[Labs-l] Storing oauth tokens in a tool account

Bryan Davis bd808 at wikimedia.org
Fri Feb 3 03:27:36 UTC 2017


On Thu, Feb 2, 2017 at 8:00 PM, Maximilian Doerr
<maximilian.doerr at gmail.com> wrote:
> As long as the information isn't permanently stored, and the storage
> location is secure, you can go ahead and do that, BUT such storage must
> be disclosed to the user in a very visible manner, like a tool ToS,
> similar to what https://tools.wmflabs.org/iabot/ does for first-time
> use, that discloses what it stores, why it's being stored, and how long
> it's being stored for, so users can make an informed decision on whether
> or not to use your tool and if they are comfortable with that condition.

Documenting how the tool works and what it stores are very good and
reasonable things to do. However, I would personally assume that the
approval of the OAuth grant in the first place by the end user is
consent to use the token. There is no contract, implied or otherwise,
in the OAuth prompt that the grant of rights is limited to the scope
of a single browser session. OAuth tokens are similar in concept to a
valet key [0]. When a grant request is accepted, you as the granting
user are giving the requesting application the right and ability to
perform any of the actions covered by the grant until such a time as
the grant is revoked by you using Special:OAuthManageMyGrants [1] or
the application itself has its rights revoked globally for some terms
of service violation. That being said, tokens should not be stored
without a reason, and reasonable precautions should be taken to ensure
that tokens are not exposed to other users of the application or
third parties.


[0]: https://en.wikipedia.org/wiki/Key_(lock)#Car_keys
[1]: https://meta.wikimedia.org/wiki/Special:OAuthManageMyGrants

Bryan
-- 
Bryan Davis              Wikimedia Foundation    <bd808 at wikimedia.org>
[[m:User:BDavis_(WMF)]]  Sr Software Engineer            Boise, ID USA
irc: bd808                                        v:415.839.6885 x6855