Closed dpi closed 1 month ago
Looks like the relevant recently modified files from #20 #22 lead to this change, perhaps intentionally.
I should be able to use this project without emails?
My desire is to claim that my integration does not collect emails, such that I don't need to have extensive privacy policies and get into less trouble with increasingly common data collection laws.
That is a valid request. TBH, I haven't looked over the relevant changes that closely, but it certainly seems that we have drifted into territory where email has become a (soft) requirement.
If you would like to put together a PR, that would be appreciated. Otherwise, I will get to this when I have free time.
Posted https://github.com/thephpleague/oauth2-github/pull/25 for further discussion
Running into the same problem. Having the email as a hard requirement (not so soft when an exception is thrown) is not great in terms of privacy etc.
@shadowhand any update whether this introduced requirement can be reverted again? Thanks for your work.
I ran into the same issue while trying to access a GitHub user profile without a public email address.
During debugging, I recognized that the root cause for this issue is a typo in the default scope:
In (#26), I provided a pull request, which fixes this issue.
Fixed in version 3.1.1.
Calling \League\OAuth2\Client\Provider\AbstractProvider::getResourceOwner in certain circumstances throws an exception. When only the 'read:user' scope is configured and the authenticating user does not have a public email, eventually \League\OAuth2\Client\Provider\Github::fetchResourceOwnerDetails is called. The initial response has a $response['email'] = null. This eventually leads to another request to the /emails endpoint. However this endpoint won't load due to the configured scopes.

The following exception is thrown while trying to fulfill the request: \League\OAuth2\Client\Provider\Exception\GithubIdentityProviderException

It should be possible to match scopes required to load this endpoint before attempting. As far as I can tell the response doesn't necessarily require emails. Scopes needed: user or user:email per https://docs.github.com/en/apps/oauth-apps/building-oauth-apps/scopes-for-oauth-apps#available-scopes + https://docs.github.com/en/rest/users/emails?apiVersion=2022-11-28#list-email-addresses-for-the-authenticated-user.

The relevant lines for resolving emails were modified in the last 6 months.
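The scope check the report asks for, sketched as an added example (not code from this issue or from the library): the /emails request is made only when the granted scopes include user or user:email, so a read:user-only integration gets a null email instead of an exception. The function names, the `$fetchEmails` callable standing in for the HTTP request, and the choice of the primary verified address are assumptions.

```php
<?php
declare(strict_types=1);

// Added example; every function name here is hypothetical, not the library's API.

/** Split the comma-separated scope string GitHub returns for a token. */
function parseGrantedScopes(string $raw): array
{
    $scopes = preg_split('/[\s,]+/', trim($raw), -1, PREG_SPLIT_NO_EMPTY) ?: [];
    return array_values(array_unique($scopes));
}

/** The /emails endpoint needs "user" or "user:email"; "read:user" alone does not cover it. */
function canListEmails(array $grantedScopes): bool
{
    return count(array_intersect($grantedScopes, ['user', 'user:email'])) > 0;
}

/**
 * Resolve the owner's email without calling /emails on a token that cannot
 * read it. $fetchEmails is a caller-supplied stand-in for the HTTP request.
 */
function resolveEmail(array $profile, array $grantedScopes, callable $fetchEmails): ?string
{
    if (!empty($profile['email'])) {
        return $profile['email'];      // public email already in the profile
    }
    if (!canListEmails($grantedScopes)) {
        return null;                   // least privilege: no request, no exception
    }
    foreach ($fetchEmails() as $entry) {
        // Assumption: prefer the primary, verified address.
        if (!empty($entry['primary']) && !empty($entry['verified'])) {
            return $entry['email'];
        }
    }
    return null;
}

// Constructed sample data: a profile without a public email.
$profile = ['login' => 'octocat', 'email' => null];
$calls = 0;
$fetch = function () use (&$calls): array {
    $calls++;                          // counts simulated /emails requests
    return [['email' => 'octocat@example.com', 'primary' => true, 'verified' => true]];
};

var_dump(resolveEmail($profile, parseGrantedScopes('read:user'), $fetch));
var_dump(resolveEmail($profile, parseGrantedScopes('read:user, user:email'), $fetch));
var_dump($calls);
```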