[Labs-l] Storing oauth tokens in a tool account

Sam Wilson sam at samwilson.id.au
Fri Feb 3 03:48:37 UTC 2017


I will add a link and instructions about revoking the tool from the user's
authorized applications.




On Fri, 3 Feb 2017, at 11:32 AM, Maximilian Doerr wrote:

> My viewpoint is that tokens are considered private information, and
> their use during the active browsing session is permitted without
> disclosure as the end-user is in control of connecting the application
> or not.  However, I consider the storing of these tokens for later use
> to be storing private data which, by the ToS of labs, must be disclosed
> to the user.
>
> Cyberpower678
> English Wikipedia Account Creation Team
> English Wikipedia Administrator
> Global User Renamer
>

>> On Feb 2, 2017, at 22:27, Bryan Davis <bd808 at wikimedia.org> wrote:
>>
>> On Thu, Feb 2, 2017 at 8:00 PM, Maximilian Doerr
>> <maximilian.doerr at gmail.com> wrote:
>>> As long as the information isn't permanently stored, and the storage
>>> location is secure, you can go ahead and do that, BUT such storage
>>> must be disclosed to the user in a very visible manner, like a tool
>>> ToS, similar to what https://tools.wmflabs.org/iabot/ does for first
>>> time use, that discloses what it stores, why it's being stored, and
>>> how long it's being stored for, so users can make an informed
>>> decision on whether or not to use your tool and if they are
>>> comfortable with that condition.
>>
>> Documenting how the tool works and what it stores are very good and
>> reasonable things to do. However, I would personally assume that the
>> approval of the OAuth grant in the first place by the end user is
>> consent to use the token. There is no contract, implied or otherwise,
>> in the OAuth prompt that the grant of rights is limited to the scope
>> of a single browser session. OAuth tokens are similar in concept to a
>> valet key [0]. When a grant request is accepted you as the granting
>> user are giving the requesting application the right and ability to
>> perform any of the actions covered by the grant until such a time as
>> the grant is revoked by you using Special:OAuthManageMyGrants [1] or
>> the application itself has its rights revoked globally for some terms
>> of service violation. That being said, tokens should not be stored
>> without a reason and reasonable precautions should be taken to ensure
>> that tokens are not exposed to other users of the application or
>> third parties.
>>
>> [0]: https://en.wikipedia.org/wiki/Key_(lock)#Car_keys
>> [1]: https://meta.wikimedia.org/wiki/Special:OAuthManageMyGrants
>>
>> Bryan
>> -- 
>> Bryan Davis              Wikimedia Foundation
>> <bd808 at wikimedia.org>
>> [[m:User:BDavis_(WMF)]]  Sr Software Engineer
>> Boise, ID USA
>> irc: bd808
>> v:415.839.6885 x6855
>>
>> _______________________________________________
>> Labs-l mailing list
>> Labs-l at lists.wikimedia.org
>> https://lists.wikimedia.org/mailman/listinfo/labs-l
