docs(auth): GitHub OAuth scopes optional (#726)

peterpeterparker · web-flow · commit 1c9a2e0f9b8d · 2026-01-23T16:51:50.000+01:00
* feat(auth): GitHub OAuth scopes optional

* feat: revert and doc
diff --git a/packages/auth/src/providers/github/_openid.ts b/packages/auth/src/providers/github/_openid.ts
@@ -20,6 +20,7 @@ export const requestGitHubJwtWithRedirect = ({
 
   requestUrl.searchParams.set('redirect_uri', redirectUrl ?? currentUrl);
 
+  // Note: GitHub Apps ignore this parameter and use permissions from app settings instead
   requestUrl.searchParams.set('scope', authScopes.join(' '));
 
   // Used for security reasons. When the provider redirects to the application,
diff --git a/packages/core/src/auth/types/github.ts b/packages/core/src/auth/types/github.ts
@@ -1,7 +1,6 @@
-export type AuthScope = 'openid' | 'profile' | 'email';
-
 /**
- * Combination of OAuth scopes supported by GitHub.
+ * OAuth scopes supported by GitHub.
+ * Only applicable for OAuth Apps - GitHub Apps use permissions configured in app settings.
  *
  * - `'read:user'` is always required.
  * - `'user:email'` is optional.
@@ -33,8 +32,8 @@ export interface GitHubRedirectOptions {
 
   /**
    * OAuth scopes to request.
-   * Must begin with `'openid'` and include `'profile'`, `'email'`, or both.
-   * @default ['openid', 'profile', 'email']
+   * Optional - only used for OAuth Apps. GitHub Apps ignore this parameter.
+   * @default ['read:user', 'user:email']
    */
   authScopes?: GitHubAuthScopes;
 
