On 9 May 2024, at 00:06, Sam Goto <g...@google.com> wrote:
> [...]
>
> I guess, flipping this around, we might ask what is the legitimate purpose
> for which browsers need to access the user’s name, email address (both
> required) and other identifying information? I’d have thought an identifier
> (possibly randomised) and some user-supplied account nickname would be
> sufficient.
>
> That's easier to answer: the browser needs name/email/picture to construct an
> account chooser
> <https://docs.google.com/presentation/d/1iURrPakaHgBfQ6mAefKijjxToiTTgBSPz1rtaV0od98/edit#slide=id.p>,
> which is the UX that tested best with users by a far margin.
>
> Static/unpersonalized permission prompts - example
> <https://www.cookiestatus.com/images/content/storage-access-api.jpg> in
> Safari, example
> <https://developers.google.com/static/privacy-sandbox/assets/images/storage-access-api-permission-prompt.png>
> in Chrome - perform extremely poorly (in comparison to account choosers),
> although have other benefits too (namely ergonomics and extensibility), so
> Chrome (and others) expose that too in the form of the Storage Access API
> <https://developer.mozilla.org/en-US/docs/Web/API/Storage_Access_API>.
>
Yeah, that's what I suspected. Did you do research that specifically called out
email addresses as a must-have?

PS - although this is an OAuth group, you may also want to look at things like
Dropbox's Chooser/Saver widgets (<https://www.dropbox.com/developers/chooser>),
which provide fine-grained permissions to access specific files/folders using a
file dialog UX rather than a redirect-based flow. I appreciate that may not be
your initial focus, but one for the "mood board" as it were...

-- Neil
_______________________________________________
OAuth mailing list -- oauth@ietf.org