SSO required unnecessarily #5316

Closed
smoelius opened this issue Oct 12, 2022 · 10 comments
Labels
C-bug 🐞 Category: unintended, undesired behavior

Comments

@smoelius

smoelius commented Oct 12, 2022

Current Behavior

crates.io requires me to log in to my organization, even to administer crates owned by me, not my organization.

When I click "Log in with GitHub" on my personal laptop (where I do not sign in to my organization), I see this:
Screenshot

However, GitHub allows me to administer repositories owned by me (not my organization) from my personal laptop. This suggests that crates.io is being overly aggressive about requiring SSO.

Expected Behavior

SSO should be required to publish/administer crates owned by my organization, but not by me personally.

Steps To Reproduce

  1. Belong to an organization that requires SSO to administer its GitHub repositories
  2. Go to crates.io
  3. Click "Log in with GitHub"

Environment

  • Browser: Chromium 105.0.5195.125 (Official Build) snap (64-bit)
  • OS: Ubuntu 22.04.1 LTS

Anything else?

No response

@smoelius smoelius added the C-bug 🐞 Category: unintended, undesired behavior label Oct 12, 2022
@Turbo87
Member

Turbo87 commented Oct 12, 2022

this looks like it is a duplicate of #1688

@Turbo87 Turbo87 closed this as not planned Oct 12, 2022
@smoelius
Author

Why was #1688 closed?

@Turbo87
Member

Turbo87 commented Oct 12, 2022

Crates can have teams as owners, so we need this permission to be able to determine whether or not you are a member of a team when you try to publish a crate.

@smoelius
Author

I believe the issues are distinct.

The present issue is not about crates.io merely being able to see my organizations and teams. Rather, it is that crates.io requires SSO in order to see them.

Moreover, I verified that GitHub allows access to this information without requiring SSO. Specifically, I created a non-SSO enabled token with the read:org permission and was able to retrieve my organizations using this API: https://docs.github.com/en/rest/orgs/orgs#list-organizations-for-the-authenticated-user

@Turbo87
Member

Turbo87 commented Oct 12, 2022

it's possible that there may have been changes on the GitHub API that enable this these days. PRs are welcome if you want to improve how crates.io requests permissions :)

@smoelius
Author

> PRs are welcome if you want to improve how crates.io requests permissions :)

Your point is very well taken.

Could we perhaps keep the issue open for now, though?

@Turbo87
Member

Turbo87 commented Oct 12, 2022

> Could we perhaps keep the issue open for now, though?

it's not exactly a bug though, as it's still working as originally designed. we're trying to keep feature requests in the Discussions tab instead.

@smoelius
Author

OK, understood. Thank you.

@smoelius
Author

smoelius commented Oct 13, 2022

For anyone else that finds this, I misinterpreted the dialog. 🤦

You can click "Continue" without having to click "Authorize," i.e., you are not required to sign in to your organization.

@Turbo87
Member

Turbo87 commented Oct 13, 2022

ohhhh interesting. Thanks for reporting back! :)
