AshAuthentication GitHub strategy without email

Hello, I’m trying to use the GitHub strategy with a GitHub App, but I don’t want to ask for nor receive the user’s email address. I was able to change authorization_params to limit the scopes requested, but AshAuthentication appears to make its own call to the email API, as I get the below error. Can I stop this API call from happening, and if so, how? Thanks!

    :authentication_result => {:error,
     %Assent.HTTPAdapter.HTTPResponse{
       http_adapter: Assent.HTTPAdapter.Finch,
       request_url: "https://api.github.com/user/emails",
       status: 403,
       headers: [
         {"date", "Sat, 08 Mar 2025 23:06:32 GMT"},
         {"content-type", "application/json; charset=utf-8"},
         {"content-length", "179"},
         {"x-oauth-scopes", ""},
         {"x-accepted-oauth-scopes", "user, user:email"},
         {"x-oauth-client-id", "XX"},
         {"github-authentication-token-expiration", "2025-03-09 07:06:32 UTC"},
         {"x-github-media-type", "github.v3; format=json"},
         {"x-accepted-github-permissions", "emails=read"},
         {"x-github-api-version-selected", "2022-11-28"},
         {"x-ratelimit-limit", "5000"},
         {"x-ratelimit-remaining", "4998"},
         {"x-ratelimit-reset", "1741478792"},
         {"x-ratelimit-used", "2"},
         {"x-ratelimit-resource", "core"},
         {"access-control-expose-headers", ...},
         {...},
         ...
       ],
       body: %{
         "documentation_url" => "https://docs.github.com/rest/users/emails#list-email-addresses-for-the-authenticated-user",
         "message" => "Resource not accessible by integration",
         "status" => "403"
       }

Authentication works if I enable the email permission in the App, but I’d rather not request this access at all.

So the underlying implementation is done by assent. It looks like their GitHub strategy requires the presence of the email. My suggestion is to use the basic OAuth2 strategy and configure it appropriately.

Thanks, that explains why I couldn’t find anything in ash_authentication itself.

The resulting strategy is

    strategies do
      oauth2 :github do
        client_id Tracker.Secrets
        redirect_uri Tracker.Secrets
        client_secret Tracker.Secrets
        authorization_params scope: "read:user"
        base_url "https://github.com"
        authorize_url "https://github.com/login/oauth/authorize"
        token_url "https://github.com/login/oauth/access_token"
        user_url "https://api.github.com/user"
        code_verifier true
      end
    end

Note that the claims, or data, returned with this strategy are very different from the GitHub strategy.

3 Likes
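One way to handle the different data shape mentioned above, as an added example that is not code from this thread, AshAuthentication or Assent. It assumes the generic strategy hands over the decoded JSON body of the `user_url` response with GitHub's `id`, `login` and `name` keys; the module name `GithubIdentity` and the sample payloads are constructed for illustration.

```elixir
defmodule GithubIdentity do
  @moduledoc """
  Hypothetical helper: reduces a raw GitHub `/user` payload to the minimum
  an application needs to identify an account, without any email address.
  """

  @type t :: %{github_id: pos_integer(), login: String.t(), name: String.t() | nil}

  @doc """
  Keys the account on the numeric `id`, which stays the same when a user
  renames their account. `login` is kept for display only. Every other key,
  including a public `email` if one is present, is dropped.
  """
  @spec from_user_info(term()) :: {:ok, t()} | {:error, atom()}
  def from_user_info(%{"id" => id, "login" => login} = info)
      when is_integer(id) and id > 0 and is_binary(login) and login != "" do
    {:ok, %{github_id: id, login: login, name: string_or_nil(info["name"])}}
  end

  # Keys are present but carry unexpected types or empty values.
  def from_user_info(%{"id" => _, "login" => _}), do: {:error, :invalid_field_types}
  # A map in some other shape, for example normalized OIDC-style claims.
  def from_user_info(%{}), do: {:error, :missing_id_or_login}
  def from_user_info(_), do: {:error, :not_a_map}

  defp string_or_nil(value) when is_binary(value) and value != "", do: value
  defp string_or_nil(_), do: nil
end

# Constructed sample payload in the shape of a GitHub `/user` response.
sample = %{
  "id" => 1_234_567,
  "login" => "octo-example",
  "name" => nil,
  "email" => "public@example.com",
  "avatar_url" => "https://avatars.example.invalid/u/1234567"
}

{:ok, identity} = GithubIdentity.from_user_info(sample)
# The email never reaches the application's user record.
false = Map.has_key?(identity, :email)
IO.inspect(identity, label: "identity")

# A constructed OIDC-style claim map is rejected instead of silently accepted.
{:error, :missing_id_or_login} = GithubIdentity.from_user_info(%{"sub" => "1234567"})
```

Saved as a `.exs` file, this runs with plain `elixir` and no dependencies; the pattern matches raise if the helper returns something other than the shown shapes.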

Awesome! Thanks for sharing the solution.

1 Like