Github seems to have changed their oauth

Last week, we installed a new Rancher 2.4. When we added the google oauth client and secret, we got all kind of errors.

We contacted github. And it seems that (uncertain since when) the scope=read:org parameter became mandatory. On another rancher instance that has been running for months, the issue does not occur. So we are making sure we will not touch our github tokens there.

Response from Github Support:
It’s not possible to set default scopes for an application, instead, you should be requesting the scopes for each individual authorisation when you pass the user to GitHub to authorise your application.
You can include the scope parameter like this:

This will prompt the user to accept the read:org scope and create a token with that scope!

We’ve always sent/asked for that scope, but were recently changing who was responsible for adding it to the URL you get redirected to (the ui vs api). This hasn’t shipped though, are you running a master or head branch instead of an actual release?

v2.4-2923-head should I upgrade?

You should run an actual release.

You’re using whatever happened to be the latest commit for the 2.4 branch at the time you pulled it. These are for development and QA; there are no guarantees that it works at all, or is backwards or forwards compatible with past or future builds or releases.

Ah ok. I just don’t want to use the “latest” tag but a specific version number for future reference. Would you advice using rancher/rancher:2.4.4 instead of the head?

latest and stable both always point to an actual release so they are ok to use. But yes it is best to use an explicit 2.x.y tag.

*-head are automatic builds from CI on every merged commit to the corresponding branch (the 2923 in your tag is the drone build number).