Open nokome opened 3 years ago
After some research and experimentation it appears that the "have opened" in "have opened or created with this app" can be achieved using the Google Picker API which allows us to explicitly "open" a file on Google Drive using an app. See https://stackoverflow.com/questions/61347230/accessing-manually-added-files-on-google-drive-using-google-drive-api
A number of users have, not surprisingly, been disconcerted by the permissions that we request when they sign-in with Google. Personally, if I was just wanting to try out the tool, I don't think I would agree to these:
And when one clicks on the "info" icon next to Drive for example:
There are a couple of potential approaches to avoiding users bailing out at this step.
1. Reduced requested scopes
Currently, we request the following scopes for users authenticating with Google:
https://github.com/stencila/hub/blob/3317d6522ed903ca8704885646f2116eed437790/manager/manager/settings.py#L291-L298
Instead of using the scope https://www.googleapis.com/auth/drive we could maybe use https://www.googleapis.com/auth/drive.file which allows "View and manage Google Drive files and folders that you have opened or created with this app". Note that this scope is also listed under Google Docs and Sheets scopes so may suffice as a single replacement to the three scopes we are currently requesting. My only hesitation with this is what "have opened" means - but we can test that (see below).
The permissions screen would then have the following:
We should find the minimum scope that allows the following existing functionality:
2. Explain why scopes are requested
Even with reduced scopes it may be worth explaining in more detail why we are requesting the scopes and what they allow us to do and not to do. This could be done on an intermediate page before the user gets redirected to Google.
3. Implement different scopes for signin and integrations
For users that just want to be able to signin with Google we could simply ask for the profile and email scopes. Then, later, if the user wanted to use integrations with Google Docs etc we could ask for additional permissions. This could be tricky to implement, and would introduce more friction for the user. Could be done if we see evidence / get feedback that users are still baulking at the reduced permissions.
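A sketch of approach 3 combined with the reduced drive.file scope from approach 1, as an added example that is not Stencila Hub code: sign-in requests only identity scopes, and the Drive scope is requested later through Google's incremental authorization (include_granted_scopes). The tier names, function names, client id and redirect URI are hypothetical.

```python
import secrets
from urllib.parse import urlencode

GOOGLE_AUTH_ENDPOINT = "https://accounts.google.com/o/oauth2/v2/auth"
DRIVE_FILE = "https://www.googleapis.com/auth/drive.file"

# Tier names are hypothetical; the scope strings are Google's.
SCOPES = {"signin": ["openid", "email", "profile"], "drive": [DRIVE_FILE]}

# Google's token response reports the short sign-in scopes under their long names.
ALIASES = {
    "email": "https://www.googleapis.com/auth/userinfo.email",
    "profile": "https://www.googleapis.com/auth/userinfo.profile",
}

def authorization_url(tier, client_id, redirect_uri, state=None):
    """Build the consent URL for one tier; returns (url, state)."""
    state = state or secrets.token_urlsafe(16)
    params = {
        "client_id": client_id,
        "redirect_uri": redirect_uri,
        "response_type": "code",
        "scope": " ".join(SCOPES[tier]),
        "state": state,  # anti-CSRF value, must be checked on the callback
    }
    if tier != "signin":
        # Incremental authorization: the new token also carries earlier grants.
        params["include_granted_scopes"] = "true"
    return GOOGLE_AUTH_ENDPOINT + "?" + urlencode(params), state

def missing_scopes(granted, tier):
    """Scopes of `tier` absent from a token response's space-delimited scope string."""
    have = set(granted.split())
    return [s for s in SCOPES[tier]
            if s not in have and ALIASES.get(s) not in have]

def next_step(granted, tier, client_id, redirect_uri):
    """None if the user already granted the tier, else the consent URL to redirect to."""
    if not missing_scopes(granted, tier):
        return None
    return authorization_url(tier, client_id, redirect_uri)[0]
```

The integration view would call next_step with the scope string stored from the user's last token response, so the Drive consent screen appears only when a Drive feature is first used.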