GitHub Social accounts - new OAuth prompt

Hi,

If you have no RP using GitHub authentication, you are not affected and can disregard this message.

A new GitHub scope has been added which allows us to verify if an account has been authenticated with GitHub using MFA.

We will start prompting for this scope.

What does this mean?

Users that authenticate using GitHub accounts will receive a new OAuth authorization request the next time they log in, asking for “read-only access to your profile”.

This is a one-time prompt.

New users will get the usual authorization prompt that will include this request.

If curious, you can also test this here: https://testrp.security.allizom.org/

Tracking, comments, issues: https://github.com/mozilla/iam-project-backlog/issues/141

Do we want/need to do any messaging to users in advance of this so they understand why they’re being prompted?

As per https://github.com/mozilla/iam-project-backlog/issues/141, this is the communication.
I.e. there is no personalized per-user communication at this time (the change is live).