Github authorisation and your other orgs

Hey folks,

as you know SQuaRE uses Github (specifically, membership of the lsst org on Github) as an authentication source for developer services, as a shim to the eventual production authentication system. This has left some of you worried, because when you grant access to our service it seems to insist that you give it access to all your orgs.

This is only the case for organisations that were created before the Github permission model changed. If you have one of those orgs, this is what you (or the org admin) should do:

  1. Go to Settings -> Authorized Applications: https://github.com/settings/applications

  2. Revoke any tokens you don’t want applied across all your orgs, eg.

  3. Go to your org’s Settings -> Third party Access and click the setup application restrictions button

  4. Now next time you try and use a SQuaRE service, you will be prompted to re-auth (because of Step 1) and the confirmation screen will look like this:

Any org with restrictions turned on is not automatically included in the grant request. Simply do not grant access for your other orgs. I will RFC turning on restrictions for our orgs soon.

As a general piece of advice, I suggest using an organisation account (instead of your personal account) even for personal projects as access control is better for Github orgs. For example as of today there are new org controls that allow repository deletion only for org owners.

PS. The couple of alpha-testers of our Lab service were being prompted for private repo access - this has been fixed.