ORCID / ORCID-Parent

Repository for the real ORCID code. Any issues with devsandbox.orcid.org should be logged here.

Improve OAuth authorization flow: display human-readable scope definitions #9

Open gthorisson opened 12 years ago

gthorisson commented 12 years ago

On the authorization form in the front end (http://devsandbox.orcid.org/oauth/authorize), only the "Authorize" and "Deny" buttons are shown with no explanation at all. Therefore the user has no way of knowing what he is about to authorize. In other words, the authz form is missing a human-readable definition corresponding with the OAuth scope being requested.

Example from "the wild": Twitter shows me the following when I try to sign in on http://lanyard.com with my Twitter ID. Usefully, I am informed what the app will NOT be permitted to do:

Authorize Lanyrd.com to use your account?

This application will be able to:
  Read Tweets from your timeline.
  See who you follow, and follow new people.
  Update your profile.
  Post Tweets for you.

[Sign in & approve button] [Cancel button]
This application will NOT be able to:
  Access your direct messages.
  See your Twitter password.
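As an added illustration of the consent screen the issue asks for (this is example code, not ORCID's own implementation, and the scope identifiers, descriptions and client name are constructed placeholders rather than ORCID's real scopes), the following maps each requested OAuth scope to a sentence the user can read, lists what the app will and will not be able to do in the same shape as the Twitter dialog above, and refuses to build a consent page for any scope the server cannot describe:

```python
"""Render an OAuth authorization (consent) page that explains scopes in plain language.

Added illustration for the issue above; this is not ORCID's code. The scope
identifiers and wording below are constructed examples, not ORCID's real scopes.
"""
from urllib.parse import parse_qs, urlsplit

# Constructed catalogue: every scope the server is willing to grant, with the
# sentence shown to the user. Anything missing from here is unknown to the server.
SCOPE_DESCRIPTIONS = {
    "profile:read": "Read your public profile.",
    "works:create": "Add new works to your record.",
    "works:update": "Edit works already on your record.",
    "email:read": "See the email address on your account.",
}


def parse_requested_scopes(authorize_url):
    """Extract the space-separated `scope` parameter from an /oauth/authorize URL."""
    query = parse_qs(urlsplit(authorize_url).query)
    raw = query.get("scope", [""])[0]
    # Deduplicate while preserving the order the client asked for.
    seen = []
    for scope in raw.split():
        if scope not in seen:
            seen.append(scope)
    return seen


def build_consent(requested):
    """Split requested scopes into what the app will and will not be able to do.

    Raises ValueError on any scope not in the catalogue: a scope the server
    cannot describe to the user must never be silently approved.
    """
    unknown = [s for s in requested if s not in SCOPE_DESCRIPTIONS]
    if unknown:
        raise ValueError("unknown scope(s) requested: " + ", ".join(unknown))
    granted = [SCOPE_DESCRIPTIONS[s] for s in requested]
    denied = [desc for s, desc in SCOPE_DESCRIPTIONS.items() if s not in requested]
    return {"can": granted, "cannot": denied}


def render_consent_text(client_name, requested):
    """Plain-text rendering in the style of the Twitter dialog quoted in the issue."""
    consent = build_consent(requested)
    lines = [f"Authorize {client_name} to use your account?", "",
             "This application will be able to:"]
    lines += ["  " + d for d in consent["can"]]
    lines += ["", "This application will NOT be able to:"]
    lines += ["  " + d for d in consent["cannot"]]
    return "\n".join(lines)


if __name__ == "__main__":
    # Constructed request; the host and client_id value are placeholders.
    url = ("https://example.test/oauth/authorize?client_id=EXAMPLE_CLIENT"
           "&response_type=code&scope=profile:read+works:create")
    print(render_consent_text("Example App", parse_requested_scopes(url)))
```

The "will NOT be able to" list is derived from the same catalogue rather than written by hand, so it cannot drift out of step with the scopes the server actually grants, and an unrecognised scope fails closed instead of reaching the user as an unexplained "Authorize" button.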