by qwerty456127 2070 days ago
As a user I don't really care about the way they build it. I care about the spec to deny them forcing me to disclose the data.

I once tried to sign up with Google and it asked me to allow (with no option to deny but continue) to share my specific personal details. I cancelled and never used this technology ever since. I didn't have to specify the same details (which Google was going to share) when signing up with an e-mail address.

The spec should discourage sharing details beyond necessary, prevent any details from being shared silently and ensure user can always deny and continue.


But there's nothing in the spec that requires you to disclose that data to begin with.

And there's nothing they could write in the spec to deny that besides a perfunctory "please don't do that" which companies could ignore without consequence.

Sure they could. What you allow or deny would be enforced by the identity provider. The relying party simply would not receive the data and could not access it.

However, that’s really about OpenID, not about OAuth.

These are treated as permissions in the AAD OAuth model. Your issue seems to be with the Google and Facebook implementations, not the spec.

The spec could say something like "a client may ask for extended information but can't demand it unconditionally and must gracefully handle situations when access to particular fields is denied".

But that's already possible, right?

The problem is that you can't make _everything_ optional, or else the user can deny everything and the application then has to tell the user "You denied X, but we really need it to proceed. Try again...", which is a definitively worse experience than having the grant request say "here's what this app is asking for".

This is anticipated by scope requested by the client being able to be ignored by the authorization server. This appears in the AAD flow for the user as a list of toggles. The application has to handle the case where the scope is less than what is listed - this is all in section 3.2. Actually defining what data or permissions are bound to what scope is rightfully beyond the goals of the specification.

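
The client-side handling the comments above describe (the server may grant less scope than requested, and the client must cope) can be shown in code. The following is an added example, not code from the thread or from any identity provider; it assumes the OAuth 2.0 token-response convention that a `scope` parameter is present whenever the granted scope differs from the request, and the scope names and feature names are constructed for illustration.

```python
"""Degrading gracefully when an OAuth 2.0 authorization server grants
a narrower scope than the client asked for (added example, not from the thread)."""
import json

# Constructed scope names. One scope is the minimum the app needs to work at
# all; the others only unlock optional features the app must live without.
REQUIRED_SCOPES = {"openid"}
OPTIONAL_FEATURES = {
    "email": "show-email-on-profile",
    "contacts.read": "import-contacts",
}


def parse_scope(scope_str):
    """Split a space-delimited scope string into a set of scope tokens."""
    return {s for s in scope_str.split(" ") if s}


def granted_scopes(requested, token_response):
    """Return the scopes the authorization server actually granted.

    If the token response carries a 'scope' parameter, that is authoritative
    (the server may have dropped or rewritten what was requested). If it is
    absent, the grant is taken to be identical to the request.
    """
    if "scope" in token_response:
        return parse_scope(token_response["scope"])
    return set(requested)


def plan_features(requested, token_response):
    """Decide what the app can do given the grant it really received.

    Returns a dict with:
      ok        - False only when a REQUIRED scope was withheld
      missing   - required scopes that were not granted
      features  - optional features that can be enabled
      unexpected- scopes listed as granted that were never requested
                  (the app ignores these rather than silently using them)
    """
    granted = granted_scopes(requested, token_response)
    missing_required = sorted(REQUIRED_SCOPES - granted)
    if missing_required:
        return {"ok": False, "missing": missing_required,
                "features": [], "unexpected": []}
    features = sorted(feat for scope, feat in OPTIONAL_FEATURES.items()
                      if scope in granted)
    unexpected = sorted(granted - set(requested))
    return {"ok": True, "missing": [], "features": features,
            "unexpected": unexpected}


# Constructed sample: the client asked for three scopes, the user toggled
# off contacts access at the consent screen, so the server granted two.
REQUESTED = ["openid", "email", "contacts.read"]
SAMPLE_TOKEN_RESPONSE = json.loads(
    '{"access_token": "constructed-token", "token_type": "Bearer", '
    '"expires_in": 3600, "scope": "openid email"}'
)

if __name__ == "__main__":
    print(plan_features(REQUESTED, SAMPLE_TOKEN_RESPONSE))
```

The point of the `missing`/`features` split is that the only hard failure is the withheld required scope; every other denial just disables a feature, which is the behaviour the comment says section 3.2 expects of clients.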
OAuth does what you want, but also does what you don't want.

This is like Android allowing apps to ask for permissions they don't "need" because, well, surveillance and user data brokerage is the business model that most are into and the reason many apps are "free" or "cheap" in the first place, crowding out more honest business models.

Maybe there could be an initiative for apps and sites without predatory practices, like "apps/webs needing no personal info from you".