Monthly Archive for January, 2011

user management for oauth in firefox

Last week I worked on a little experiment around providing better user management over their OAuth permissions. There are a couple of issues that I wanted to tackle: the first is how to better educate users about what it means to give OAuth access to a website; the second is how to provide users with an interface that allows them to easily see what sites have access to their data, and how they can manage that.

With the first issue, you can read my previous rant about Huffington Post linking their Twitter Follow button to OAuth, basically getting full access to users’ accounts on Twitter when users follow them through their site. My solution is partially inspired by the KnowMore extension, which lets users know more about a company’s behavior when they visit a site (e.g. this company is known to use child labor). I wanted to see if having a mechanism in Firefox that could be used to tell users more about what sites do with OAuth access to their accounts would be interesting. Right now it doesn’t really tell them anything beyond what the normal OAuth allow pages do, but it could.

In the image below, you can see I added a notification bar. This will appear anytime an OAuth authorization request is made.

The second issue is also a hard user problem. Users might give a lot of different sites access to different accounts (Facebook, Google, Twitter, etc.). It is non-obvious where a user can go to see what has access to their data. I added an about:oauth page (see below; yes, it’s fugly right now) that shows what sites have access to what accounts (assuming they had this addon installed when they gave that access) and provides a link to the account’s revoke/manage page. Unfortunately I have to hard-code the revoke URL since there is no discoverability for that.
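As an added example (not the addon code from the post), here is how the two pieces described above fit together in an extension's JavaScript: a detector that recognizes an OAuth authorization request from the URL a tab is loading, which is what the notification bar would key on, and the ledger that an about:oauth page renders. It also recognizes OAuth 2 authorization URLs, which the post's addon does not claim to; the provider hosts, revoke URLs and sample URLs in the test are constructed placeholders.

```javascript
// Added example, not the post's addon code. Provider hosts and revoke URLs are
// placeholders: OAuth has no discovery for the revoke page, so it is hard-coded.
const PROVIDERS = {
  "api.twitter.example": { name: "Twitter", revokeUrl: "https://twitter.example/settings/connections" },
  "accounts.google.example": { name: "Google", revokeUrl: "https://accounts.google.example/issued-tokens" },
};

function hostOf(s) { try { return new URL(s).hostname; } catch (e) { return null; } }

// Given the URL a tab is loading and its referrer, return the pending grant (who
// is asking for which account) or null; this is what the notification bar keys on.
function detectAuthorization(url, referrer) {
  let u; try { u = new URL(url); } catch (e) { return null; }
  const provider = PROVIDERS[u.hostname];
  if (!provider) return null;
  const q = u.searchParams;
  let kind, consumer;
  if (/^\/oauth\/(authorize|authenticate)$/.test(u.pathname) && q.get("oauth_token")) {
    // OAuth 1.0a: the request token says nothing about the consumer, so the
    // only hint is the referring page, which may be missing or stripped.
    kind = "oauth1"; consumer = hostOf(referrer);
  } else if (q.get("client_id") && /^(code|token)$/.test(q.get("response_type") || "")) {
    // OAuth 2: redirect_uri names the site that will receive the token.
    kind = "oauth2"; consumer = hostOf(q.get("redirect_uri"));
  } else return null;
  return { provider: provider.name, consumer: consumer || "(unknown site)", kind,
           scope: q.get("scope") || "", revokeUrl: provider.revokeUrl };
}

// The ledger behind about:oauth: which sites hold access to which account.
class AccessLedger {
  constructor() { this.grants = new Map(); }
  record(req) {
    const key = req.provider + "|" + req.consumer;
    if (!this.grants.has(key)) this.grants.set(key, { provider: req.provider,
      consumer: req.consumer, revokeUrl: req.revokeUrl, scopes: new Set() });
    const entry = this.grants.get(key);
    if (req.scope) entry.scopes.add(req.scope);
    return entry;
  }
  byProvider() {
    const view = {};
    for (const g of this.grants.values()) {
      if (!view[g.provider]) view[g.provider] = { revokeUrl: g.revokeUrl, sites: [] };
      view[g.provider].sites.push(g.consumer);
    }
    return view;
  }
}
```

Note that the OAuth 1.0a branch can only name the requesting site from the referrer, so a missing referrer leaves an "(unknown site)" entry; the OAuth 2 branch gets the site from redirect_uri instead.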

Where could it go from here?

The notification bar could link to some user maintained pages that describe any abuses that sites might do, or it could simply point to a user education page that explains privacy issues around giving access to their account data.

We could work with organizations to get discoverability and APIs for OAuth token management and have a single point of management in the browser.

I suppose it just depends on whether there are enough tin-foil hats in the room.

If you’re interested in the code, you can find it on GitHub.

What I would change in OAuth

Now that I had my rant about the misuse of OAuth, I thought I’d mention a couple of things that I think should be fixed in OAuth. I’m kind of skipping the “why” here, just to keep things short. And no, this doesn’t fix the problems from my rant; I’m not seeing how those issues can be fixed from a protocol perspective.

1. Enhance permissions via attribute exchange

OpenID has a couple extensions, Attribute Exchange and Simple Registration Extension. Adding a similar simple attribute exchange capability to OAuth would allow for finer permissions control. While OAuth 2 has added a scope for requesting permissions, it still lacks the ability to define required permissions and optional permissions, along with information as to what those permissions will be used for. A core/common set of social permissions should also be developed (e.g. write-wall). Oh, and please stop pretending that write access also means read access.

2. Add a ‘3rd party authentication’ setting

It seems some sites are using OAuth in place of OpenID for having a way to authenticate users, usually due to wanting access to some account data/APIs as well. I see plenty of confused comments around the two. Since it seems OAuth will get used this way, OAuth should just provide an authentication id like OpenID. It is a bit out of scope for OAuth, but really sites just want a “Connect with X” capability where they can authenticate a user and easily ask them for more information. OpenID+OAuth could be used as well, but it’s just more complexity.

Maybe what I really want is OpenID Connect

3. Better UI handling

Google at least supports a method to tell them what size/kind of UI you want for the OAuth authorization page; this should be a standard part of OAuth. Having done two systems already that attempt to put that into a dialog, it’s easy to see that every single site does something different enough to make the process awkward.

4. Management discovery

Ever try to revoke access to an application? Know where to start? Knowing and managing what access you have given to what applications/web sites should be easy for the user. That management aspect is not really a part of OAuth, but the discovery of the management URL should be defined in OAuth. I might go a step further and say that sites implementing OAuth should also have an OAuth management API. Then it would be simple to provide a centralized management UI in a Firefox addon. It would also be nice to know what data has been retrieved by whom.

Huffington Post: an example of social privacy problems

A few weeks ago I ran across an article (via some social site) on Huffington Post. I read articles there from time to time, and I thought, why not follow them on Twitter? I found the Twitter icon, clicked on it and got presented with a small dialog giving me a few options.

Well, I don’t want to log in to their site using Twitter, so I click on the big Follow button. What happened next surprised me: I ended up on the Twitter OAuth page… that has a tantalizing big blue “Allow” button.

For those who may not know what OAuth is, put simply, it is a way to authorize one web site to access your data from another website without giving away your password. Generally the first web site will ask for certain kinds of access, such as posting to your wall (Facebook), reading your contacts, or accessing your profile information (e.g. email address, age, etc.).

Despite Twitter saying they “take your privacy very seriously”, when you give Twitter OAuth access to a site, the web site gets access to everything in your Twitter account, including reading your direct messages (kind of like private messages between two Twitter users), the people you follow, and the people who follow you. Basically, a site using OAuth with Twitter can do everything you can do on Twitter; they are, in fact, YOU.

Well, I was a bit shocked that I was being asked for access to my Twitter account just so I could follow their tweets; it’s unnecessary. My next thought was, why do they want this access? Their login page really doesn’t explain or provide me a way to find out.

I looked at their privacy statement: no mention of Twitter. I looked at the user agreement: way too long and legalese to digest. I finally thought of looking in the FAQ, and while it doesn’t explicitly state what they will do with my Twitter account, I kind of figured it out (they’ll use my contacts to show them what I see on the site, and likewise to let me see what my contacts view).

Well, that’s kind of OK if that was what I was trying to do, but all I wanted was to follow their tweets. I wonder how many of their 785K followers gave them full access to their accounts.

Then I wondered about what they would get from other accounts. With Google they get my Gmail address and my contacts. With Yahoo!, they get access to my status, my updates, contacts and profile. I don’t even bother looking at what they get from Facebook; it would be too much.

All I wanted to do was follow their tweets.

Why is this a problem? Well, I do a bit of work with OAuth and OpenID and understand what can be obtained from using these. I think they are great technologies when used correctly. That’s the problem. When used incorrectly, typical non-technical users are not going to understand the implications. My hunch is that the typical user will give that access away without necessarily understanding what is happening.

Is the problem OAuth?

While there are problems that should be fixed in OAuth, the scenario above is not fixable by the OAuth protocol. The scenario above is an example of two organizations doing the wrong thing with the OAuth protocol. Twitter simply does not provide enough controls, tossing out the baby with the bathwater. Huffington Post appears to be attempting to gain subscribers by relying on the lack of understanding that the general population has around the technologies involved. Yes, given some knowledge and digging I feel like I know what will happen with my data; no, I don’t feel like either organization is Evil, just Wrong.

I decided not to follow Huffington Post and feel somewhat deflated.

Side note: yes, a website may limit their access to only reading your Twitter data, but that still gives access to all your data.