I’m not conceptually opposed to OAuth, or to a site using another site’s identity system for its authentication. The problem is that these sites ask for too much access.
I am happy to log in and let them leverage my current networks to try to connect me with folks in the new service, but I want to be able to say yes/no on an individual permission basis instead of a blanket yes/no during the OAuth step.
Here’s an example of Geeklist asking for access to my Twitter account:

The service is asking to be able to do four things:
- See the content I post to Twitter. This is fine. My account is not protected, I have no problem with them requesting this same content via the Twitter API.
- See who I follow and follow new people. I’m not wild about the “follow new people” bit, but seeing who I follow is fine. My experience on Geeklist is likely to be better if they can connect me with some folks I am interested in.
- Update my profile. What? Why should I allow some other service to update my profile? I’m guessing they might offer to change my web URL or my bio or something… no way do I want them doing this.
- Post tweets for me. No way. I don’t want some service I barely know (which is normally the case – when you’re registering for a new service you’re still learning about it) to be posting as me on Twitter. I recognize why they want to do this: they probably want to allow me to choose to spam my timeline with “accomplishments” and such. I hate that crap.
A good friend asked me to sign up for Geeklist, and showed me how it would be beneficial to me. This is exactly the sort of intro they want. I have some motivated self-interest as well as an endorsement.
My next experience with the service was this OAuth step. Immediately, they are losing goodwill.
I wanted to sign up for the service, so I went ahead and completed the OAuth steps and connected my Twitter account, despite my reservations. The next thing I saw was this:

I still don’t know what this service is or how it works, and I’m being asked to follow and spam on its behalf. My next action was to go de-authorize the service from my Twitter account.
I’ve used Geeklist as an example here, but that’s simply because they are the most recent example I’ve experienced and I thought to take screenshots along the way. They are certainly not alone in how they’ve chosen to set up their user registration flow.
I understand why services/apps want to request the permissions they do. I also understand why they may choose to exclusively use 3rd party authentication for registration and logging in. This understanding aside, I’m not OK with being forced to allow more access to the 3rd party account than I consider reasonable in exchange for being able to register.
I’m fine with a service asking for more permissions than I’m willing to grant, but I’d like to be able to check/uncheck those permissions as part of the OAuth process.
@alexkingorg +1! Finer grained permissions can only be a good thing. The intent of OAuth is to put the consumer in charge, and we aren’t
Hi Alex,
I’m in agreement with you about OAuth permissions. However, when I log in, here via Twitter, to your comments, the MailChimp SocialProxy app basically asks me to allow them access to the same items.
Does OAuth allow developers to specifically note which permissions are needed? My gut is that most developers simply ask for full permissions (whether they need it or not) to allow them future latitude should they need it.
@manifestphil You’re right, it looks like we’re asking for more than we need with Social. I’ll see if we can change that.
Hear, hear! OAuth is really convenient, but some sites want way too much access to your account. http://t.co/IuR0XfK1 (via @alexkingorg)
Could not agree more. Too many services are requesting the ability to spam your friends in the name of “viral” growth.
#OAuth needs partial authorizations choosable by the consumer: http://t.co/IjvSOlTL
Yup, I agree, but remember this is part of the business plan.
Same reason why you need to give so much access to play a game on Facebook. Data is valuable. That’s the currency for the “free” game.
Or in the above case… spam advertising.
In web 1.0 it was illegal to force people’s computer resources to do so. In web 2.0, you have to use OAuth, FB Connect or other social network APIs.
This is why @mapalong only asks for read access when you reserve your username with Twitter. http://t.co/blF00Ikk
OAuth Needs Partial Authorization : alexking.org http://t.co/jgwpJcyz
Truth. @alexkingorg I’m not conceptually opposed to OAuth. The problem is these sites ask for too much access… http://t.co/M6tu1vKv
I totally agree with this: OAuth Needs Partial Authorization – http://t.co/HrYZc0pw
/via @alexkingorg (fixed link)
The problem here isn’t OAuth; the problem is Twitter not offering fine-grained controls to either you or the OAuth consumer. The reason it looks like this app is requesting this much information is that Twitter only offers two levels:
- Can do everything except send/read DMs (the default)
- Can do everything (if the consuming app asks for it)
OAuth is just a protocol. Partial authorization isn’t a protocol thing, it’s an implementation thing at the provider end.
Please log this as a request over at Twitter, because I agree that their API should have more options.
Yes, this isn’t a great example for that reason. However I have yet to see any service/app allow me to select the permissions I am willing to accept as part of the OAuth process.
The permissions are defined by the requesting app, and I want the authorizing service to give me the option of what I allow. I’ve done limited OAuth transactions, but I haven’t seen any mechanism for the authorizing service to include the allowed permissions in the callback data.
If the spec allows it, no one that I’ve seen has implemented it.
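The post asks for per-permission check/uncheck during the OAuth step, and the exchange above turns on whether that is a protocol matter or a provider-implementation matter. OAuth 2.0 (RFC 6749) does carry the pieces: the client lists what it wants in a space-delimited `scope` parameter, the authorization server may grant only a subset, and the token response must carry a `scope` member whenever the granted set differs from the requested one. Whether the consent screen actually offers checkboxes is up to the provider. The following is an added illustration written for this page, not code from Geeklist, Twitter or any real provider; the scope names (modelled on the four permissions in the post), the endpoints, the `consent_screen` stand-in for the user’s clicks, and the feature-to-scope map are all assumptions.

```python
"""Simulated OAuth 2.0 authorization-code flow in which the provider's
consent screen lets the user grant a subset of the requested scopes, and
the client checks the granted `scope` instead of assuming it got everything.
Constructed illustration: scope names, endpoints and the consent logic are
assumptions, not any real provider's API."""
from urllib.parse import urlencode, urlparse, parse_qs
import secrets

# Hypothetical scopes modelled on the permissions discussed in the post.
SCOPES = {
    "tweets.read": "See the content you post",
    "follows.read": "See who you follow",
    "follows.write": "Follow new people",
    "profile.write": "Update your profile",
    "tweets.write": "Post tweets for you",
}

AUTHORIZE_ENDPOINT = "https://provider.example/oauth2/authorize"  # assumed


def build_authorization_url(client_id, redirect_uri, requested_scopes, state):
    """Client side: request exactly the scopes the app needs (RFC 6749 4.1.1)."""
    unknown = set(requested_scopes) - set(SCOPES)
    if unknown:
        raise ValueError(f"unknown scopes requested: {sorted(unknown)}")
    params = {
        "response_type": "code",
        "client_id": client_id,
        "redirect_uri": redirect_uri,
        "scope": " ".join(requested_scopes),  # space-delimited per RFC 6749 3.3
        "state": state,  # CSRF protection for the redirect back to the client
    }
    return f"{AUTHORIZE_ENDPOINT}?{urlencode(params)}"


def consent_screen(authorization_url, user_approves):
    """Provider side: present each requested scope as its own checkbox and
    keep only the ones the user ticks.  `user_approves` stands in for the
    user's clicks (scope name -> bool); anything not ticked is refused."""
    query = parse_qs(urlparse(authorization_url).query)
    requested = query.get("scope", [""])[0].split()
    return [s for s in requested if user_approves.get(s, False)]


def token_response(granted_scopes):
    """Provider side: issue a token limited to the granted subset.  RFC 6749
    5.1 requires the `scope` member when it differs from what was requested;
    always including it is the simplest way to satisfy that."""
    return {
        "access_token": secrets.token_urlsafe(24),
        "token_type": "bearer",
        "expires_in": 3600,
        "scope": " ".join(granted_scopes),
    }


def features_available(token, needs):
    """Client side: map each feature to the scopes it requires and enable only
    those the token actually covers, so a partial grant degrades gracefully."""
    have = set(token.get("scope", "").split())
    return {feature: required <= have for feature, required in needs.items()}


def run_flow(user_approves):
    """Whole exchange end to end; returns the token and the per-feature map."""
    requested = list(SCOPES)
    url = build_authorization_url("geeklist-demo", "https://app.example/cb",
                                  requested, secrets.token_urlsafe(16))
    granted = consent_screen(url, user_approves)
    token = token_response(granted)
    needs = {  # hypothetical features of the consuming app
        "import_timeline": {"tweets.read"},
        "suggest_friends": {"follows.read"},
        "auto_follow": {"follows.read", "follows.write"},
        "share_achievements": {"tweets.write"},
    }
    return token, features_available(token, needs)


if __name__ == "__main__":
    # Constructed consent choices matching the post: read yes, write no.
    token, features = run_flow({"tweets.read": True, "follows.read": True})
    print(token["scope"])
    print(features)
```

The point for a consuming app is the last step: read `scope` from the token response and gate each feature on it, rather than treating the callback as an all-or-nothing grant. For a provider, the change is confined to the consent screen and to populating `scope` honestly; no protocol extension is needed.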
[…] OAuth Needs Partial Authorization – as Alex King points out, many sites that let you log in using your Twitter, Facebook, or other accounts ask for too much access to your account. If I’m not going to use the service to post status updates, it shouldn’t require permission to post updates in my name. […]
Any Success in oauth-needs-partial-authorization?