GitHub authorization requires excessive permissions #1688

Closed
maghoff opened this issue Mar 21, 2019 · 2 comments
maghoff commented Mar 21, 2019

There has been some discussion on the permissions for the GitHub login, at least in #191.

Now that login is required to be able to publish crates, I think this design should be revisited. I feel that the permission required is excessive, and I don't want to jump through any hoops to get around it.

I would be happy with either of:

  • Not having to grant crates.io any particular permissions, or
  • Not having to log in with a specific third party. Something like OpenID would be OK; I would also be very happy with simply generating an account on crates.io.

sgrif (Contributor) commented Mar 21, 2019

For reference, the permissions we require are:

[image]

The first item there is literally "you are using OAuth"; we don't explicitly request it, nor could we opt out of it. The second comes from us requesting the read:org scope. Crates can have teams as owners, so we need this permission to be able to determine whether or not you are a member of a team when you try to publish a crate.

Can you clarify which permission specifically you have an issue with, or what you think we are requesting that we don't need?

Non-GitHub login already has an open issue, #326.

maghoff (Author) commented Mar 21, 2019

I find the "Organizations and teams" permission to be excessive for the use-case "publishing personal crates".

#326, which I unfortunately was unable to find with my search terms, addresses this problem sufficiently.
