GitHub OAuth Permissions

(Ricky C.) #1

I’ve actually brought this up before in an email support request, but I was wondering if there were any plans to create more granular permissions around the OAuth authorizations page. I want to authorize GitHub Classroom to access my GitHub account, but it would authorize permissions across every organization I am a part of. While I don’t foresee this being a problem with GitHub Classrooms (being owned by GitHub), I’m always wary of third-party applications having access to every repository I am a part of. In this case, it feels especially dangerous since the app has access to delete any adminable repository. If a client provides me with admin access to their GitHub account, why would I want GitHub Classroom to have access to their org?

(John Britton) #2

@rickyc You can enable third-party access restrictions for your GitHub organizations.

With this setting enabled, you are able to choose which organizations each OAuth application gets access to on GitHub.

(Ricky C.) #3

Thanks! The issue occurs when the organization does not restrict third party access by default and I am given some level of admin privilege. If I grant access to App A, then every sequential app will be authorized to have access. I think this image depicts the problem. As you can see once I’ve granted access, I can’t revoke authorization on an organization level.

(John Britton) #4

Yes, this is a limitation of the platform and the only solution is to enable third party access restrictions for your organization.

If you don’t have access to do that, I’d suggest contacting an organization administrator. We have made the setting a default for new organizations, but there’s no way for us to migrate organizations created before that feature without an administrator being involved.

As you can see once I’ve granted access, I can’t revoke authorization on an organization level.

From your account settings, you can select Authorized Applications and then choose the GitHub Classroom application from the list. On that page you will see a list of all the organizations the application has access to and you can revoke access to any organization that has third party access restrictions enabled.

(Ricky C.) #5

Thanks for the clarification John! I was going to suggest enabling the third party restriction by default, but I realized that’s already the case. Looks like legacy accounts didn’t have it enabled, which makes sense. Thanks again! I’ll try to get it sorted out on my end.

(John Britton) #6

You’re welcome, glad that it’s sorted.

(Rob Muhlestein) #7

Just wanted to mention that setting up an additional organization for a class, course, or school gets around a lot of these concerns as far as I know. Then I keep the main organization locked down, which controls and maintains the textbook type repos as well as the workbook starters.

(Kristóf Csorba) #8

Hi Everyone! Related to this: I had some students creating repositories with politically unacceptable names. To prevent GitHub from automatically disabling the whole organization again for such reasons, I immediately removed the repository and, to be sure, removed the authentication of Classroom using the Authorized Applications menu. Now Classroom does not see the repositories and asks me to re-authenticate it, but I do not see how to do it. Logging in and out does nothing. How can I make Classroom re-ask for an authentication token? Thanks!

(Andrew D Wolfe Jr, MSCS) #9

Hi, I’m glad the original poster considers this solved, but I don’t. GitHub classroom only needs to be authorized for one organization at a time. When a student accepts an assignment, she/he would naturally be wary that GitHub Classroom will only work by getting access to all her/his organizations.

If my students are members of other organizations, I won’t know about that organization and neither I nor they can restrict third-party access.

Why doesn’t Classroom only ask for the single classroom organization?