getsentry / sentry

Developer-first error tracking and performance monitoring
https://sentry.io

Progressive permissions for OAuth with GitHub #61423

Open johndbritton opened 11 months ago

johndbritton commented 11 months ago

Problem Statement

As a user of GitHub SSO with Sentry for work, I do not want to be forced to share access to my personal repositories with Sentry.

Stated differently: I should be able to use GitHub SSO with Sentry by only sharing public profile information.

Solution Brainstorm

I contacted Sentry support about this and they told me to open an issue here. It appears that the team at Sentry believes that this is not possible with the GitHub API, but I am quite confident that it is possible, as I have implemented something similar in my own applications.

I understand that Sentry needs repo scope from GitHub OAuth in the case that individual users are connecting their personal projects. However, in the case of using GitHub OAuth as SSO for Sentry at work, it should be possible for Sentry to only request public profile data and perhaps membership information from a specific organization.

I suggest an implementation that would allow a Sentry user to connect their GitHub account as a profile with no access only. To do this, the OAuth flow on Sentry's side would need to be modified to request read:org as documented here: https://docs.github.com/en/apps/oauth-apps/building-oauth-apps/scopes-for-oauth-apps#available-scopes

Additionally, the user will have to approve organization access for the relevant organizations with "OAuth app access restrictions" enabled per: https://docs.github.com/en/organizations/managing-oauth-access-to-your-organizations-data/about-oauth-app-access-restrictions

This would allow employees of companies using GitHub SSO with Sentry to access Sentry without providing access to additional account data that is sensitive.

Those Sentry users who also want to provide additional access to their private personal data on GitHub could easily be upgraded to a higher scope level with a simple request.

Product Area

Settings - Teams
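The two-tier scope model proposed above, as an added example that is not part of this issue or of Sentry's code: a minimal `read:org` tier for SSO, a `repo` tier for repository linking, and a check of GitHub's `X-OAuth-Scopes` response header that decides whether a user must be sent back through the authorize flow for an upgrade. The tier names, client id and redirect URI are assumptions; the authorize endpoint, the header and the org-scope hierarchy are GitHub's documented behaviour.

```python
from urllib.parse import urlencode

AUTHORIZE_URL = "https://github.com/login/oauth/authorize"

# Scope tiers (tier names are this example's own convention): SSO only needs
# organization membership, repository linking additionally needs `repo`.
SCOPE_TIERS = {
    "sso": ["read:org"],
    "repo_integration": ["read:org", "repo"],
}

# GitHub's org-scope hierarchy: a broader org scope satisfies a narrower one.
IMPLIES = {
    "admin:org": {"write:org", "read:org"},
    "write:org": {"read:org"},
}


def parse_oauth_scopes_header(value):
    """Parse an X-OAuth-Scopes header such as 'read:org, repo' into a list."""
    return [s.strip() for s in value.split(",") if s.strip()]


def expand_scopes(granted):
    """Return the granted scopes plus every scope they imply."""
    have = set()
    for scope in granted:
        have.add(scope)
        have |= IMPLIES.get(scope, set())
    return have


def missing_scopes(granted_header, tier):
    """Scopes the tier needs that the token (per its header) does not carry."""
    have = expand_scopes(parse_oauth_scopes_header(granted_header))
    return [s for s in SCOPE_TIERS[tier] if s not in have]


def authorize_url(client_id, redirect_uri, tier, state):
    """Build the authorize URL requesting only the tier's scopes."""
    params = {"client_id": client_id, "redirect_uri": redirect_uri,
              "scope": " ".join(SCOPE_TIERS[tier]), "state": state}
    return f"{AUTHORIZE_URL}?{urlencode(params)}"


def upgrade_url_if_needed(client_id, redirect_uri, granted_header, tier, state):
    """None when the existing token already covers the tier, else an upgrade URL."""
    if not missing_scopes(granted_header, tier):
        return None
    return authorize_url(client_id, redirect_uri, tier, state)
```

The `state` value must be an unguessable per-login token that the callback compares against the session; it is passed in here rather than generated so the function stays deterministic.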

getsantry[bot] commented 11 months ago

Assigning to @getsentry/support for routing ⏲️

getsantry[bot] commented 11 months ago

Routing to @getsentry/product-owners-settings-auth for triage ⏲️

Dhrumil-Sentry commented 11 months ago

@johndbritton This is a logical ask and we'll add this to our backlog. cc @leedongwei