The OAuth Complicit Flow

From IIW

Session Topic: "An Auth reqeust you can't refuse;" The OAuth Complicit Flow

Tuesday, 3C

Convener: Justin Richer

Notes-taker(s): Jason Cowley

Tags for the session - technology discussed/ideas considered: OAuth

  • Applications tend to ask users for excessive permissions
  • Users grant permissions without thinking
  • Abuse of TOFU (trust on first use) model

Key problems

  • Users don't really see permissions being requested (e.g. like a EULA that

user's never actually read)

  • App developers tend to ask for as many permissions as they may ever need

Related Issues:

  • Course grained vs. fine grained permissions
    • course-grained results in less control, over-permissioning
    • fine grained results in too much information (EULA type page that users don't read)

Goal: have apps ask for only the permissions they need when they need it

Additional Notes:

  • Facebook allows users to de-select individual permissions, which does put some fine grained control back in the user's hands at authentication / authorization time
  • Some kind of "progressive permissioning" model would be desirable,

without the need to re-auth the user

  • Apps could get permissions as needed
  • Ideally, minimal or no user inconvenience to grant additional permissions
  • Could have classes of apps, or classes of permission sets that are vetted and shared
  • Recipes of permissions that users create and share
  • App store model (aka "walled garden") can rely on the app store to vet apps and reject apps that abuse permission