Currently, for a user to authorize with OAuth, with the application rights being set to 'authenticate only (no api access)' (this one: T88757), the user has to go through a confirmation screen. Is there any chance that this can be removed? All that this right gives the tool is the user's user ID/username, and all of the stuff that can be looked up from that (like edit count, registration time, etc.). It does not give any private info, such as the email address or real name. There is no need for this confirmation screen; it looks scary to new users as per T91825, T75062, T69082 and T598, and is unneeded because the tool cannot do anything under the user, and no private info is being transferred.
Description
Related Objects
- Mentioned Here
  - T598: MediaWiki OAuth dialog text is unclear and sounds more scary than it is
  - T69082: Message describing OAuth activities is confusing to end user (in context of Wikidata Game)
  - T75062: OAuth permission screen needs redesign for better usability and comprehension
  - T88757: Add way for OAuth apps to only authenticate (no other valid rights)
  - T91825: Improve text of OAuth authorization dialog
Event Timeline
The ability to do an identity check without user consent would allow connecting IP addresses to usernames, and that's very private information. Knowing the username also makes phishing attacks easier.
(removed blockers, they were in the wrong direction and most of them not very relevant.)