The OAuth Complicit Flow
From IIW
Session Topic: "An Auth request you can't refuse;" The OAuth Complicit Flow
Tuesday, 3C
Convener: Justin Richer
Notes-taker(s): Jason Cowley
Tags for the session - technology discussed/ideas considered: OAuth
- Applications tend to ask users for excessive permissions
- Users grant permissions without thinking
- Abuse of TOFU (trust on first use) model
Key problems
- Users don't really see the permissions being requested (like a EULA that users never actually read)
- App developers tend to ask for as many permissions as they may ever need
Related Issues:
- Coarse-grained vs. fine-grained permissions
  - coarse-grained results in less control and over-permissioning
  - fine-grained results in too much information (a EULA-type page that users don't read)
Goal: have apps ask for only the permissions they need when they need it
Additional Notes:
- Facebook allows users to de-select individual permissions, which does put some fine grained control back in the user's hands at authentication / authorization time
- Some kind of "progressive permissioning" model would be desirable, without the need to re-auth the user
- Apps could get permissions as needed
- Ideally, minimal or no user inconvenience to grant additional permissions
- Could have classes of apps, or classes of permission sets that are vetted and shared
- Recipes of permissions that users create and share
- App store model (aka "walled garden") can rely on the app store to vet apps and reject apps that abuse permission
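To make the "progressive permissioning" idea above concrete, here is a small added example (not from the session or from any real authorization server) that models the consent step of an OAuth authorization server. The scope names, the users, the client id and the ConsentStore are all constructed for illustration. It shows two things the notes ask for: a returning client that needs one more scope is prompted only for that delta, with no re-consent for what was already granted, and the user can de-select individual scopes (as the notes say Facebook allows), so the issued token never carries more than the user actually approved.

```python
"""Toy model of an OAuth authorization server's consent step, illustrating
incremental ("progressive") authorization. Constructed example only; the
scope catalogue, store and client names are hypothetical."""

from dataclasses import dataclass, field

# Constructed fine-grained scope catalogue (hypothetical scope names).
SCOPES = {
    "profile:read": "Read your name and avatar",
    "contacts:read": "Read your contact list",
    "contacts:write": "Add or remove contacts",
    "photos:read": "View your photos",
}


@dataclass
class ConsentStore:
    """Remembers, per (user, client) pair, which scopes the user has approved."""
    grants: dict = field(default_factory=dict)

    def granted(self, user, client):
        return set(self.grants.get((user, client), set()))

    def record(self, user, client, scopes):
        self.grants[(user, client)] = self.granted(user, client) | set(scopes)


def consent_prompt(store, user, client, requested):
    """Return the scopes the user must actually be asked about on this request.

    Unknown scopes are rejected up front (the server would answer
    invalid_scope). Scopes already granted are not re-prompted, so a client
    that comes back for one new scope sees a one-line prompt, not the whole
    EULA-style list the notes complain about."""
    unknown = set(requested) - SCOPES.keys()
    if unknown:
        raise ValueError(f"invalid_scope: {sorted(unknown)}")
    return sorted(set(requested) - store.granted(user, client))


def authorize(store, user, client, requested, approved_by_user):
    """Complete the consent step and return the scopes the issued token carries.

    `approved_by_user` is the subset of the prompted scopes the user ticked;
    anything the user de-selected is simply not recorded. Only scopes that
    were both prompted and approved are added, so neither the client nor a
    tampered form can sneak in a scope the user never saw."""
    prompt = consent_prompt(store, user, client, requested)
    approved = set(approved_by_user) & set(prompt)
    store.record(user, client, approved)
    # The token is scoped to what was requested now AND granted (now or earlier).
    return sorted(store.granted(user, client) & set(requested))


def demo():
    """Walk one user through three requests from the same (constructed) app."""
    store = ConsentStore()
    user, client = "alice", "photo-app"
    # 1. First run: the app asks only for what its first screen needs.
    first = authorize(store, user, client, ["profile:read"], ["profile:read"])
    # 2. Later, a feature needs photos: the prompt covers only the new scope.
    wanted = ["profile:read", "photos:read"]
    prompt2 = consent_prompt(store, user, client, wanted)
    second = authorize(store, user, client, wanted, prompt2)
    # 3. The app over-asks (read and write); the user de-selects the write scope.
    wanted = ["contacts:read", "contacts:write"]
    prompt3 = consent_prompt(store, user, client, wanted)
    third = authorize(store, user, client, wanted, ["contacts:read"])
    # 4. Asking again for an already-granted scope needs no prompt at all.
    prompt4 = consent_prompt(store, user, client, ["photos:read"])
    return {
        "first": first, "prompt2": prompt2, "second": second,
        "prompt3": prompt3, "third": third, "prompt4": prompt4,
        "remembered": sorted(store.granted(user, client)),
    }


if __name__ == "__main__":
    for step, value in demo().items():
        print(f"{step:10s} {value}")
```

The design choice worth noting is that the delta is computed on the server side from its own consent record, not from anything the client claims it already has; the client only ever states what it wants now, and the server decides what still needs a human decision.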