GitHub App installation "act on your behalf" warning

[nehzata]

Hi,

I have an app configured with read-only access to user's email address, read-only metadata access & read-only repository content access.

When users try to install the app though they are warned that my app will "Act on your behalf", which is leading to a very negative user experience. Is there anything I can do? Is it something I've done wrong? Can I reconfigure the app in any way to remove this warning?

The number one question I'm currently getting is "Why does your app need to act on my behalf?"

Thanks in advance!
Ali,

[Ehesp]

Relevant issue which seems to be top on Google searches: cirruslabs/cirrus-ci-docs#751

[nehzata]

@Ehesp Yeh, this thread also comes up, which seems to suggest that warning is there even in the case of 0 permission apps. I plan to test it today to see.

[Ehesp]

That is correct - we have an app with zero permissions (with the mindset of adding more in the future) and also have this issue.

[fanhaixing999]

is it dangerous my github？
github dont like thoseactivitys

[johnnyreilly]

Would be very interested in seeing a resolution to this - the prompt below is too scary to agree to

[ossanna16]

Hi there @nehzata and welcome to our community! Thank you for asking a great question 🙂

[nehzata]

Hi @ossanna16 Thank you! Would you be able to advise what the best course of action here would be?

[ossanna16]

@timrogers Are you able to help @nehzata out here?

[nehzata]

@martinwoodward Sorry for pinging like this. Could you please assist?

[hpsin]

Hey all,
Definitely understand that this isn't the most understandable UI phrasing. We're looking at better ways of phrasing this or removing it entirely since all it means is that the app gets to interact with these permissions in your name.

Would updating the permissions individually to explain the permission make more sense? E.g. "Open and close issues in your name" or "Open and close issues using your identity"? Neither is immediately clear that everyone else will see you closing those issues.

[johnnyreilly]

That would be an improvement, yes. Right now I avoid accepting as I don't want to allow blanket permissions which might involve altering source code / shipping releases etc

[Ehesp]

100% an improvement.

There is no issues showing what permissions you are trying to acquire from a user, but 'act on your behalf' is so generic it could mean literally anything, which is especially odd when you can not request any permissions but the message still shows.

[spydon]

@hpsin I guess this hasn't been prioritised in 2023 either?

[jsoref]

@hpsin:

1. If it only gets access to specific resources, then it should say "See a subset of the resources you can access -- which you can adjust (learn more)"

2. If it has no permissions to act on a user's behalf then the line-item should disappear.

3. I'm not quite sure why there's a section called "Resources on your account" -- I wouldn't call email addresses "Resources"

4. If it has permissions where a normal observer would see the app acting on a user's behalf then the item should be of the form:

   Perform the following actions on your behalf:

[nehzata]

@hpsin thanks for responding to this!

Yes that would be great but I worry that it's going to take a long time to implement.

Can I also suggest for now changing the warning to read "May be able to act on your behalf" and updating the docs behind the "Learn more" link? The wording in the linked docs further reinforces the the wrong impression.

[akostadinov]

Not really helpful this. I want to know what app can do exactly. This "maybe" could be even more alarming.

[JonRowe]

As a maintainer I had to think long and hard about allowing this dialouge, check the source of the app to see if it was legit and vet the background of the author a bit as it doesn't say what it can do on my behalf, this message should definietly explain the scope of what the app can do, and allow us to limit that scope.

[jdevfullstack]

as for me, it's just a generic message from GitHub, what you can do is to put the complete information about your app in README and any other possible site for the users

[coryvirok]

I get this with an app that has 0 permissions requested. I would expect that for an app with 0 permissions requested, only the first of the following 3 messages would appear in the authorize UI.

• Verify your GitHub identity (coryvirok)
• Know which resources you can access
• Act on your behalf

Verify your GitHub identity (coryvirok)

✅ This makes sense me as a developer as well as a consumer of an app that is requesting 0 permissions. The very fact that I'm adding the app to my GitHub account in order to provide SSO to my site would mean that my site is going to be able to verify my identity on GitHub.

Know which resources you can access

❌ This doesn't make sense to show for a GitHub app since the user is going to be able to select which resources the app has access to. Meaning, the app will only be able to know which resources belong to the user if the user selects them.

As a user of the app, this makes me wonder if the app is able to see resources outside of the ones I've selected.

Act on your behalf

❌ This doesn't make sense to show unless there is some sort of a write: permission requested by the app.

If at all possible, I'd like to never use a user-to-server token which would mean my app would always interact with GitHub using the installation token. Which means I would never be acting on the user's behalf.

[domfarolino]

Is there any update on this? I have a simple GitHub Application that asks for read-only information to public data just to hit the GitHub API with authentication (to avoid the public rate limit) and users are asking why the app says it can "Act on your behalf."

[p0358]

I want to point out that in my case I had this issue only on GitHub app created on my profile. For my use-case it was fine to create OAuth app on organization rather than GitHub app, and that one doesn't have this "Act on your behalf" thing, apparently

vs

Worth noting that the URL and scopes are the exact same in both cases

[adi3]

Bump on this thread. Any update from the GitHub team? Going by @p0358's comment above, the current messaging encourages devs to build an oauth app instead of GitHub app. Yet all over the docs GitHub has plastered the message asking us to consider moving away from Oauth apps

[crohr]

I can't believe this phrasing is still there. Number one reason why users do not go through that first screen, even though I have zero permissions to act on their behalf.

I suspect that's the reason why many companies use 2 GitHub flows: one for authorising/identifying the user using an OAuth app (which doesn't have this crazy warning), and a second one which goes through a GitHub App when permissions are needed on repositories (because we can take advantage of the better granularity here). But that's not what I would call a good dev UX.

[prevostc]

With only read permissions set on our app, showing this warning is a bug.

[hblanco666]

I can't believe this is still an issue. This is definitely a bug, the interface is showing incorrect and misleading information to the user. This creates lots of problems in the context of a security aware company since all users will report a non-issue

[iBotPeaches]

Just adding another comment as it appears a few years later still not prioritized. It seems a bit misleading still and a constant pain of user questions when they are prompted to approve something that isn't true.

As shown below - we have 0 permissions for the account block of permissions. We cannot act on behalf of the user at all.

[avirgili-eclub]

2024 and is still a problem this.. sad.

[tobiasb]

I wonder if this will ever get fixed?

[graham-fleming]

someone asked about this today, too bad this is the result

[github-actions[bot]]

🕒 Discussion Activity Reminder 🕒

This Discussion has been labeled as dormant by an automated system for having no activity in the last 60 days. Please consider one the following actions:

1️⃣ Close as Out of Date: If the topic is no longer relevant, close the Discussion as out of date at the bottom of the page.

2️⃣ Provide More Information: Share additional details or context — or let the community know if you've found a solution on your own.

3️⃣ Mark a Reply as Answer: If your question has been answered by a reply, mark the most helpful reply as the solution.

Note: This dormant notification will only apply to Discussions with the Question label. To learn more, see our recent announcement.

Thank you for helping bring this Discussion to a resolution! 💬

[pinpox]

Not out of date!

[roelanddel]

Agreed. I still get challenged on this on a monthly, sometimes weekly basis.

People get the wrong idea and we have to always objection handle this 'distrusting' start of the conversation.

[jsoref]

@jricciardi: please remove the Question label -- this is purely Product Feedback.

[avirgili-eclub]

Still waiting to this fix..

[avirgili-eclub]

up! 2024

[sricks]

bump, still an issue

[squiishyy]

Bumping, still an issue

[avirgili-eclub]

bump, still a issue

[tolik518]

Any update on the issue?
This is a pretty serious matter since it makes some projects virtually untrustworthy

[florianmartens]

Facing the same.

[pboling]

As we approach the 2nd anniversary of this issue, and the 6th anniversary of Microsoft's acquisition of GitHub, it is important to remember that GitHub Microsoft does not care. But hey, at least it will be 2025 soon, and we can tack on another year of indifference!

[elcreator]

up!

[hichemfantar]

Apparently it's more clear when you use an org

example:

[sherzodv]

OK, I was very confused and had to dig into this thread to understand what that could mean. Pls just remove :)