GitHub OAuth Scope

I was going to add a public GitHub repo to the My Code section of the site, but the scope of access that it wanted is not something I’m comfortable with.

In particular, I use a single GitHub ID for personal, work, and side projects. This means the OAuth token that os.mbed.org requested would provide full read/write access to all of my (day job) company’s public and private repositories. Needless to say, the security folks at my company would not be pleased with that.

Leaving that aside, it makes the whole os.mbed.org site an extremely valuable target for malicious actors looking for access to private repositories, and for the ability to inject innocent-looking changes to public and private repositories that could compromise any number of IoT devices.

Possible solutions would be to provide read-only access to public repos only, or at a minimum to be able to only authorize access to a single GitHub organization.
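The following is an added example, not part of Frank's post and not code from os.mbed.org. It shows how a practitioner can check what a GitHub OAuth token is actually allowed to do and how an integration can ask for less. The scope names (`repo`, `public_repo`, `workflow`, `delete_repo`, `admin:org`, `admin:repo_hook`) and the `X-OAuth-Scopes` response header are GitHub's documented classic OAuth-app scopes and header; `client_id`, `state`, the allow-list, and the sample header value are constructed for the example. In the classic scope model, read-only access to public repositories needs no scope at all, and there is no scope that limits a token to one organization.

```python
"""Inspect what a GitHub OAuth token grants and build a minimal-scope authorize URL.

Added example (not the original poster's code, not os.mbed.org's code).
Scope names and the X-OAuth-Scopes header follow GitHub's classic OAuth-app scopes.
"""
import urllib.parse
import urllib.request

# Classic scopes that grant write access to repository contents.
# `repo` covers every public and private repository the user can reach,
# including all organisations they belong to; `public_repo` is public-only.
REPO_WRITE_SCOPES = {"repo", "public_repo"}

# Other high-impact scopes worth flagging when a third-party site asks for them.
HIGH_IMPACT = {
    "workflow": "can modify GitHub Actions workflow files (CI-driven code execution)",
    "delete_repo": "can delete repositories",
    "admin:org": "full control of organisations, teams and membership",
    "admin:repo_hook": "can add, change and remove repository webhooks",
}


def parse_scopes(header_value):
    """Parse an X-OAuth-Scopes header ('repo, read:org') into a set of scopes."""
    return {s.strip() for s in (header_value or "").split(",") if s.strip()}


def assess_scopes(scopes):
    """Return human-readable findings describing what a scope set grants."""
    findings = []
    if "repo" in scopes:
        findings.append("repo: read/write on ALL public and private repositories "
                        "reachable by the user, across every organisation")
    elif "public_repo" in scopes:
        findings.append("public_repo: read/write on public repositories only")
    else:
        findings.append("no repo scope: read-only access to public repository information")
    for scope, impact in HIGH_IMPACT.items():
        if scope in scopes:
            findings.append(f"{scope}: {impact}")
    return findings


def excess_scopes(granted, allowed):
    """Scopes a token holds beyond an allow-list (empty set means it is within policy)."""
    return set(granted) - set(allowed)


def authorize_url(client_id, scopes, state, redirect_uri=None):
    """Build the OAuth authorize URL requesting only the given scopes.

    An integration that merely wants to read public repositories can pass an
    empty scope set; `state` must be unpredictable to prevent CSRF on the callback.
    """
    params = {"client_id": client_id, "state": state}
    if scopes:
        params["scope"] = " ".join(sorted(scopes))
    if redirect_uri:
        params["redirect_uri"] = redirect_uri
    return "https://github.com/login/oauth/authorize?" + urllib.parse.urlencode(params)


def live_token_scopes(token):
    """Ask the GitHub API which scopes a real token carries (requires network access)."""
    req = urllib.request.Request(
        "https://api.github.com/user",
        headers={"Authorization": f"Bearer {token}", "Accept": "application/vnd.github+json"},
    )
    with urllib.request.urlopen(req) as resp:
        return parse_scopes(resp.headers.get("X-OAuth-Scopes"))


if __name__ == "__main__":
    # Constructed header value, standing in for what a broad grant would return.
    sample_header = "repo, read:org, workflow"
    granted = parse_scopes(sample_header)
    for line in assess_scopes(granted):
        print("-", line)
    print("beyond allow-list:", sorted(excess_scopes(granted, {"read:org"})))
    # What a site that only needs to list a user's public repositories should request.
    print(authorize_url("example-client-id", set(), state="constructed-random-state"))
```

To check a real token, call `live_token_scopes(token)` and compare the result against the scopes the integration was meant to receive; a token that turns up with `repo` when only public metadata is needed is the over-grant Frank describes. Restricting access to a single organization or to selected repositories is not possible with classic OAuth scopes; that needs a GitHub App installed on the chosen account with per-repository selection.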

Hi Frank,

Thanks for raising this with us. We’ll take a closer look at the scoping of the token to see what we can change to address your concerns.

Will