On Thu, Mar 22, 2018 at 2:13 PM, Pavel Raiskup <[email protected]> wrote:

> On Thursday, March 22, 2018 11:31:23 AM CET Jakub Kadlcik wrote:
>> The chart says that we likely want to use GitHub App. It doesn't matter
>> which way you go, you always end up with GitHub App because of "Access
>> everything? No".
>>
>> Also, they say this, in the document
>>
>> > Using OAuth Apps
>> > - An OAuth App should always act as the authenticated GitHub user,
>> >   across all of GitHub
>> > - Don't build an OAuth App if you want your application to act on a
>> >   single repository. With the repo OAuth scope, OAuth apps can act on all of
>> >   the authenticated user's repositories.
>>
>> I have a question about the user-friendliness of these two - GitHub App vs
>> OAuth App. I am reading through tons of docs, but can't find the answer
>> anywhere. Do I understand it right, that in case of GitHub App, every user
>> will need to create his own app to get a new access token and put that into
>> Copr, but in case of OAuth app, *we* will create an application, put it
>> somehow into https://github.com/works-with and then a user will just
>> one-click to allow it and then everything will automagically work?
>
> - _I think_ that you can _only_ share GitHub OAuth App on GitHub's
>   "Marketplace". Go to Settings -> Developer settings -> OAuth Apps
>   -> <THE APP> -> "List this application in the Marketplace"
>
> - I'm not sure whether we can implement OAuth in one-click fashion for the
>   user, but I have to admit that I haven't gone that far with the research
>   (I only played with GitHub Apps, and those work pretty well for the
>   use case).
>
>> In such case, OAuth apps may be worth it even though the permission
>> restriction possibilities are limited (
>> https://developer.github.com/apps/building-oauth-apps/scopes-for-oauth-apps/
>> )
>
> Right. Maybe that's not an issue, who knows (TravisCI or CircleCI seem
> to be implemented this way, and people trust them, so why wouldn't they
> trust the Copr?). For me it would be crucial whether the application (==
> copr) works under its own name, say "Copr CI Bot" or it does something
> (or can) under my nick-name... If it has its own identity, I would be
> fine.

As for token-based authentication described here:
https://developer.github.com/apps/differences-between-apps/#token-based-identification

GitHub App: An installation token identifies the app as the GitHub Apps bot, such as @jenkins-bot.
OAuth App: An access token identifies the app as the user who granted the token to the app, such as @octocat.

>
> Pavel
>
>>
>> Jakub
>>
>> On Wed, Mar 21, 2018 at 12:57 PM, Pavel Raiskup <[email protected]> wrote:
>>
>> > On Wednesday, March 21, 2018 12:36:25 PM CET Miroslav Suchý wrote:
>> > > On 21.3.2018 at 12:28, Pavel Raiskup wrote:
>> > > > 4. store **only** the **app** credentials into copr
>> > >
>> > > Yes. Only one app for all projects and all githubs and individual permission
>> > > for each specific Github is granted via OAuth.
>> >
>> > GitHub OAuth:
>> >
>> >   pros: users don't have to create custom app (a few clicks anyway)
>> >   cons: that app has complete access to the repo, even push
>> >
>> > GitHub App:
>> >
>> >   pros: users can grant the app to e.g. only set the "CI flags" in PR
>> >   cons: users have to create the custom app in web-ui
>> >
>> > To me, we should support both ways (oauth for convenience of users).. but
>> > I voted for non-OAuth as that's the only option I would _personally_
>> > accept.
>> >
>> > Pavel
>> >
>> > _______________________________________________
>> > copr-devel mailing list -- [email protected]
>> > To unsubscribe send an email to [email protected]
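
An added example, not part of the original thread and not Copr's code: a check a service could run on the scopes GitHub reports for an OAuth token (the `X-OAuth-Scopes` response header) before storing it, rejecting tokens that can push. It goes beyond the thread, which mentions only the `repo` scope, by using the narrower `repo:status` scope from the scopes documentation linked above; the function names and the assumption that the service only needs to set commit statuses are hypothetical.

```python
# Constructed table (not from the thread): a parent scope and the narrower
# scopes it includes, per GitHub's "Scopes for OAuth Apps" documentation.
IMPLIED = {"repo": {"repo:status", "repo_deployment", "public_repo", "repo:invite"}}
PUSH_SCOPES = {"repo", "public_repo"}  # scopes with read/write access to code
NEEDED = frozenset({"repo:status"})    # assumption: service only sets commit statuses


def parse_scopes(header_value):
    """Split a comma-separated X-OAuth-Scopes header value into a set."""
    return {s.strip() for s in header_value.split(",") if s.strip()}


def effective_scopes(granted):
    """Expand parent scopes, since the header lists only the parent."""
    out = set(granted)
    for scope in granted:
        out |= IMPLIED.get(scope, set())
    return out


def audit_token(header_value, needed=NEEDED):
    """Report which needed scopes are missing, which are excess, and push ability."""
    granted = parse_scopes(header_value)
    effective = effective_scopes(granted)
    return {
        "granted": sorted(granted),
        "missing": sorted(needed - effective),
        "excess": sorted(granted - needed),
        "can_push": bool(effective & PUSH_SCOPES),
    }


def acceptable(report):
    """Accept only tokens that cover the need and cannot write to code."""
    return not report["missing"] and not report["can_push"]


if __name__ == "__main__":
    # Constructed sample header values.
    for header in ("repo, user:email", "repo:status", ""):
        report = audit_token(header)
        print(repr(header), report, "OK" if acceptable(report) else "REJECT")
```

Whatever scopes are granted, an OAuth access token still identifies the app as the user who granted it, so this check narrows what the token can do but not whose name it acts under.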
