
Templates for owner-only OAuth consumers
Open, Needs Triage, Public

Description

Creating an owner-only OAuth consumer is a developer task that in practice has to be performed by non-developers (the end users of a tool). This is suboptimal both for UX (the tool has to instruct the user which checkboxes to check, etc.) and for security (the OAuth consumer registration interface was never meant to make the security consequences of your choices easy to understand; that is what the authorization dialog is for). Also, owner-only apps completely circumvent admin review and might serve as a vehicle for tricking the user into compromising their own account.

Maybe we should rethink how owner-only apps work: require the tool developer to register a "master" consumer and get it through review the usual way, except that it would carry some kind of "owner-only template" flag preventing it from being used for actual authorization. Creating a new owner-only consumer could then happen through a flow similar to the authorization dialog, referencing the template, and would result in a new owner-only consumer that copies all settings from that template.
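To make the proposed invariants concrete, here is a small model of such a registry. It is an added example written for this task, not code from Extension:OAuth; the consumer fields, the `is_template` flag, the grant names and the review/approval API are all assumptions standing in for whatever the real extension would use. The points it demonstrates: a template consumer goes through review but can never authorize anyone; an owner-only consumer can only be instantiated from an approved template; the instantiated consumer copies the template's grants verbatim rather than letting the user pick checkboxes; and it can only be authorized by its owner.

```python
"""Model of template-based owner-only OAuth consumers (added example, not Extension:OAuth code)."""
import secrets
from dataclasses import dataclass, replace
from enum import Enum, auto
from typing import Optional


class Status(Enum):
    PROPOSED = auto()
    APPROVED = auto()
    REJECTED = auto()


class OAuthError(Exception):
    """Raised when a registry operation would violate one of the invariants below."""


@dataclass(frozen=True)
class Consumer:
    key: str
    owner: str                      # developer for templates, end user for owner-only consumers
    name: str
    grants: frozenset               # grant names; the values used in the test are made up
    status: Status
    owner_only: bool
    is_template: bool               # hypothetical flag proposed in the task
    template_key: Optional[str] = None   # for instantiated consumers: which template they copy


class Registry:
    def __init__(self):
        self._consumers = {}

    def get(self, key):
        try:
            return self._consumers[key]
        except KeyError:
            raise OAuthError("unknown consumer %s" % key) from None

    def register_template(self, developer, name, grants):
        """The tool developer registers a 'master' consumer that goes through review like any
        other, except that it is flagged as a template and is never usable for authorization."""
        c = Consumer(secrets.token_hex(8), developer, name, frozenset(grants),
                     Status.PROPOSED, owner_only=False, is_template=True)
        self._consumers[c.key] = c
        return c

    def approve(self, key, reviewer):
        """Admin review; the owner cannot approve their own consumer."""
        c = self.get(key)
        if reviewer == c.owner:
            raise OAuthError("self-approval is not review")
        self._consumers[key] = replace(c, status=Status.APPROVED)
        return self._consumers[key]

    def dialog_text(self, template_key):
        """What the instantiation flow shows the user, mirroring the authorization dialog."""
        t = self.get(template_key)
        return "%s (by %s) would act on your behalf with grants: %s" % (
            t.name, t.owner, ", ".join(sorted(t.grants)))

    def instantiate(self, template_key, user):
        """A non-developer creates an owner-only consumer from a reviewed template. Only the owner
        and the flags differ; grants are copied verbatim, so nothing review did not approve can be
        added, and nothing can be instantiated from an unreviewed template."""
        t = self.get(template_key)
        if not t.is_template:
            raise OAuthError("only template consumers can be instantiated")
        if t.status is not Status.APPROVED:
            raise OAuthError("template has not passed review")
        c = Consumer(secrets.token_hex(8), user, t.name, t.grants, Status.APPROVED,
                     owner_only=True, is_template=False, template_key=t.key)
        self._consumers[c.key] = c
        return c

    def authorize(self, key, user):
        """Authorization check: templates never authorize, unapproved consumers never authorize,
        owner-only consumers authorize only their owner."""
        c = self.get(key)
        if c.is_template:
            raise OAuthError("template consumers cannot be used for authorization")
        if c.status is not Status.APPROVED:
            raise OAuthError("consumer has not passed review")
        if c.owner_only and user != c.owner:
            raise OAuthError("owner-only consumer can only authorize its owner")
        return {"consumer": c.key, "user": user, "grants": sorted(c.grants)}


def denied(fn, *args):
    """True if the registry refuses the operation (used to check the invariants)."""
    try:
        fn(*args)
    except OAuthError:
        return True
    return False
```

The security-relevant property is that the user never sees the registration form at all: the only decision left to them is the same yes/no they would face in the authorization dialog, and the grants they end up with are exactly those an admin reviewed on the template.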