PixelCrafters / StartupHealthCheck

StartupHealthCheck powers startup community hubs, including WeAreYVR.
http://startuphealthcheck.org

Auth0 Scope should request only authentication, not additional data #46

Open MarketFit opened 10 years ago

MarketFit commented 10 years ago

The call to Auth0 currently is:

<button onclick="widget.signin({ scope: 'openid profile' })" class="btn btn-primary" >Login</button>

This results in Auth0 requesting access to users' Tweets and Twitter followers, LinkedIn Profile information, and Google+ personal data. This is far more information than is required to support simple authentication. This request for additional data may lead users not to proceed, as they may not want Auth0 (or WeAreYVR) to have access to their personal data.

Fortunately, it looks as if we can request authentication only, without personal data access.

According to the Auth0 Docs, the following Scope parameters are available:

scope: 'openid': (default) It will return, not only the access_token, but also an id_token which is a Json Web Token (JWT). The JWT will only contain the user id (sub claim).
scope: 'openid profile': If you want the entire user profile to be part of the id_token.
scope: 'openid {attr1} {attr2} {attrN}': If you want only specific user's attributes to be part of the id_token (For example: scope: 'openid name email picture').

It looks like if we use the default scope: 'openid': rather than the current scope: 'openid profile': then we might get simple authentication rather than personal profile access. Worth testing to be sure...
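The following is an added example for this thread, not code from StartupHealthCheck or Auth0. It assumes the scope behaviour quoted from the Auth0 docs above ('openid' alone gives an id_token carrying only `sub`; 'openid {attr...}' adds only the named attributes) and that the id_token is a standard three-part JWT. It builds the narrowest scope string for the attributes the site actually needs (the avatar, for instance, would be 'openid picture'), audits an existing scope string such as the one in the login button, and decodes a token's payload so the claims it actually exposes can be checked rather than guessed. The two tokens are constructed here for illustration and are not real Auth0 output.

```javascript
// Added example (not from the StartupHealthCheck repo or Auth0).
// Assumes the Auth0 scope semantics quoted in the comment above.

// Claims that describe the token itself rather than the user's profile.
const REGISTERED_CLAIMS = new Set(["iss", "sub", "aud", "exp", "iat", "nbf", "jti"]);

// Build the narrowest scope that still covers what the app needs.
// No attributes -> plain 'openid' (id_token carries only `sub`).
// 'profile' is refused because it requests the entire user profile.
function buildScope(neededAttrs) {
  const attrs = [...new Set(neededAttrs)].sort();
  for (const a of attrs) {
    if (a === "profile") throw new Error("use named attributes instead of the 'profile' scope");
    if (!/^[a-z_]+$/.test(a)) throw new Error(`invalid attribute name: ${a}`);
  }
  return ["openid", ...attrs].join(" ");
}

// Review an existing scope string, e.g. the one in the login button.
function auditScope(scope) {
  const parts = scope.trim().split(/\s+/);
  const problems = [];
  if (parts[0] !== "openid") problems.push("scope must start with 'openid'");
  if (parts.includes("profile")) problems.push("'profile' requests the entire user profile");
  return { minimal: problems.length === 0, attrs: parts.slice(1), problems };
}

// Decode a JWT payload WITHOUT verifying it. This is for inspection only;
// signature and expiry checks stay with the library that consumes the token.
function decodeIdTokenClaims(jwt) {
  const parts = jwt.split(".");
  if (parts.length !== 3) throw new Error("not a three-part JWT");
  const b64 = parts[1].replace(/-/g, "+").replace(/_/g, "/");
  return JSON.parse(Buffer.from(b64, "base64").toString("utf8"));
}

// Profile claims present beyond the bare identity (`sub`), sorted.
function profileClaims(claims) {
  return Object.keys(claims).filter((k) => !REGISTERED_CLAIMS.has(k)).sort();
}

// --- constructed samples: not real Auth0 tokens, signature segment is fake ---
function makeSampleToken(payload) {
  const enc = (obj) =>
    Buffer.from(JSON.stringify(obj)).toString("base64")
      .replace(/\+/g, "-").replace(/\//g, "_").replace(/=+$/, "");
  return `${enc({ alg: "none", typ: "JWT" })}.${enc(payload)}.fakesig`;
}

const BASE = { iss: "https://example.auth0.invalid/", sub: "twitter|123", aud: "client-id", exp: 1404000000 };
// What 'openid' alone would carry (constructed).
const SAMPLE_MINIMAL = makeSampleToken(BASE);
// What 'openid profile' could carry (constructed).
const SAMPLE_FULL = makeSampleToken({
  ...BASE,
  name: "Alan",
  nickname: "alan",
  email: "alan@example.invalid",
  picture: "https://example.invalid/avatar.png",
});

// Usage: compare the current request with a least-privilege one.
console.log(auditScope("openid profile"));                    // minimal: false
console.log(buildScope(["picture"]));                          // "openid picture"
console.log(profileClaims(decodeIdTokenClaims(SAMPLE_MINIMAL))); // []
console.log(profileClaims(decodeIdTokenClaims(SAMPLE_FULL)));    // [ 'email', 'name', 'nickname', 'picture' ]
```

`buildScope` is the piece that resolves the avatar question raised later in the thread: ask for the one attribute the site stores (`picture`) instead of `profile`, and extend the list only when a new field is genuinely needed. `decodeIdTokenClaims` deliberately skips signature verification; it is a debugging aid for confirming what a given scope returns, not a replacement for the library's token validation.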

bmann commented 10 years ago

Hi Alan --

Yeah, we definitely have to work with Auth0 on a bunch of things. We do need profile access to suck in people's avatar, I believe.

And, we actually DO want as much information as people are willing to give us, since it means people don't need to re-type information in.

Twitter doesn't have much -- just bio, avatar, a link, and a location.

MarketFit commented 10 years ago

Good point about needing to suck in the avatar (and potentially other info).

Still, the current request is for far more info than is required. And the approval is to give Auth0 (not WeAreYVR) the permission. Users may not know Auth0, and won’t know whether to trust Auth0 to not abuse the permission.

So keeping the requested permissions to the minimum necessary is probably the best approach — subject to API granularity.

Alan
