(February 2014): Advanced OAuth Protection for SSH Keys
We just added more detailed permissions, so third-party applications may request read-only access, read/write access or full administrator access to your public SSH keys.
Note that the access_token response now (October 2013) also returns the scope.
This is described in detail in the OAuth Changes section (October 2013, Tim Clem - tclem):
Starting today, we are returning the granted scopes as part of the access_token response.
For example, if you make a POST with an application/json mime type, you will see an additional field for the granted scopes.
{ "access_token":"e72e16c7e42f292c6912e7710c838347ae178b4a", "scope":"repo,gist", "token_type":"bearer" }
Currently, these scopes will be identical to what was requested, but we are moving towards a set of features that will let GitHub users edit their scopes, effectively giving your application less access than you originally requested.
You should be aware of this feature and adjust app behavior accordingly.
Some things to keep in mind:
Most third-party applications that use GitHub OAuth to authenticate users have the best success at being accepted by starting with the minimum access request the application can get by with. Something like no scopes or just user:email is very reasonable.
It's important to handle error cases where users decide to give you less access than you originally requested.
Now, by looking at the granted scopes in the access_token response, applications can warn or otherwise inform their users that they will see reduced functionality or will not be able to perform some actions.
Applications can always send users back through the flow to get additional permissions, but don't forget that users can always say no.
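As an added example (not code from the answer or from GitHub), here is how an application can read the scope field from the access_token response quoted above, compare it with what it requested, and decide which of its own features to disable or warn about. The token response is a constructed sample, and the feature-to-scope mapping is a hypothetical one for a made-up app.

```python
import json

# Constructed sample token response, shaped like the one quoted above:
# the app asked for repo, gist and user:email, but the user trimmed the grant.
SAMPLE_TOKEN_RESPONSE = (
    '{"access_token":"e72e16c7e42f292c6912e7710c838347ae178b4a",'
    '"scope":"repo,gist","token_type":"bearer"}'
)

# Hypothetical mapping of app features to the GitHub scopes they require.
FEATURE_SCOPES = {
    "push_commits": {"repo"},
    "share_snippets": {"gist"},
    "send_notifications": {"user:email"},
}


def granted_scopes(token_response_json):
    """Parse the access_token response and return the granted scopes as a set.
    A missing or empty "scope" field means no scopes were granted."""
    body = json.loads(token_response_json)
    raw = body.get("scope", "")
    return {s.strip() for s in raw.split(",") if s.strip()}


def check_grant(requested, token_response_json):
    """Compare requested scopes with what the user actually granted.
    Returns (missing_scopes, features_to_disable); trust the response, never
    the original request, when deciding what the token can do."""
    granted = granted_scopes(token_response_json)
    missing = set(requested) - granted
    disabled = sorted(f for f, needs in FEATURE_SCOPES.items() if not needs <= granted)
    return missing, disabled


if __name__ == "__main__":
    missing, disabled = check_grant({"repo", "gist", "user:email"}, SAMPLE_TOKEN_RESPONSE)
    if missing:
        print(f"User granted less than requested; missing: {sorted(missing)}")
        print(f"Features to disable or warn about: {disabled}")
```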