How Code Climate Authenticates with GitHub

A brief overview of how Code Climate authenticates users through GitHub and decides which repositories they can see

Authentication: How Users are Identified

Code Climate uses GitHub OAuth to authenticate users to the application. The OAuth web application flow it follows is described in GitHub's documentation.

Additional information about the scopes we request can be found here.
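The web application flow referred to above, as an added example that is not Code Climate's own code: it builds the authorize redirect, binds the login to an unguessable state value, rejects a callback whose state does not match (login CSRF), and checks the granted scopes before trusting the token. The GitHub URLs and parameter names are real; CLIENT_ID, REDIRECT_URI, the scope list and the fake token-exchange function are assumptions made for this example, and the real token endpoint is not called.

```python
"""Added example of the GitHub OAuth web application flow with state checking.
GitHub URLs and parameter names are real; CLIENT_ID, REDIRECT_URI, SCOPES and
fake_exchange are constructed for this example."""
import hmac
import secrets
from typing import Callable, Dict
from urllib.parse import urlencode

AUTHORIZE_URL = "https://github.com/login/oauth/authorize"
TOKEN_URL = "https://github.com/login/oauth/access_token"  # real endpoint; not called here

CLIENT_ID = "Iv1.example-client-id"                             # assumption
REDIRECT_URI = "https://app.example.test/auth/github/callback"  # assumption
SCOPES = ["read:user", "repo"]  # assumption: the page does not list the real scopes


def new_state() -> str:
    """Unguessable per-login value. Store it server-side (session) before redirecting."""
    return secrets.token_urlsafe(32)


def build_authorize_url(state: str) -> str:
    """Step 1: redirect the browser to GitHub. scope is space-delimited in the request."""
    params = {
        "client_id": CLIENT_ID,
        "redirect_uri": REDIRECT_URI,
        "scope": " ".join(SCOPES),
        "state": state,
    }
    return f"{AUTHORIZE_URL}?{urlencode(params)}"


# exchange(code) -> token-endpoint JSON. A real implementation POSTs code, client_id and
# client_secret to TOKEN_URL with "Accept: application/json"; here it is injected so the
# example runs offline.
Exchange = Callable[[str], Dict[str, str]]


def handle_callback(query: Dict[str, str], session_state: str, exchange: Exchange) -> str:
    """Step 2: validate the callback query string and return the access token, or raise."""
    if "error" in query:
        raise PermissionError(f"GitHub denied authorization: {query['error']}")
    # Constant-time compare of the state echoed by GitHub against the one we issued.
    # A mismatch means this callback was not started by this session: drop the code.
    if not hmac.compare_digest(query.get("state", ""), session_state):
        raise PermissionError("state mismatch: possible login CSRF, discarding code")
    resp = exchange(query.get("code", ""))
    if "access_token" not in resp:
        raise PermissionError(f"token exchange failed: {resp.get('error', 'unknown')}")
    # The token response lists granted scopes comma-separated; refuse a token that
    # cannot do what the application needs rather than failing later.
    granted = set(resp.get("scope", "").split(",")) - {""}
    missing = set(SCOPES) - granted
    if missing:
        raise PermissionError(f"token lacks required scopes: {sorted(missing)}")
    return resp["access_token"]


def fake_exchange(code: str) -> Dict[str, str]:
    """Constructed stand-in for the token endpoint."""
    if code != "good-code":
        return {"error": "bad_verification_code"}
    return {"access_token": "gho_example", "token_type": "bearer", "scope": "read:user,repo"}


if __name__ == "__main__":
    state = new_state()
    print(build_authorize_url(state))
    print(handle_callback({"code": "good-code", "state": state}, state, fake_exchange))
```

The state value must be tied to the user's session, not merely present: a fixed or predictable state defeats the check entirely.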

Authorization: Which Resources Users Have Access to

There are two permission schemes that grant access to view a repository's code and analysis results on Code Climate: Team-based Authorization and GitHub-backed Authorization.

In Team-based Authorization [deprecated], access to repositories is granted through teams: each team is associated with a set of repositories, and members of a team can access those repositories. Teams are defined and controlled solely by Code Climate organization owners and have no relation to GitHub teams.

In GitHub-backed Authorization, Code Climate uses the GitHub API to determine which repositories each Code Climate organization member can view results for: a member can view a repository on Code Climate only if they have permission to view it on GitHub. Consequently, if a user's access to a repository is revoked on GitHub, it is also revoked on Code Climate.
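A GitHub-backed check of the kind described above, as an added example that is not Code Climate's own code. It asks GitHub, with the user's own OAuth token, whether the user can see a repository, denies on a 404, and fails closed when GitHub gives no definitive answer. The endpoint and its status-code behaviour are real GitHub API behaviour; FakeGitHub, the logins, tokens and repository names are constructed for this example.

```python
"""Added example of GitHub-backed authorization. The endpoint GET /repos/{owner}/{repo}
and its 200/404 semantics are real; FakeGitHub and all names and tokens are constructed."""
from dataclasses import dataclass, field
from typing import Callable, Dict, Set, Tuple

# fetch(path, token) -> (http_status, json_body). Injected so the example runs offline;
# a real one sends GET https://api.github.com{path} with "Authorization: Bearer {token}".
Fetch = Callable[[str, str], Tuple[int, dict]]


class GitHubUnavailable(Exception):
    """GitHub gave neither a clear yes nor a clear no; the caller must fail closed."""


def can_view_repo(fetch: Fetch, token: str, owner: str, repo: str) -> bool:
    """Return True only if the token holder can currently read owner/repo on GitHub.

    GitHub answers 200 with a `permissions` object for repositories the token holder can
    access, and 404 (not 403) for private repositories they cannot see, so the user cannot
    even learn that the repository exists. Anything else (401 bad token, 403 rate limit,
    5xx) is not a "no" and must never be treated as a "yes".
    """
    status, body = fetch(f"/repos/{owner}/{repo}", token)
    if status == 200:
        return bool(body.get("permissions", {}).get("pull", False))
    if status == 404:
        return False
    raise GitHubUnavailable(f"GET /repos/{owner}/{repo} returned {status}")


@dataclass
class FakeGitHub:
    """Constructed stand-in for api.github.com: tokens map to logins, logins to repos."""
    tokens: Dict[str, str]                                      # token -> login
    access: Dict[str, Set[str]] = field(default_factory=dict)   # login -> {"owner/repo"}
    outage: bool = False

    def fetch(self, path: str, token: str) -> Tuple[int, dict]:
        if self.outage:
            return 503, {"message": "Service Unavailable"}
        login = self.tokens.get(token)
        if login is None:
            return 401, {"message": "Bad credentials"}
        full_name = path[len("/repos/"):]
        if full_name in self.access.get(login, set()):
            return 200, {"full_name": full_name,
                         "permissions": {"admin": False, "push": False, "pull": True}}
        return 404, {"message": "Not Found"}

    def revoke(self, login: str, full_name: str) -> None:
        """Simulate an owner removing the user from the repository on GitHub."""
        self.access.get(login, set()).discard(full_name)


def demo() -> dict:
    """Walk through grant, revocation and an outage; returns what each check decided."""
    gh = FakeGitHub(tokens={"gho_alice": "alice"},
                    access={"alice": {"acme/api", "acme/web"}})
    result = {"before": can_view_repo(gh.fetch, "gho_alice", "acme", "api")}
    gh.revoke("alice", "acme/api")  # access removed on GitHub ...
    result["after"] = can_view_repo(gh.fetch, "gho_alice", "acme", "api")  # ... gone here too
    gh.outage = True
    try:
        can_view_repo(gh.fetch, "gho_alice", "acme", "web")
        result["outage"] = "allowed"  # never reached: an outage is not a grant
    except GitHubUnavailable:
        result["outage"] = "denied"
    return result


if __name__ == "__main__":
    print(demo())
```

If an application caches these answers to stay within GitHub's rate limits, the cache TTL is the upper bound on how long a revocation on GitHub takes to become effective in the application, so keep it short and key it on the user's token, not only on the repository.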