
Lessen required scopes #24

Open
dpi opened this issue Apr 30, 2023 · 3 comments · May be fixed by #25

Comments

@dpi

dpi commented Apr 30, 2023

Calling \League\OAuth2\Client\Provider\AbstractProvider::getResourceOwner in certain circumstances throws an exception.

When only the 'read:user' scope is configured and the authenticating user does not have a public email, eventually \League\OAuth2\Client\Provider\Github::fetchResourceOwnerDetails is called. The initial response has `$response['email'] = null`. This eventually leads to another request to the /emails endpoint. However, this endpoint won't load due to the configured scopes.

The following exception is thrown while trying to fulfill the request:

\League\OAuth2\Client\Provider\Exception\GithubIdentityProviderException

Code: 404
Message: {"message":"Not Found","documentation_url":"https://docs.github.com/rest/reference/users#list-email-addresses-for-the-authenticated-user"}

It should be possible to match the scopes required to load this endpoint before attempting it. As far as I can tell, the response doesn't necessarily require emails. Scopes needed: user or user:email per https://docs.github.com/en/apps/oauth-apps/building-oauth-apps/scopes-for-oauth-apps#available-scopes + https://docs.github.com/en/rest/users/emails?apiVersion=2022-11-28#list-email-addresses-for-the-authenticated-user.

The relevant lines for resolving emails were modified in the last 6 months.
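As an added example (not code from the oauth2-github library, nor from the issue author), here is one way to gate the /user/emails request on the scopes GitHub actually granted before attempting it, written in plain PHP with no library dependency so it runs stand-alone. It assumes the decoded /user response as an array and the comma-separated `scope` string GitHub returns alongside the access token (exposed by the client as `AccessToken::getValues()['scope']`); the names `canListEmails` and `resolveOwnerEmail`, the sample responses, and the choice to prefer the primary verified address are this example's own. In the library this logic would live in an override of `fetchResourceOwnerDetails` in a subclass of `\League\OAuth2\Client\Provider\Github` that only issues the second request when `canListEmails` returns true.

```php
<?php
declare(strict_types=1);

// Added example (not the oauth2-github library's code): gate the /user/emails
// request on the granted scopes, so a token holding only read:user never
// triggers the 404 described in the issue.

/** Scopes that permit GET /user/emails, per GitHub's OAuth scope documentation. */
const EMAIL_SCOPES = ['user', 'user:email'];

/**
 * GitHub returns the granted scopes in the token response as a comma-separated
 * string (e.g. "read:user,user:email"). $grantedScopes is assumed to be that
 * string; an empty string means no scopes were granted.
 */
function canListEmails(string $grantedScopes): bool
{
    $granted = array_filter(array_map('trim', explode(',', $grantedScopes)));
    return count(array_intersect(EMAIL_SCOPES, $granted)) > 0;
}

/**
 * Resolve the resource owner's email without issuing a request the token cannot
 * satisfy. $fetchEmails is a callable returning the decoded /user/emails array
 * and is only invoked when the granted scopes allow that endpoint.
 * Preferring the primary verified address is this example's choice.
 */
function resolveOwnerEmail(array $user, string $grantedScopes, callable $fetchEmails): ?string
{
    if (!empty($user['email'])) {
        return $user['email'];   // public profile email: no extra request needed
    }
    if (!canListEmails($grantedScopes)) {
        return null;             // missing scope: leave email unset instead of 404ing
    }
    foreach ($fetchEmails() as $entry) {
        if (!empty($entry['primary']) && !empty($entry['verified'])) {
            return $entry['email'];
        }
    }
    return null;
}

// Constructed sample data standing in for GitHub API responses.
$userWithoutPublicEmail = ['login' => 'octocat', 'id' => 1, 'email' => null];
$emailsEndpoint = fn(): array => [
    ['email' => 'octocat@example.com', 'primary' => true, 'verified' => true],
];
$neverCalled = function (): array {
    throw new RuntimeException('/user/emails must not be requested with these scopes');
};

// read:user only: email stays null and /user/emails is never requested.
var_dump(resolveOwnerEmail($userWithoutPublicEmail, 'read:user', $neverCalled));

// user:email granted: the primary verified address is resolved.
var_dump(resolveOwnerEmail($userWithoutPublicEmail, 'read:user,user:email', $emailsEndpoint));
```

The scope check is intentionally done against what the token response says was granted rather than against the scopes the application asked for, since a user can decline individual scopes on the GitHub authorization screen.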

@dpi
Author

dpi commented Apr 30, 2023

Looks like the relevant recently modified files from #20 #22 led to this change, perhaps intentionally.

I should be able to use this project without emails?

My desire is to claim that my integration does not collect emails, such that I don't need to have extensive privacy policies and get into less trouble with increasingly common data collection laws.

@dpi dpi changed the title Cannot login with user:read scope and no public emails Lessen required scopes Apr 30, 2023
@shadowhand
Member

That is a valid request. TBH, I haven't looked over the relevant changes that closely, but it certainly seems that we have drifted into territory where email has become a (soft) requirement.

If you would like to put together a PR, that would be appreciated. Otherwise, I will get to this when I have free time.

@dpi
Author

dpi commented Apr 25, 2024

Posted #25 for further discussion
