Last week I worked on a little experiment around giving users better management of their OAuth permissions. There are a couple of issues that I wanted to tackle. The first is how to better educate users about what it means to give OAuth access to a website; the second is how to provide users with an interface that lets them easily see which sites have access to their data, and how they can manage that access.
On the first issue, you can read my previous rant about Huffington Post linking their Twitter Follow button to OAuth, basically getting full access to users' Twitter accounts when users follow them through their site. My solution is partially inspired by the KnowMore extension, which lets users know more about a company's behavior when they visit a site (e.g. this company is known to use child labor). I wanted to see if having a mechanism in Firefox that could be used to tell users more about what sites do with OAuth access to their accounts would be interesting. Right now it doesn't really tell them anything beyond what the normal OAuth allow pages do, but it could.
The second issue is also a hard user problem. Users might give a lot of different sites access to different accounts (Facebook, Google, Twitter, etc.). It is non-obvious where a user can go to see what has access to their data. I added an about:oauth page (see below, yes it's fugly right now) that shows which sites have access to which accounts (assuming they had this addon installed when they gave that access) and provides a link to the account's revoke/manage page. Unfortunately I have to hard-code the revoke URL since there is no discoverability for that.
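To make the two pieces concrete (recording which site sent the user to which provider's authorization page, and listing those grants with a hard-coded revoke link), here is an added JavaScript sketch; it is not the addon's code from GitHub. The provider table, its authorize-endpoint patterns and the revoke URLs are assumed placeholders, which is exactly the discoverability gap mentioned above.

```javascript
// Added example, not the post's extension code. Provider patterns and revoke
// pages are hypothetical placeholders a maintainer would have to fill in by
// hand, since providers publish no discovery mechanism for them.
const PROVIDERS = [
  { name: 'twitter', authorize: /^https:\/\/api\.twitter\.com\/oauth\/authorize\b/,
    revoke: 'https://example.invalid/twitter/revoke-placeholder' },
  { name: 'facebook', authorize: /^https:\/\/www\.facebook\.com\/dialog\/oauth\b/,
    revoke: 'https://example.invalid/facebook/revoke-placeholder' },
];

// Grants observed while the (hypothetical) addon is installed, keyed "provider|site".
const grants = new Map();

// Called for each top-level navigation with the URL being loaded and the page
// that initiated it. Returns the recorded grant, or null when the URL is not a
// known authorization endpoint or the initiating site cannot be determined.
function observeNavigation(url, referrer, now = Date.now()) {
  const provider = PROVIDERS.find((p) => p.authorize.test(url));
  if (!provider || !referrer) return null;
  let site;
  try {
    site = new URL(referrer).hostname;
  } catch (e) {
    return null; // malformed referrer: nothing to attribute the grant to
  }
  // The site that sent the user to the authorize page is the one the
  // notification bar would describe and about:oauth would list.
  const key = `${provider.name}|${site}`;
  const existing = grants.get(key);
  if (existing) {
    existing.lastSeen = now; // user re-authorized the same site
    return existing;
  }
  const grant = { provider: provider.name, site, firstSeen: now, lastSeen: now };
  grants.set(key, grant);
  return grant;
}

// Rows for an about:oauth-style page: one per (site, account), with the
// provider's hard-coded revoke/manage URL alongside.
function aboutOauthRows() {
  return [...grants.values()]
    .map((g) => ({
      site: g.site,
      account: g.provider,
      revokeUrl: PROVIDERS.find((p) => p.name === g.provider).revoke,
    }))
    .sort((a, b) => a.site.localeCompare(b.site) || a.account.localeCompare(b.account));
}
```

A grant is only seen if the authorization happens while the addon is watching navigations, and a site that strips the referrer will not be attributed at all.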
Where could it go from here?
The notification bar could link to some user maintained pages that describe any abuses that sites might do, or it could simply point to a user education page that explains privacy issues around giving access to their account data.
We could work with organizations to get discoverability and APIs for OAuth token management and have a single point of management in the browser.
I suppose it just depends on whether there are enough tin-foil hats in the room.
If you’re interested in the code, you can find it on github.