
OP is complaining that the authorization is "all or nothing" and that the form looks quite similar to the normal, ordinary Google sign-up window, and that the severity of the action is not proportional to the appearance. I guess.

And I agree with him. The fact that you are giving away a decade of correspondence should not be at the same size as "Yes, I agree with the server saving my cookies".

I think both parties are to blame here, that being Google and Fleep.

Google should make it much clearer in the OAuth flow that the scopes you are allowing could potentially allow the third party to download your entire history. Google aren't the only ones guilty of this. OAuth is built upon user trust and control of scopes. Don't hide them away in a "click for more information" dialog, make it clear right there that certain scopes are giving away much more information.

Fleep should not be importing my e-mail as part of the initial "signup with Google" flow. It should be a second step after I have got past the OAuth stage and they should make it clear that they will be importing my entire history from Google. A drive-by import might be a "frictionless" user experience, but it can appear clandestine.

And for anyone else using OAuth, or clicking "signup with $foo" - always always always check the scopes you are allowing. Remove all but the essentials required for you to "sign in"; that should only be your name/email address. If you can't limit the scopes then just sign up the old-fashioned way: your e-mail address and a unique password.

The third paragraph in your post describes the current flow of Fleep sign up, unless it was changed in the few hours between mborch's blog post and my running through the flow to see what happens. There is an OAuth request to use your Google identity, and a completely separate OAuth request to get access to your Gmail behind a "Now that you've joined Fleep, import your emails" dialog that Fleep generates.
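Added example, not part of the thread and not Fleep's or Google's code: a small auditor that reads the `scope` parameter of an OAuth authorization URL, such as the separate sign-in and import requests described above, and separates identity-only scopes from broad data scopes. The scope table is an illustrative subset, and the sample URLs are constructed with placeholder client values.

```python
from urllib.parse import urlsplit, parse_qs

# Scopes sufficient for "sign in with Google" (identity only).
SIGN_IN_SCOPES = {
    "openid", "email", "profile",
    "https://www.googleapis.com/auth/userinfo.email",
    "https://www.googleapis.com/auth/userinfo.profile",
}

# Broad data scopes that deserve an explicit warning (illustrative subset).
HIGH_RISK_SCOPES = {
    "https://mail.google.com/": "read, send and permanently delete all Gmail",
    "https://www.googleapis.com/auth/gmail.readonly": "read all Gmail messages",
    "https://www.googleapis.com/auth/gmail.modify": "read and modify all Gmail messages",
    "https://www.googleapis.com/auth/contacts": "read and edit contacts",
}

def audit_authorization_url(url):
    """Classify the scopes requested by an OAuth 2.0 authorization URL."""
    query = parse_qs(urlsplit(url).query)
    # RFC 6749: scope is a space-delimited list; parse_qs decodes '+' and %20.
    requested = []
    for value in query.get("scope", []):
        requested.extend(value.split())
    report = {"sign_in": [], "high_risk": {}, "unknown": []}
    for scope in dict.fromkeys(requested):  # de-duplicate, keep request order
        if scope in SIGN_IN_SCOPES:
            report["sign_in"].append(scope)
        elif scope in HIGH_RISK_SCOPES:
            report["high_risk"][scope] = HIGH_RISK_SCOPES[scope]
        else:
            report["unknown"].append(scope)  # not in either table: review by hand
    # access_type=offline asks Google for a refresh token, so access persists.
    report["offline"] = query.get("access_type", [""])[0] == "offline"
    report["sign_in_only"] = (bool(requested) and not report["high_risk"]
                              and not report["unknown"])
    return report

# Constructed sample URLs; client_id and redirect_uri are placeholders.
BASE = ("https://accounts.google.com/o/oauth2/v2/auth?response_type=code"
        "&client_id=EXAMPLE_CLIENT_ID&redirect_uri=https%3A%2F%2Fapp.example%2Fcb")
SIGN_IN_URL = BASE + "&scope=openid%20email%20profile"
IMPORT_URL = BASE + "&access_type=offline&scope=email+https%3A%2F%2Fmail.google.com%2F"

if __name__ == "__main__":
    for name, url in (("sign-in", SIGN_IN_URL), ("import", IMPORT_URL)):
        print(name, audit_authorization_url(url))
```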

> The third paragraph in your post describes the current flow of Fleep sign up

That's good. In that case either the blog post is misleading or it has been changed in the hours since.

Edit: I see the original blog post has been updated with more information.

OP appears to have drawn an arbitrary line in the sand between authorizing an OAuth permissions request and being asked to provide a password, however. Which, unfortunately, indicates the OP's lack of understanding of why OAuth exists---why on Earth would it be better to give Fleep the password that unlocks one's entire Google account instead of just the relatively-narrow authorization to manipulate the user's email account?

I can sort of see the argument that email archives are an extra-special category that should require extra-special "Are you sure" confirmation. But I think that the OAuth question panel is intended to be that extra-special "Are you sure" confirmation in the first place. How many "Are you sure"s are necessary to prevent users from shooting themselves in the foot is a bit subjective.

I think OP is saying that Google's OAuth2 screen should have asked him to provide a password, to confirm that this should happen.

I think I agree with OP. Remember click-jacking? Or cats jumping on keyboards?

I wouldn't want my entire Gmail history[1] getting delivered to a third party because of one erroneous click.

1. My Gmail history actually goes back further than ... what the hell. I imported 1999 era email into Gmail years ago and now I can't find it. I am officially sidetracked! [UPDATE]: yeah, my email history goes back to BEFORE Gmail launched, because I imported old emails. Early 2003, actually, not 1999... Dunno where those emails went.

How about just some bold red letters outlining permissions being given away without having to type "more info"? Specifically that you are giving access to all of your email, contacts, and the ability to delete your email.

I mean, why bother? People aren't going to read it anyway, regardless of font or size. ;)

That could be true of most people. I tend not to give permissions out and would read the whole thing. If I was feeling lazy, though, I can tell you I'd take notice of a red warning, but I can't speak for others.

I wonder if this is a good reason to NOT use your email provider as your authentication (OAuth) provider?
