Enhance OAuth integration when user doesn't want to grant permissions

[ehsavoie]

Is your enhancement related to a problem? Please describe

I'm always frustrated when I use a Che instance with GitHub OAuth enabled and I want to use a GitHub project to get the devfile I want to use (dong something quite similar to using a devfile registry).
It asks for GitHub permissions which I don't want to grant. If I press Cancel then it keeps on asking them each time I'm opening the workspace. In the end it finished with a 500 Internal Error json message.

Describe the solution you'd like

I'd like Che to accept that I don't want to use OAuth to connect to my GitHub account and I don't want to use Che to do Git operations (in my case it is mostly demo) and stop bugging me about those permissions after I refused to grant them.

Describe alternatives you've considered

I've created a fork of my project on BitBucket because currently it is not integrated with OAuth but that's not going to be something that might be valid in the future.

Additional context

No response

[ibuziuk]

@ehsavoie thanks for reporting this enhancement, could you provide schematic UX mockup for OAuth opt out?
As an alternative you can configure PAT with from UD

[ibuziuk]

@vinokurig thinking about this issue from impl perspective, I'm wondering if user opt out from OAuth / presses Cancel, instead of 500 create a cm e.g. oauth-opt-out in the user namespace that would be an indicator that OAuth flow should not be used for such a user. This would require no UI changes on UD / OAuth flow end

[ehsavoie]

That would be my expectation. I don't know if the proper place would be the user or the workspace or the user/workspace combinaison

[ibuziuk]

workspace-preferences-configmap might be a good place for oauth opt out field

[vinokurig]

If I press Cancel then it keeps on asking them each time I'm opening the workspace. In the end it finished with a 500 Internal Error json message.

This is a bug. If oauth page is rejected workspace start must proceed with asking to use a default devfile.
@ibuziuk

thinking about this issue from impl perspective, I'm wondering if user opt out from OAuth / presses Cancel, instead of 500 create a cm e.g. oauth-opt-out in the user namespace that would be an indicator that OAuth flow should not be used for such a user. This would require no UI changes on UD / OAuth flow end

Do you think this should be workspace scope or user scope? I mean if an oauth is rejected for particular workspace, should we automatically reject oauth for all other workspaces, or just for the current?

[ibuziuk]

If oauth page is rejected workspace start must proceed with asking to use a default devfile.

well, but if the devfile is public we should use it and not fall back on default.
The problem described in this issue is that we require OAuth even for public repositories.

[vinokurig]

well, but if the devfile is public we should use it and not fall back on default.

This should be fixed by eclipse-che/che-dashboard#932 and eclipse-che/che-server#568

The problem described in this issue is that we require OAuth even for public repositories.

This was added on purpose, we did not use to ask the authorisation for public repos at all. As far as I understood #22499 (comment), we should ask the authorisation (even for public repos) but keep the decision in a config-map.

[ibuziuk]

we should ask the authorisation (even for public repos) but keep the decision in a config-map.

yes, we should initiate OAuth flow if configured for both public and private repos. If the user opt-out from OAuth, for public repos we should use the original devfile, for private we should use default similar to what was done for #22488

[ibuziuk]

after a discussion with @l0rd it was decided that opt-out should be implemented on the provider level, not the workspace.
e.g. if user rejected OAuth once for particular provider, we should not ask again on subsequent workspaces startups