On Thu, Feb 2, 2017 at 8:00 PM, Maximilian Doerr <maximilian.do...@gmail.com> wrote:
> As long as the information isn't permanently stored, and the storage location
> is secure, you can go ahead and do that, BUT such storage must be disclosed
> to the user in a very visible manner, like a tool ToS, similar to what
> https://tools.wmflabs.org/iabot/ does for first time use, that discloses what
> it stores, why it's being stored, and how long it's being stored for, so
> users can make an informed decision on whether or not to use your tool and if
> they are comfortable with that condition.
Documenting how the tool works and what it stores are very good and reasonable things to do. However, I would personally assume that the approval of the OAuth grant in the first place by the end user is consent to use the token. There is no contract, implied or otherwise, in the OAuth prompt that the grant of rights is limited to the scope of a single browser session.

OAuth tokens are similar in concept to a valet key [0]. When a grant request is accepted, you as the granting user are giving the requesting application the right and ability to perform any of the actions covered by the grant until such a time as the grant is revoked by you using Special:OAuthManageMyGrants [1] or the application itself has its rights revoked globally for some terms of service violation.

That being said, tokens should not be stored without a reason, and reasonable precautions should be taken to ensure that tokens are not exposed to other users of the application or third parties.

[0]: https://en.wikipedia.org/wiki/Key_(lock)#Car_keys
[1]: https://meta.wikimedia.org/wiki/Special:OAuthManageMyGrants

Bryan
--
Bryan Davis              Wikimedia Foundation    <bd...@wikimedia.org>
[[m:User:BDavis_(WMF)]]  Sr Software Engineer    Boise, ID USA
irc: bd808                                       v:415.839.6885 x6855

_______________________________________________
Labs-l mailing list
Labs-l@lists.wikimedia.org
https://lists.wikimedia.org/mailman/listinfo/labs-l
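The "valet key" model and the precautions Bryan mentions (tokens bound to the user who granted them, never leaked to other users or third parties, and honoured only until the grant is revoked) can be sketched as a small per-user token store. This is an added example, not code from the thread, from IABot, or from the MediaWiki OAuth extension. The `FakeApi` class is a constructed stand-in for the wiki API; the error code `mwoauth-invalid-authorization` that it returns for a revoked grant is my assumption about the real API's behaviour, not something the thread states.

```python
"""Per-user OAuth grant store for a tool that keeps tokens between sessions.

Added example (not the thread's own code). Assumptions: MediaWiki OAuth 1.0a
access credentials are a key/secret pair; a revoked grant makes the API
answer with error code 'mwoauth-invalid-authorization' (assumed, not quoted
from the thread); FakeApi below is a constructed stand-in for the wiki API.
"""
import secrets
from dataclasses import dataclass


class TokenRevoked(Exception):
    """The wiki rejected the stored credentials; the grant is gone."""


@dataclass(frozen=True)
class StoredGrant:
    key: str
    secret: str
    scopes: frozenset

    def __repr__(self):
        # Redact credentials so a stray log line or traceback never exposes them.
        return f"StoredGrant(key=***, secret=***, scopes={sorted(self.scopes)})"


class TokenStore:
    """Grants keyed by the wiki user who authorised them.

    The key MUST be the identity established by the tool's own login/session,
    never a username taken from request parameters, or user A could read B's key.
    """

    def __init__(self):
        self._grants = {}

    def put(self, session_user, grant):
        self._grants[session_user] = grant

    def get(self, session_user):
        try:
            return self._grants[session_user]
        except KeyError:
            raise LookupError(f"no grant stored for {session_user}") from None

    def has(self, session_user):
        return session_user in self._grants

    def forget(self, session_user):
        # Drop credentials as soon as we know they are dead or no longer needed.
        self._grants.pop(session_user, None)


class FakeApi:
    """Constructed stand-in for the wiki API: issues, revokes and checks keys."""

    def __init__(self):
        self._valid = {}  # access key -> owning user

    def issue(self, user):
        key = secrets.token_hex(8)
        self._valid[key] = user
        return key, secrets.token_hex(8)

    def revoke(self, key):
        # What Special:OAuthManageMyGrants does on the user's behalf.
        self._valid.pop(key, None)

    def call(self, key, action):
        if key not in self._valid:
            return {"error": {"code": "mwoauth-invalid-authorization"}}
        return {"ok": action, "user": self._valid[key]}


def act_as(store, session_user, api, action, needed_scope):
    """Use the stored grant like a valet key: only for what it covers, only while it is valid."""
    grant = store.get(session_user)
    if needed_scope not in grant.scopes:
        raise PermissionError(f"grant for {session_user} does not cover {needed_scope}")
    resp = api.call(grant.key, action)
    if resp.get("error", {}).get("code") == "mwoauth-invalid-authorization":
        store.forget(session_user)  # do not keep retrying with a revoked key
        raise TokenRevoked(session_user)
    return resp


if __name__ == "__main__":
    api, store = FakeApi(), TokenStore()
    key, secret = api.issue("Alice")
    store.put("Alice", StoredGrant(key, secret, frozenset({"editpage"})))
    print(act_as(store, "Alice", api, "edit", "editpage"))
    api.revoke(key)
    try:
        act_as(store, "Alice", api, "edit", "editpage")
    except TokenRevoked:
        print("grant revoked, credentials dropped:", not store.has("Alice"))
```

The two checks worth copying are the scope test before every call (the grant, not the tool, decides what the key may do) and the explicit forget-on-revocation path, so that a user pulling the grant in Special:OAuthManageMyGrants actually ends the tool's access rather than leaving a dead credential on disk. Encryption of the store at rest is deliberately out of scope here; in a real deployment it belongs to whatever secret handling the hosting environment provides.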