Selectively showing 'act on your behalf' warning for GitHub Apps is in public preview

Source: GitHub Changelog

Update to the consent page

Today we’ve released an update to the consent page to be less alarming when using GitHub Apps only as a form of sign‑in. The consent page for GitHub Apps, where a user decides whether to authorize an app or not, now shows the “Act on your behalf” note only if the app is going to access resources or make writes on the user’s behalf.

Many GitHub Apps sign in users as a sign‑in service. They don’t actually access any data on GitHub; they just need to know who the user is as the basis for an account system. We found that upwards of 50 % of application authorizations were of this nature—only requesting the ability to read user profile data. In those cases, the user was met with a warning that the app would be allowed to act on behalf of the user, followed by a list of permissions it could leverage. When the app was only asking to read the user’s profile, this was confusing: what else would the app be allowed to do? The confusion resulted in support tickets and users opting not to sign in because they perceived a security risk.

The change removes the “Act on your behalf” note in the consent page if the app is requesting only read permissions against the user account itself. If the app requests any repository, organization, or enterprise permission (read or write), the note still appears. This allows applications to sign in users and obtain their profile information and email addresses (if requested) without undue alarm.

Before

After

If you have any thoughts or comments, feel free to drop a message in our Community discussion.