The OAuth Complicit Flow

Session Topic: "An Auth request you can't refuse": The OAuth Complicit Flow

Tuesday, 3C

Convener: Justin Richer

Notes-taker(s): Jason Cowley

'''Tags for the session - technology discussed/ideas considered: OAuth'''


 * Applications tend to ask users for excessive permissions
 * Users grant permissions without thinking
 * Abuse of TOFU (trust on first use) model

Key problems:
 * Users don't really see permissions being requested (e.g. like a EULA that users never actually read)
 * App developers tend to ask for as many permissions as they may ever need

Related Issues:
 * Coarse-grained vs. fine-grained permissions
 * Coarse-grained results in less control, over-permissioning
 * Fine-grained results in too much information (EULA type page that users don't read)

Goal: have apps ask for only the permissions they need when they need it, without the need to re-auth the user

Additional Notes:
 * Facebook allows users to de-select individual permissions, which does put some fine grained control back in the user's hands at authentication / authorization time
 * Some kind of "progressive permissioning" model would be desirable.
 * Apps could get permissions as needed
 * Ideally, minimal or no user inconvenience to grant additional permissions
 * Could have classes of apps, or classes of permission sets that are vetted and shared
 * Recipes of permissions that users create and share
 * App store model (aka "walled garden") can rely on the app store to vet apps and reject apps that abuse permission
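The following is an added example, not part of the session notes or of any product discussed, that models the "progressive permissioning" goal and the vetting ideas above in Python. It assumes a hypothetical authorization server that remembers which scopes a user has already granted a client, prompts only for scopes not yet granted (so a later request for more permissions does not re-consent the earlier ones), lets the user de-select individual scopes at consent time (the Facebook-style control), and refuses any scope outside the client's vetted app-class scope set (the app-store vetting idea). Scope names, app classes, client ids and URLs are constructed for the example; the authorization URL builder uses only standard OAuth 2.0 request parameters.

```python
"""Added example: a model of progressive (incremental) OAuth scope consent.
Not the notes' own code; scope names, app classes, client ids and endpoints
below are constructed for illustration."""
from dataclasses import dataclass, field
from typing import Callable, Dict, Iterable, List, Set, Tuple
from urllib.parse import urlencode

# Hypothetical vetted maximum scope set per app class, as an app-store
# reviewer might approve it. A client is never granted more than this.
APP_CLASS_MAX_SCOPES: Dict[str, Set[str]] = {
    "photo_editor": {"photos:read", "photos:write"},
    "calendar_widget": {"calendar:read"},
}

# Consent callback: given the user and the scopes still needing consent,
# returns the subset the user actually approved (the user may de-select).
ConsentFn = Callable[[str, Set[str]], Iterable[str]]


@dataclass
class Client:
    client_id: str
    app_class: str
    redirect_uri: str


@dataclass
class AuthorizationServer:
    clients: Dict[str, Client]
    # (user, client_id) -> scopes this user has granted this client so far
    grants: Dict[Tuple[str, str], Set[str]] = field(default_factory=dict)

    def authorize(self, user: str, client_id: str, requested: Iterable[str],
                  consent: ConsentFn) -> Tuple[List[str], List[str]]:
        """Handle one authorization request incrementally.

        Returns (scopes placed in the issued token, scopes the user was
        prompted for). Raises PermissionError when the client asks for a
        scope outside its vetted app-class set."""
        client = self.clients[client_id]
        wanted = set(requested)
        over_limit = wanted - APP_CLASS_MAX_SCOPES[client.app_class]
        if over_limit:
            raise PermissionError(
                f"{client_id} asked for unvetted scopes: {sorted(over_limit)}")

        already = self.grants.setdefault((user, client_id), set())
        # Only the delta is shown to the user: scopes granted earlier are
        # reused, so asking for them again needs no fresh consent.
        to_prompt = wanted - already
        if to_prompt:
            approved = set(consent(user, to_prompt))
            if not approved <= to_prompt:
                raise ValueError("consent returned scopes that were not offered")
            already |= approved
        # The token carries only what was both requested now and granted.
        return sorted(wanted & already), sorted(to_prompt)


def build_authorization_url(authz_endpoint: str, client: Client,
                            scopes: Iterable[str], state: str) -> str:
    """Client side: request only the scopes needed for the current action,
    using the standard OAuth 2.0 authorization request parameters."""
    params = {
        "response_type": "code",
        "client_id": client.client_id,
        "redirect_uri": client.redirect_uri,
        "scope": " ".join(sorted(scopes)),
        "state": state,
    }
    return f"{authz_endpoint}?{urlencode(params)}"


def demo() -> dict:
    """Walk through the flow and return the observed results."""
    editor = Client("photo-app-123", "photo_editor", "https://app.example/cb")
    srv = AuthorizationServer(clients={editor.client_id: editor})
    approve_all = lambda user, scopes: scopes
    refuse_write = lambda user, scopes: scopes - {"photos:write"}

    # 1. First use: the app only needs to read photos, so it asks for that.
    tok1, prompt1 = srv.authorize("alice", editor.client_id,
                                  ["photos:read"], approve_all)
    # 2. Later the user hits "save": only the new scope is prompted for,
    #    and the user de-selects it, so the token keeps just photos:read.
    tok2, prompt2 = srv.authorize("alice", editor.client_id,
                                  ["photos:read", "photos:write"], refuse_write)
    # 3. A scope outside the vetted class is refused before any prompt.
    try:
        srv.authorize("alice", editor.client_id, ["calendar:read"], approve_all)
        rejected = False
    except PermissionError:
        rejected = True
    url = build_authorization_url("https://as.example/authorize", editor,
                                  ["photos:read"], "xyz")
    return {"tok1": tok1, "prompt1": prompt1, "tok2": tok2, "prompt2": prompt2,
            "rejected": rejected, "url": url}


if __name__ == "__main__":
    for key, value in demo().items():
        print(key, value)
```

The design point is that the delta computation lives on the authorization server: a client that asks for a small scope set on first use, then a larger one when a feature needs it, never forces the user back through consent for scopes already granted, and the vetted per-class ceiling bounds what any prompt can ask for regardless of how the client behaves.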