Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Reduce Azure DevOps scope #9944

Closed
Dschoordsch opened this issue Jul 9, 2024 · 4 comments · Fixed by #9999
Closed

Reduce Azure DevOps scope #9944

Dschoordsch opened this issue Jul 9, 2024 · 4 comments · Fixed by #9999

Comments

@Dschoordsch
Copy link
Contributor

Right now we're requesting the .default scope which requests access to all Azure DevOps APIs. A customer 🔒 pointed out that this is excessive as it also allows source code access.
@Dschoordsch
Copy link
Contributor Author

I think we only need vso.project vso.work_write 1

Footnotes

  1. https://learn.microsoft.com/en-us/azure/devops/integrate/get-started/authentication/oauth?toc=%2Fazure%2Fdevops%2Forganizations%2Fsecurity%2Ftoc.json&view=azure-devops

@mattkrick
Copy link
Member

I believe we need to turn it into an app so it have fine-grained permissions on a per-repo basis: #7114

@Dschoordsch
Copy link
Contributor Author

We are registered as a web app (#9531). Not sure how we can configure per repo permissions.

@mattkrick
Copy link
Member

oh! well i'm an idiot i must've missed this!
i might be thinking of the GH integration that can do repo-specific perms. makes sense that orgs have a repo or 2 they don't want to expose to parabol

@Dschoordsch Dschoordsch mentioned this issue Jul 18, 2024
Merged
10 tasks
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Assignees
No one assigned
Labels
None yet
Projects
None yet
Milestone
No milestone
Development

Successfully merging a pull request may close this issue.

chore: Reduce Azure DevOps scope ParabolInc/parabol
2 participants
@mattkrick @Dschoordsch