@jaksi discovered that the scopes of SSO authorized personal access tokens could be modified without having a SAML session. In SAML enabled organizations, personal access tokens have to be authorized before they are allowed to access private resources inside the organization. This allows organization admins to audit which personal access tokens have access to their organization’s private resources, and revoke them if need be. Whenever a user first authorizes a token for use in a SAML enabled organization, they have to go through the SAML flow to prove they have a valid session; however, we were not requiring this for scope changes.

If both a user’s session and personal access token were compromised, an attacker would be able to give the token a broader scope, such as repo, and be able to access the SAML-potected organization resources with it. We addressed this by removing all SSO authorizations on a token whenever it’s regenerated or the scopes are changed.