Preference to give a OAuth Application the permissions only once
Closed, Duplicate · Public

Description

I think it would be useful if an OAuth application required a confirmation only once. For example: when I'm using crosswatch, every time I log in, the OAuth tool asks me for "viewmywatchlist" and "editwatchlist". In my opinion it would be useful that, if the permissions that this application needs don't change, I only have to allow this tool one time to get my data, so I can log in the next times without confirmation.

Event Timeline

Luke081515 raised the priority of this task from to Needs Triage.
Luke081515 updated the task description.
Luke081515 added a subscriber: Luke081515.
Restricted Application added a subscriber: Aklapper. Aug 16 2015, 3:45 PM
Luke081515 set Security to None. Aug 16 2015, 3:46 PM
Sitic added a subscriber: Sitic. Aug 16 2015, 4:50 PM

See also T91801: Support a more user friendly "re-authentication" flow for returning users:

What's the point of having a "reauthorization" form if nothing about the consumer has changed (assuming valid request token and no revoked grants)? I wouldn't expect a user to click on "Login" on a tool in order to then revoke the authorization. If I wanted to revoke authorization for an app, the intuitive way for me would be to search for connected apps in the settings on my favorite wiki.
I would suggest going straightaway to the callback and not showing any form; it seems to me that many large OAuth service providers do it this way.