This repository has been archived by the owner on Mar 24, 2020. It is now read-only.

Auth0 Scope should request only authentication, not additional data #46

Open
MarketFit opened this issue Jun 26, 2014 · 2 comments

@MarketFit

The call to Auth0 currently is:

<button onclick="widget.signin({ scope: 'openid profile' })" class="btn btn-primary" >Login</button>

This results in Auth0 requesting access to users' Tweets and Twitter followers, LinkedIn Profile information, and Google+ personal data. This is far more information than is required to support simple authentication. This request for additional data may lead users not to proceed, as they may not want Auth0 (or WeAreYVR) to have access to their personal data.

Fortunately, it looks as if we can request authentication only, without personal data access.

According to the Auth0 Docs, the following Scope parameters are available:

scope: 'openid': (default) It will return not only the access_token but also an id_token, which is a JSON Web Token (JWT). The JWT will only contain the user id (sub claim).
scope: 'openid profile': If you want the entire user profile to be part of the id_token.
scope: 'openid {attr1} {attr2} {attrN}': If you want only specific user attributes to be part of the id_token (for example: scope: 'openid name email picture').

It looks like if we use the default scope: 'openid' rather than the current scope: 'openid profile', then we might get simple authentication rather than personal profile access. Worth testing to be sure...
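
The following is an added example, not code from the WeAreYVR repository or from Auth0's widget. It puts the "openid {attr1} {attr2}" form quoted above into practice: buildScope() composes a least-privilege scope from the attributes the app actually consumes and refuses the catch-all 'profile', and unexpectedClaims() decodes the returned id_token and lists any profile attributes that were never requested, which is one way to "test to be sure". Assumptions not taken from the issue: the app only needs the avatar, so NEEDED_ATTRIBUTES is ['picture']; the two sample tokens, their issuer, client id and claim values are constructed for the example and carry dummy signatures.

```javascript
// Added example (not the WeAreYVR project's code, not Auth0's SDK).
// Assumption: only the avatar is consumed today, so the scope is 'openid picture'.
const NEEDED_ATTRIBUTES = ['picture'];

// Claims every id_token carries regardless of scope; anything else is profile data.
const STANDARD_CLAIMS = new Set(['iss', 'sub', 'aud', 'exp', 'iat', 'nbf', 'jti', 'azp', 'nonce', 'at_hash']);

// 'openid' is mandatory; attributes are deduplicated; 'profile' is rejected because it
// requests the entire user profile rather than the specific attributes needed.
function buildScope(attrs) {
  const extra = [...new Set(attrs)].filter((a) => a !== 'openid');
  if (extra.includes('profile')) {
    throw new Error("'profile' pulls the entire user profile; name the attributes you need instead");
  }
  return ['openid', ...extra].join(' ');
}

// Options object for the widget call shown in the issue: widget.signin(signinOptions())
function signinOptions(attrs = NEEDED_ATTRIBUTES) {
  return { scope: buildScope(attrs) };
}

// base64url helpers: Node Buffer when present, otherwise browser atob/btoa (ASCII payloads only).
function base64UrlEncode(str) {
  const b64 = typeof Buffer !== 'undefined' ? Buffer.from(str, 'utf8').toString('base64') : btoa(str);
  return b64.replace(/\+/g, '-').replace(/\//g, '_').replace(/=+$/, '');
}
function base64UrlDecode(str) {
  let b64 = str.replace(/-/g, '+').replace(/_/g, '/');
  while (b64.length % 4) b64 += '=';
  return typeof Buffer !== 'undefined' ? Buffer.from(b64, 'base64').toString('utf8') : atob(b64);
}

// Reads the payload WITHOUT checking the signature. Fine for seeing which claims came back;
// not fine for trusting them: verify the signature server-side before acting on any claim.
function decodeJwtPayload(idToken) {
  const parts = idToken.split('.');
  if (parts.length !== 3) throw new Error('not a compact JWS (expected header.payload.signature)');
  return JSON.parse(base64UrlDecode(parts[1]));
}

// Profile attributes present in the token that were not part of the requested scope.
function unexpectedClaims(idToken, requestedScope) {
  const requested = new Set(requestedScope.split(/\s+/).filter(Boolean));
  return Object.keys(decodeJwtPayload(idToken)).filter((k) => !STANDARD_CLAIMS.has(k) && !requested.has(k));
}

// --- constructed sample tokens (HS256 header, dummy signature; values are made up) ---
function makeUnsignedToken(payload) {
  const header = base64UrlEncode(JSON.stringify({ alg: 'HS256', typ: 'JWT' }));
  return `${header}.${base64UrlEncode(JSON.stringify(payload))}.dummysignature`;
}
const BASE_CLAIMS = { iss: 'https://example.auth0.com/', sub: 'twitter|12345', aud: 'CLIENT_ID', exp: 1403913600, iat: 1403877600 };
// What scope 'openid' alone should yield: identity only.
const MINIMAL_TOKEN = makeUnsignedToken(BASE_CLAIMS);
// What 'openid profile' yields: everything the identity provider handed over.
const PROFILE_TOKEN = makeUnsignedToken({
  ...BASE_CLAIMS,
  picture: 'https://example.invalid/avatar.png',
  name: 'Alan',
  nickname: 'marketfit',
  description: 'bio text',
  location: 'Vancouver',
});

// Usage: console.log(signinOptions()); console.log(unexpectedClaims(PROFILE_TOKEN, signinOptions().scope));
```

Run against the minimal token, unexpectedClaims() returns an empty list; run against the profile token with 'openid picture' it returns name, nickname, description and location, which is exactly the data the original 'openid profile' scope was pulling in without being needed. The decode step deliberately skips signature verification because its purpose is inspection in the browser; anything the app relies on must come from a token verified on the server.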

@bmann
Member

bmann commented Jun 27, 2014

Hi Alan --

Yeah, we definitely have to work with Auth0 on a bunch of things. We do need profile access to suck in people's avatar, I believe.

And, we actually DO want as much information as people are willing to give us, since it means people don't need to re-type information in.

Twitter doesn't have much -- just bio, avatar, a link, and a location.

@MarketFit
Author

Good point about needing to suck in the avatar (and potentially other info).

Still, the current request is for far more info than is required. And the approval is to give Auth0 (not WeAreYVR) the permission. Users may not know Auth0, and won’t know whether to trust Auth0 to not abuse the permission.

So keeping the requested permissions to the minimum necessary is probably the best approach — subject to API granularity.

Alan

