I’m not conceptually opposed to OAuth, or to a site using another site’s identity system for its authentication. The problem is that these sites ask for too much access.
I am happy to log in and let them leverage my current networks to try to connect me with folks in the new service, but I want to be able to say yes/no on an individual permission basis instead of a blanket yes/no during the OAuth step.
Here’s an example of Geeklist asking for access to my Twitter account:
The service is asking to be able to do four things:
- See the content I post to Twitter. This is fine. My account is not protected, I have no problem with them requesting this same content via the Twitter API.
- See who I follow and follow new people. I’m not wild about the “follow new people” bit, but seeing who I follow is fine. My experience on Geeklist is likely to be better if they can connect me with some folks I am interested in.
- Update my profile. What? Why should I allow some other service to update my profile? I’m guessing they might offer to change my web URL or my bio or something… no way do I want them doing this.
- Post tweets for me. No way. I don’t want some service I barely know (which is normally the case – when you’re registering for a new service you’re still learning about it) to be posting as me on Twitter. I recognize why they want to do this: they probably want to allow me to choose to spam my timeline with “accomplishments” and such. I hate that crap.
A good friend asked me to sign up for Geeklist, and showed me how it would be beneficial to me. This is exactly the sort of intro they want. I have some motivated self-interest as well as an endorsement.
My next experience with the service was this OAuth step. Immediately, they are losing goodwill.
I wanted to sign up for the service, so I went ahead and completed the OAuth steps and connected my Twitter account, despite my reservations. The next thing I saw was this:
I still don’t know what this service is or how it works, and I’m being asked to follow and spam on its behalf. My next action was to go de-authorize the service from my Twitter account.
I’ve used Geeklist as an example here, but that’s simply because they are the most recent example I’ve experienced and I thought to take screenshots along the way. They are certainly not alone in how they’ve chosen to set up their user registration flow.
I understand why services/apps want to request the permissions they do. I also understand why they may choose to use third-party authentication exclusively for registration and logging in. This understanding aside, I’m not OK with being forced to allow more access to the third-party account than I consider reasonable in exchange for being able to register.
I’m fine with a service asking for more permissions than I’m willing to grant, but I’d like to be able to check/uncheck those permissions as part of the OAuth process.
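To make the per-permission model concrete, here is an added example (not from the original post, and not Twitter’s or Geeklist’s code) of how an OAuth consent step could let the user tick or untick each requested scope, and how the API then enforces exactly what was granted. The scope names, the toy authorization server and the toy resource server are all constructed for this illustration; the client id `geeklist-demo` is a placeholder.

```python
"""Per-scope OAuth consent and enforcement, modelled on the four permissions
discussed above. Everything here is constructed for illustration."""
from dataclasses import dataclass
import secrets

# Constructed scope names; they are not real Twitter API scopes.
READ_TWEETS = "read:tweets"
READ_FOLLOWS = "read:follows"
WRITE_FOLLOWS = "write:follows"
WRITE_PROFILE = "write:profile"
WRITE_TWEETS = "write:tweets"
KNOWN_SCOPES = frozenset({READ_TWEETS, READ_FOLLOWS, WRITE_FOLLOWS,
                          WRITE_PROFILE, WRITE_TWEETS})


@dataclass(frozen=True)
class AccessToken:
    value: str
    client_id: str
    scopes: frozenset


class AuthorizationServer:
    """Toy authorization server: the consent step is the only place scopes are decided."""

    def __init__(self):
        self._tokens = {}

    def consent(self, client_id, requested, granted):
        """Issue a token carrying only the scopes the user ticked.

        `requested` is what the client asked for; `granted` is the user's choice per
        checkbox. The token gets the intersection: the client never receives more than
        it asked for, and the user cannot approve a scope that was never requested."""
        unknown = set(requested) - KNOWN_SCOPES
        if unknown:
            raise ValueError(f"client requested unknown scopes: {sorted(unknown)}")
        effective = frozenset(requested) & frozenset(granted)
        token = AccessToken(secrets.token_urlsafe(32), client_id, effective)
        self._tokens[token.value] = token
        return token

    def introspect(self, value):
        return self._tokens.get(value)

    def revoke(self, value):
        """De-authorize the app after the fact, as the post describes doing."""
        self._tokens.pop(value, None)


class ScopeError(PermissionError):
    pass


class ResourceServer:
    """Toy API: each endpoint declares the single scope it needs and checks it."""

    def __init__(self, authz):
        self._authz = authz
        self._tweets = ["hello world"]      # constructed sample data
        self._following = {"alice"}
        self._bio = "original bio"

    def _require(self, token_value, scope):
        token = self._authz.introspect(token_value)
        if token is None:
            raise ScopeError("token unknown or revoked")
        if scope not in token.scopes:
            raise ScopeError(f"token lacks scope {scope!r}")
        return token

    def read_timeline(self, token_value):
        self._require(token_value, READ_TWEETS)
        return list(self._tweets)

    def list_following(self, token_value):
        self._require(token_value, READ_FOLLOWS)
        return sorted(self._following)

    def follow(self, token_value, user):
        self._require(token_value, WRITE_FOLLOWS)
        self._following.add(user)

    def update_profile(self, token_value, bio):
        self._require(token_value, WRITE_PROFILE)
        self._bio = bio

    def post_tweet(self, token_value, text):
        self._require(token_value, WRITE_TWEETS)
        self._tweets.append(text)


def outcome(call, *args):
    """Run one API call and report 'allowed' or the reason it was denied."""
    try:
        call(*args)
        return "allowed"
    except ScopeError as exc:
        return f"denied: {exc}"


def demo():
    """The flow from the post: the app asks for all five scopes, the user ticks only
    the two read scopes, and the API enforces exactly that, including after revocation."""
    authz = AuthorizationServer()
    api = ResourceServer(authz)
    requested = [READ_TWEETS, READ_FOLLOWS, WRITE_FOLLOWS, WRITE_PROFILE, WRITE_TWEETS]
    token = authz.consent("geeklist-demo", requested, granted=[READ_TWEETS, READ_FOLLOWS])
    results = {
        "read_timeline": outcome(api.read_timeline, token.value),
        "list_following": outcome(api.list_following, token.value),
        "follow": outcome(api.follow, token.value, "bob"),
        "update_profile": outcome(api.update_profile, token.value, "new bio"),
        "post_tweet": outcome(api.post_tweet, token.value, "posted on my behalf"),
    }
    authz.revoke(token.value)
    results["after_revoke"] = outcome(api.read_timeline, token.value)
    return results


if __name__ == "__main__":
    for endpoint, result in demo().items():
        print(f"{endpoint:15} {result}")
```

The design point is that the user’s checkboxes, not the client’s request, decide what the token can do, and that every endpoint checks for its own scope rather than trusting that a token exists at all. Revocation is just deleting the token server-side, which is why de-authorizing an app in the identity provider’s settings takes effect immediately.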