Lessen required scopes #24

Closed
dpi opened this issue Apr 30, 2023 · 6 comments

Comments

@dpi

dpi commented Apr 30, 2023

Calling \League\OAuth2\Client\Provider\AbstractProvider::getResourceOwner in certain circumstances throws an exception.

When only the 'read:user' scope is configured and the authenticating user does not have a public email, eventually \League\OAuth2\Client\Provider\Github::fetchResourceOwnerDetails is called. The initial response has $response['email'] = null. This eventually leads to another request to the /emails endpoint. However, this endpoint won't load due to the configured scopes.

The following exception is thrown while trying to fulfill the request:

\League\OAuth2\Client\Provider\Exception\GithubIdentityProviderException

Code: 404
Message: {"message":"Not Found","documentation_url":"https://docs.github.com/rest/reference/users#list-email-addresses-for-the-authenticated-user"}

It should be possible to match scopes required to load this endpoint before attempting. As far as I can tell the response doesn't necessarily require emails. Scopes needed: user or user:email per https://docs.github.com/en/apps/oauth-apps/building-oauth-apps/scopes-for-oauth-apps#available-scopes + https://docs.github.com/en/rest/users/emails?apiVersion=2022-11-28#list-email-addresses-for-the-authenticated-user.

The relevant lines for resolving emails were modified in the last 6 months.
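The check the comment above asks for, gating the /user/emails lookup on whether a scope that grants it was actually requested, as an added illustration that is not code from the league/oauth2-github project. The `ScopeAwareEmailResolver` class and the `$requestJson` callable are assumptions standing in for the provider's internal HTTP call; the scope names (`user`, `user:email`) and the endpoint come from the GitHub documentation linked in the issue.

```php
<?php
// Added example, not the library's own code. Demonstrates resolving the
// resource owner's email only when the configured scopes permit it, so a
// token limited to read:user returns email === null instead of a 404.

declare(strict_types=1);

final class ScopeAwareEmailResolver
{
    /** Scopes that GitHub documents as granting GET /user/emails. */
    private const EMAIL_SCOPES = ['user', 'user:email'];

    /** @var callable(string): array  hypothetical stand-in for the HTTP client */
    private $requestJson;

    /** @var string[] */
    private array $scopes;

    public function __construct(callable $requestJson, array $scopes)
    {
        $this->requestJson = $requestJson;
        $this->scopes = $scopes;
    }

    /** True only if at least one configured scope grants the emails endpoint. */
    public function canReadEmails(): bool
    {
        foreach ($this->scopes as $scope) {
            if (in_array(trim($scope), self::EMAIL_SCOPES, true)) {
                return true;
            }
        }
        return false;
    }

    /**
     * Fill in $user['email'] from /user/emails only when (a) the public
     * profile left it null and (b) a scope granting that endpoint was
     * requested. Otherwise the profile is returned unchanged, email null.
     */
    public function resolve(array $user): array
    {
        if (($user['email'] ?? null) !== null || !$this->canReadEmails()) {
            return $user;
        }

        $emails = ($this->requestJson)('/user/emails');
        foreach ($emails as $entry) {
            // Prefer the primary, verified address; skip unverified ones.
            if (!empty($entry['primary']) && !empty($entry['verified'])) {
                $user['email'] = $entry['email'];
                break;
            }
        }
        return $user;
    }
}

// Constructed demo input; this is not real GitHub API traffic.
$fakeClient = static function (string $path): array {
    if ($path === '/user/emails') {
        return [
            ['email' => 'octo@example.com', 'primary' => true, 'verified' => true],
        ];
    }
    throw new RuntimeException("unexpected path: $path");
};

$profile = ['login' => 'octocat', 'email' => null];

// read:user only: no call to /user/emails is made and no exception is thrown.
$limited = new ScopeAwareEmailResolver($fakeClient, ['read:user']);
var_dump($limited->resolve($profile)['email']);

// user:email granted: the lookup runs and the primary verified address is used.
$full = new ScopeAwareEmailResolver($fakeClient, ['read:user', 'user:email']);
var_dump($full->resolve($profile)['email']);
```

With only `read:user`, `resolve()` returns the profile with a null email and never touches the endpoint; with `user:email` added, it fills in the primary verified address. Keeping the email lookup conditional on the requested scopes is also what lets an integration truthfully state that it does not collect email addresses when it never asks for that scope.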

@dpi
Author

dpi commented Apr 30, 2023

Looks like the relevant recently modified files from #20 #22 lead to this change, perhaps intentionally.

I should be able to use this project without emails?

My desire is to claim that my integration does not collect emails, such that I don't need to have extensive privacy policies and get into less trouble with increasingly common data collection laws.

dpi changed the title from "Cannot login with user:read scope and no public emails" to "Lessen required scopes" on Apr 30, 2023
@shadowhand
Member

That is a valid request. TBH, I haven't looked over the relevant changes that closely, but it certainly seems that we have drifted into territory where email has become a (soft) requirement.

If you would like to put together a PR, that would be appreciated. Otherwise, I will get to this when I have free time.

@dpi
Author

dpi commented Apr 25, 2024

Posted #25 for further discussion

@distantnative

Running into the same problem. Having the email as a hard requirement (not so soft when an exception is thrown) is not great in terms of privacy etc.

@shadowhand any update whether this introduced requirement can be reverted again? Thanks for your work.

@Jefferson49
Contributor

I ran into the same issue while trying to access a GitHub user profile without a public email address.

During debugging, I recognized that the root cause for this issue is a typo in the default scope:

In #26, I provided a pull request which fixes this issue.

@shadowhand
Member

Fixed in version 3.1.1.
