

Ask HN: GitHub login for B2D service? - bstahlhood

I have been working on a B2D service. Right now my only login method is GitHub. I thought it made sense, since most seem to be using GitHub for their projects. It will use GitHub as a way to help add services to your development projects.

I wanted to know if this is a bad way to go? Should I allow a native login? Various login types?

Thank you for your time and feedback on this issue.
======
cookrn
I don't have too much specific feedback, but I know one thing that has irked
me in the past (and irked users of services I've worked on) is when the OAuth
permissions requested are very broad. For example, why request "write" access
to a resource if you don't need it? In other words, ask for the bare minimum
permissions from the user that your app may require to function.

What stack are you developing in? Maybe there's a solution like
[https://github.com/intridea/omniauth](https://github.com/intridea/omniauth)
available that you could utilize if applicable.

Hope that's helpful and good luck :)

~~~
bmelton
Having written a couple of GitHub-based applications, GitHub permissions are
fairly non-granular. My specific complaint with GitHub OAuth permissions is
that if I want read access to private repositories (which I already feel
guilty asking for, but genuinely need) I _must_ also request write access
(which I have completely no need for, and am uncomfortable having).

You're completely correct in that asking for unnecessary permissions is
gauche, but with GitHub specifically, they make it nearly impossible to be a
responsible custodian. It's quite bothersome, and to the extent that I've
written an application that I think could have a moderate revenue stream if I
released to the world, but I only use it for myself exclusively because I am
that uncomfortable asking for write permissions on private repos that I don't
need or want.
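
The two points above (ask for the bare minimum OAuth scopes, and GitHub's `repo` scope bundling private-repo read with write) can be made concrete in code. The following is an added example written for this thread, not code from any of the posters or from GitHub; the stack is unspecified, so it uses Python's standard library. It assumes the real GitHub scope names `user:email`, `public_repo` and `repo`, the authorize endpoint `https://github.com/login/oauth/authorize`, and a form-encoded token response carrying a comma-separated `scope` field; `CLIENT_ID_PLACEHOLDER` and the redirect URI are placeholders, and the feature-to-scope table is the author's own.

```python
"""Least-privilege GitHub OAuth scope handling (added example, not from the thread)."""
import secrets
from urllib.parse import parse_qs, urlencode

AUTHORIZE_URL = "https://github.com/login/oauth/authorize"

# Map each feature the app offers to the narrowest GitHub scope that covers it.
# Login alone needs no scope at all: the token can still read the public profile.
# There is no read-only scope for private repositories; 'repo' grants read AND
# write, which is exactly the complaint raised above. Table is constructed here.
NEEDS_TO_SCOPES = {
    "identity": set(),
    "email": {"user:email"},
    "public_repos_write": {"public_repo"},
    "private_repos": {"repo"},
}


def minimal_scopes(needs):
    """Smallest scope set covering the requested features, as a sorted list."""
    scopes = set()
    for need in needs:
        if need not in NEEDS_TO_SCOPES:
            raise ValueError(f"unknown need: {need}")
        scopes |= NEEDS_TO_SCOPES[need]
    # 'repo' already implies 'public_repo', so drop the redundant narrower scope.
    if "repo" in scopes:
        scopes.discard("public_repo")
    return sorted(scopes)


def build_authorize_url(client_id, redirect_uri, scopes, state=None):
    """Authorize URL requesting only `scopes`; returns (url, state) so the
    caller can store `state` in the session and compare it on the callback."""
    state = state or secrets.token_urlsafe(16)
    params = {"client_id": client_id, "redirect_uri": redirect_uri, "state": state}
    if scopes:
        params["scope"] = ",".join(scopes)  # GitHub separates scopes with commas
    return f"{AUTHORIZE_URL}?{urlencode(params)}", state


def granted_scopes(token_response_body):
    """Scopes actually attached to the token, parsed from GitHub's form-encoded
    token response (e.g. access_token=...&scope=repo%2Cuser%3Aemail&token_type=bearer)."""
    fields = parse_qs(token_response_body)
    raw = fields.get("scope", [""])[0]
    return sorted(s for s in raw.split(",") if s)


def audit_grant(requested, granted):
    """Compare what was asked for with what the token carries. Users can edit
    scopes on the consent page (and later), so the token may hold fewer scopes
    than requested or, if an earlier broader authorization exists, more."""
    return {
        "excess": sorted(set(granted) - set(requested)),
        "missing": sorted(set(requested) - set(granted)),
    }


if __name__ == "__main__":
    wanted = minimal_scopes(["identity", "email"])
    url, state = build_authorize_url("CLIENT_ID_PLACEHOLDER",
                                     "https://example.invalid/oauth/callback", wanted)
    print("request only:", wanted)
    print(url)
    # Constructed token response: the token carries 'repo' we never asked for.
    got = granted_scopes("access_token=TOKEN_PLACEHOLDER&scope=repo%2Cuser%3Aemail&token_type=bearer")
    print("audit:", audit_grant(wanted, got))
```

The `audit_grant` step is the defensive half: if a token comes back with scopes the app did not request, treat it as a signal to tell the user and to avoid relying on that access, rather than silently keeping a broader token than the product needs.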

~~~
bstahlhood
Yeah that is my problem too. GitHub seems like a natural fit for a B2D
service, but the permissions are a problem. I don't want to piss off devs.

~~~
bmelton
Pissing off devs is bad, but yeah, my main thing is that securing a website
and database is hard enough, but fairly easy to mitigate.

If an attacker could gain write access to a customer's private repositories
though, I feel like that would make an otherwise unattractive service far more
of a target.

You're dead on though -- I've wanted to use GitHub OAuth for at least five
different dev-oriented projects, but their permission system just makes it
impossible.

