octokit / octokit.js

The all-batteries-included GitHub SDK for Browsers, Node.js, and Deno.
MIT License

Any auth flow currently supported for SPA without backend? #2616

Closed fserb closed 8 months ago

fserb commented 8 months ago

I'm trying to write a simple SPA that behaves a bit like an editor: you interact with the site, and then the site commits to a Github repo of your choice every time you save. I'm trying to do this without any server component (pure browser-side js).

What I want is VERY similar to GitHub's personal access token. I need access from a user to a particular repo of their choice. Ideally, I'd send users to a URL that would allow them to create a "personal access token" that gets returned to me. The current way those tokens work is a bit clumsy, as the users have to go to settings and copy&paste them each time they access the SPA, and also tell me which repo they gave access to. Ideally, there would be an automatic flow for that which returns those values to my callback. But I don't think it exists.

Github doesn't seem to support OAuth's implicit flow, so that's out as a friendly way to do this.

I read some about Github Apps, but not sure if they solve the "no need for backend" issue. Also, it seems a bit weird, as I don't want users to "install my app on their github account".

Is there any other supported alternative? I want to redirect people to GitHub for auth without a backend component to keep a secret in, and without asking for username/password.

github-actions[bot] commented 8 months ago

👋 Hi! Thank you for this contribution! Just to let you know, our GitHub SDK team does a round of issue and PR reviews twice a week, every Monday and Friday! We have a process in place for prioritizing and responding to your input. Because you are a part of this community please feel free to comment, add to, or pick up any issues/PRs that are labeled with Status: Up for grabs. You & others like you are the reason all of this works! So thank you & happy coding! 🚀

gr2m commented 8 months ago

Unfortunately you will need a tiny server component for the OAuth flow. But it's quite simple and you can deploy it for free to e.g. Netlify. Alternatively you can ask a user to create a personal access token and paste it into your app. Username/password authentication for API usage has been disabled for several years now, due to security reasons.

If you want to allow users to limit access to a single repository, I'd register a GitHub app, as installing a GitHub app grants access to user-defined repositories, while OAuth Apps are global. Note that GitHub Apps cannot create a new repository as part of the installation, the user needs to create the repository ahead of time.

fserb commented 8 months ago

I know it's "simple" in the sense that it can be easily deployed. But it's not simple as in it adds a big dependency on the site running. It's a shame there's no solution around that.

It would be nice if there was a friendly flow to request a personal access token and automatically return the token to the site. Meanwhile, I'll stick to copy&pasting it. Thanks.