Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Excessive permissions using Github login #4125

Open
ValYouW opened this issue Feb 20, 2021 · 10 comments
Open

Excessive permissions using Github login #4125

ValYouW opened this issue Feb 20, 2021 · 10 comments
Labels
area: authentication area: security

Comments

@ValYouW
Copy link

ValYouW commented Feb 20, 2021

Hi,

When signing in using Github it seems that Liveshare asks for too much permissions, while only email seems necessary, it also asks for read/write to public/private repositories, and full permissions for Discussions.
Why? can I limit this to email only?
Thx
@ValYouW ValYouW changed the title Granular permissions using Github login Excessive permissions using Github login Feb 20, 2021
@fubaduba
Copy link
Contributor

@Davsterl do we have any anwers here?

@olegoid
Copy link
Contributor

olegoid commented Feb 22, 2021

@fubaduba we have an internal discussion about this issue.

@Davsterl
Copy link
Member

Yes, we will look into changing the permissions here.

@olegoid
Copy link
Contributor

olegoid commented Mar 5, 2021

Fixed in Live Share v1.0.3912

@olegoid olegoid closed this as completed Mar 5, 2021
@ValYouW
Copy link
Author

ValYouW commented Mar 8, 2021

Thanks!

@scooper91
Copy link

Just had to re-auth with GitHub, and alongside the existing permissions discussed above, it's also now requiring the ability to "Update GitHub Action Workflow files" ("This application will be able to remove, edit GitHub Action Workflow files for your repositories.").

Why does it require all these permissions to use Live Share?

@sebastiantf
Copy link

sebastiantf commented Sep 27, 2022
edited
Loading

Just saw this now. Been using Live Share till yesterday, and all of a sudden, today it asked me again to Login with GitHub/Microsoft. When choosing GitHub, it requests write access to public and private repos

v1.0.5723

@derekbekoe derekbekoe reopened this Oct 1, 2022
@derekbekoe derekbekoe modified the milestones: Oct-Dec 2022, Jan-Mar 2023 (uncommitted) Nov 13, 2022
@radekn
Copy link

radekn commented Nov 16, 2022

I tried to use Live Share (v1.0.5762) today, and it asked me for the following permissions:

Personal user data

Email addresses (read-only), profile information (read-only)
This application will be able to read your private email addresses and read your private profile information.

Repositories

Public and private
This application will be able to read and write all public and private repository data. This includes the following:

  • Code
  • Issues
  • Pull requests
  • Wikis
  • Settings
  • Webhooks and services
  • Deploy keys
  • Collaboration invites

Workflow

Update GitHub Action Workflow files.
This application will be able to remove, edit GitHub Action Workflow files for your repositories.

Given that the only purpose for this is authentication, declining felt like the only sane choice.
I don't think it should need any of that except public profile information (assuming GitHub authentication allows such granularity) and maybe email address.

@raphaelsetin
Copy link

It's still asking all the above as @radekn mentioned in the latest stable VS Code of today.

@derekbekoe derekbekoe removed this from the Jan-Mar 2023 (uncommitted) milestone Mar 29, 2023
@sbromberger
Copy link

Is there any consideration being given to changing this? There is no reason for live share to need access to my private repos - this overbroad set of permissions is the sole reason I can't use it.

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Assignees
No one assigned
Labels
area: authentication area: security
Projects
None yet
Milestone
No milestone
Development

No branches or pull requests