GitHub Social accounts - new OAuth prompt


(kang) #1

Hi,

If you have no RP using GitHub authentication, you are not affected and can disregard this message.

A new GitHub scope has been added which allows us to verify if an account has been authenticated with GitHub using MFA.

We will start prompting for this scope.

What does this mean?

Users that authenticate using GitHub accounts will receive a new OAuth authorization request the next time they login, asking for the “read-only access to your profile”.

This is a one-time prompt.

New user will get the usual authorization prompt that will include this request.

If curious, you can also test this here: https://testrp.security.allizom.org/

Tracking, comments, issues: https://github.com/mozilla/iam-project-backlog/issues/141


(Gene Wood) #2

Do we want/need to do any messaging to users in advance of this so they understand why they’re being prompted?


(kang) #3

As per https://github.com/mozilla/iam-project-backlog/issues/141 this is the communication
I.e. there is no personalized per user communication at this time (the change is live).