign-in. The consent page for GitHub Apps, where a user decides whether to authorize an app or not, has been updated to only show the "Act on your behalf" note if the app is going to access resources or make writes on the user's behalf.
Many GitHub Apps sign users in as a sign-in service. They don't actually access any data on GitHub; they just want to know who the user is as the basis for an account system. We found that upwards of 50% of application authorizations were of this nature, requesting only the ability to read user profile data. In all of these cases, the user signing in was met with a warning that the app would be allowed to act on behalf of the user, followed by a list of permissions it would be able to leverage. When the app was only asking to read the user's profile, this was confusing to the end user: what else would the app be allowed to do? This confusion resulted in support tickets for developers and in users choosing not to sign in because they thought it was a security risk.
This change removes the "Act on your behalf" note in the consent page if the app is requesting only read permissions against the user account itself. If the app is requesting any kind of repository, organization, or enterprise permission (read or write) then the note still appears. This allows applications to sign in users and get their profile information and email addresses (if requested) without undue alarm.
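The rule stated above, encoded as a check an app developer can run over the permission set they plan to request (for instance from an app manifest) before publishing, to see whether sign-in users will still be shown the note and which permissions cause it. This is an added example, not GitHub's code: the permission names and their grouping by resource are assumptions for illustration, and names the check does not recognise are treated conservatively as triggering the note, which the announcement does not address.

```python
"""Check a GitHub App permission set against the consent-page rule from the
announcement: the "Act on your behalf" note is suppressed only when every
requested permission is a read-only permission on the user account itself.
Any repository, organization or enterprise permission (read or write), and
any write permission, brings the note back.

The permission names and their grouping below are assumptions for
illustration; consult GitHub's documentation for the actual permission list.
"""

# Assumed grouping of permission names by the resource they apply to.
USER_ACCOUNT = {"emails", "profile", "followers", "gpg_keys", "git_ssh_keys"}
REPOSITORY = {"contents", "issues", "pull_requests", "metadata", "checks"}
ORGANIZATION = {"members", "organization_administration", "organization_projects"}
ENTERPRISE = {"enterprise_administration"}


def classify(name):
    """Map a permission name to the resource it covers, or None if unknown."""
    if name in USER_ACCOUNT:
        return "user"
    if name in REPOSITORY:
        return "repository"
    if name in ORGANIZATION:
        return "organization"
    if name in ENTERPRISE:
        return "enterprise"
    return None


def act_on_behalf_reasons(permissions):
    """Return (permission, level, reason) tuples that trigger the note.

    `permissions` maps permission name to access level ("read" or "write").
    An empty result means the app looks like a pure sign-in app and the
    consent page will not show the note.
    """
    reasons = []
    for name, level in sorted(permissions.items()):
        scope = classify(name)
        if scope is None:
            # Assumption: unknown names are flagged so a human reviews them.
            reasons.append((name, level, "unrecognised permission; review manually"))
        elif scope != "user":
            # Repository, organization and enterprise permissions always trigger it.
            reasons.append((name, level, f"{scope} permission"))
        elif level != "read":
            # Only read-only access to the user account is exempt.
            reasons.append((name, level, "write access to the user account"))
    return reasons


def shows_act_on_behalf(permissions):
    """True if the consent page would still show the "Act on your behalf" note."""
    return bool(act_on_behalf_reasons(permissions))


if __name__ == "__main__":
    # Constructed sample: a sign-in-only app versus one that also reads org membership.
    for perms in ({"profile": "read", "emails": "read"},
                  {"profile": "read", "members": "read"}):
        print(perms, "->", act_on_behalf_reasons(perms) or "sign-in only, no note")
```

Running the sample shows the second set still produces the note because of the organization permission, which is the situation raised in the comment about auth systems that need org read to enumerate team membership: under the rule as announced, that app is not treated as sign-in only.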
Before: (screenshot of the consent page, not included in this copy)

After: (screenshot of the consent page, not included in this copy)
If you have any thoughts or comments, feel free to drop a message below!