On 9 May 2024, at 00:06, Sam Goto <g...@google.com> wrote:
> [...]
> 
> I guess, flipping this around, we might ask what is the legitimate purpose 
> for which browsers need to access the user’s name, email address (both 
> required) and other identifying information? I’d have thought an identifier 
> (possibly randomised) and some user-supplied account nickname would be 
> sufficient.
> 
> That's easier to answer: the browser needs name/email/picture to construct an 
> account chooser 
> <https://docs.google.com/presentation/d/1iURrPakaHgBfQ6mAefKijjxToiTTgBSPz1rtaV0od98/edit#slide=id.p>,
>  which is the UX that tested best with users by a far margin. 
> 
> Static/unpersonalized permission prompts - example 
> <https://www.cookiestatus.com/images/content/storage-access-api.jpg> in 
> Safari, example 
> <https://developers.google.com/static/privacy-sandbox/assets/images/storage-access-api-permission-prompt.png>
>  in Chrome - perform extremely poorly (in comparison to account choosers), 
> although have other benefits too (namely ergonomics and extensibility), so 
> Chrome (and others) expose that too in the form of the Storage Access API 
> <https://developer.mozilla.org/en-US/docs/Web/API/Storage_Access_API>.
>  

Yeah, that's what I suspected. Did you do research that specifically called out 
email addresses as a must-have?

PS - although this is an OAuth group, you may also want to look at things like 
Dropbox's Chooser/Saver widgets (https://www.dropbox.com/developers/chooser),
which provide fine-grained
permissions to access specific files/folders using a file dialog UX rather than 
a redirect-based flow. I appreciate that may not be your initial focus, but one 
for the "mood board" as it were...

-- Neil
_______________________________________________
OAuth mailing list -- oauth@ietf.org
To unsubscribe send an email to oauth-le...@ietf.org
