Hacker News new | ask | show | jobs
by cookrn 4600 days ago
I don't have too much specific feedback, but I know one thing that has irked me in the past (and irked users of services I've worked on) is when the OAuth permissions requested are very broad. For example, why request "write" access to a resource if you don't need it? In other words, ask for the bare minimum permissions from the user that your app may require to function.

What stack are you developing in? Maybe there's a solution like https://github.com/intridea/omniauth available that you could utilize if applicable.

Hope that's helpful and good luck :)
1 comments
bmelton 4600 days ago
Having written a couple of Github-based applications, Github permissions are fairly non-granular. My specific complaint with Github oAuth permissions is that if I want read access to private repositories (which I already feel guilty asking for, but genuinely need) I must also request write access (which I have completely no need for, and am uncomfortable having).

You're completely correct in that asking for unnecessary permissions is gauche, but with Github specifically, they make it nearly impossible to be a responsible custodian. It's quite bothersome, and to the extent that I've written an application that I think could have a moderate revenue stream if I released to the world, but I only use it for myself exclusively because I am that uncomfortable asking for write permissions on private repos that I don't need or want.

link
bstahlhood 4599 days ago
Yeah that is my problem too. GitHub seems like a natural fit for a B2D service, but the permissions is a problem. I don't want to piss of devs.
link
bmelton 4599 days ago
Pissing off devs is bad, but yeah, my main thing is that securing a website and database is hard enough, but fairly easy to mitigate.

If an attacker could gain write access to a customer's private repositories though, I feel like that would make an otherwise unattractive service far more of a target.

You're dead on though -- I've wanted to use Github oAuth for at least five different dev-oriented projects, but their permission system just makes it impossible.

link