[Labs-l] Storing oauth tokens in a tool account

Maximilian Doerr maximilian.doerr at gmail.com
Fri Feb 3 03:32:25 UTC 2017


My viewpoint is that tokens are considered private information, and use during the active browsing session is permitted without disclosure as the end-user is in control of connecting the application or not. However, I consider the storing of these tokens for later use to be storing private data which, by the ToS of labs, must be disclosed to the user.

Cyberpower678
English Wikipedia Account Creation Team
English Wikipedia Administrator
Global User Renamer

> On Feb 2, 2017, at 22:27, Bryan Davis <bd808 at wikimedia.org> wrote:
> 
> On Thu, Feb 2, 2017 at 8:00 PM, Maximilian Doerr
> <maximilian.doerr at gmail.com> wrote:
>> As long as the information isn't permanently stored, and the storage location is secure, you can go ahead and do that, BUT such storage must be disclosed to the user in a very visible manner, like a tool ToS, similar to what https://tools.wmflabs.org/iabot/ does for first time use, that discloses what it stores, why it's being stored, and how long it's being stored for, so users can make an informed decision on whether or not to use your tool and if they are comfortable with that condition.
> 
> Documenting how the tool works and what it stores are very good and
> reasonable things to do. However, I would personally assume that the
> approval of the OAuth grant in the first place by the end user is
> consent to use the token. There is no contract, implied or otherwise,
> in the OAuth prompt that the grant of rights is limited to the scope
> of a single browser session. OAuth tokens are similar in concept to a
> valet key [0]. When a grant request is accepted you as the granting
> user are giving the requesting application the right and ability to
> perform any of the actions covered by the grant until such a time as
> the grant is revoked by you using Special:OAuthManageMyGrants [1] or
> the application itself has its rights revoked globally for some terms
> of service violation. That being said, tokens should not be stored
> without a reason and reasonable precautions should be taken to ensure
> that tokens are not exposed to other users of the application or
> third parties.
> 
> 
> [0]: https://en.wikipedia.org/wiki/Key_(lock)#Car_keys
> [1]: https://meta.wikimedia.org/wiki/Special:OAuthManageMyGrants
> 
> Bryan
> -- 
> Bryan Davis              Wikimedia Foundation    <bd808 at wikimedia.org>
> [[m:User:BDavis_(WMF)]]  Sr Software Engineer            Boise, ID USA
> irc: bd808                                        v:415.839.6885 x6855
> 
