
Confirmation dialog for 'OAuth authenticate only (no api access)' right is not needed
Closed, Declined (Public)

Description

Currently, for a user to authorize with OAuth when the application's rights are set to 'authenticate only (no api access)' (this one: T88757), the user has to go through a confirmation screen. Is there any chance that this can be removed? All that this right gives the tool is the user's user ID/username, and all of the stuff that can be looked up from that (like edit count, registration time, etc.). It does not give any private info, such as the email address or real name. There is no need for this confirmation screen: it looks scary to new users, as per T91825, T75062, T69082 and T598, and is unneeded because the tool cannot do anything under the user, and no private info is being transferred.

Event Timeline

Tgr subscribed.

The ability to do an identity check without user consent would allow connecting IP addresses to usernames, and that's very private information. Knowing the username also makes phishing attacks easier.