Interesting. A couple of possible issues (and of course I am speculating here):
1. Using OAuth for authentication (does LinkedIn support OIDC?)
2. Not asking for the minimum information needed (either by omission or by intent)

I am really speculating now, but wonder if Slideshare didn’t actually want anything from LinkedIn, they just wanted to authenticate you. It may be that LinkedIn didn’t provide a scope and LinkedIn defaults this to “everything”. If true, this would seem to be a bad practice since it has the unintended consequence of defaulting to all scopes. The whole process failed to convert you into a user since your experience was bad and asked for inappropriate access.

It would be interesting to find out more of the facts around this.

Phil

@independentid
www.independentid.com
[email protected]

> On Jul 22, 2015, at 9:49 AM, Kathleen Moriarty <[email protected]> wrote:
>
> Hey Barry,
>
> From my observations with Facebook, it now has options added for you to
> select what resources from Facebook will get shared when authorizing access
> to other applications. You can click on each of the possibilities and strip
> it down. It appears to me that Facebook is managing that, so in your case, I
> *think* (and am open to be corrected) that LinkedIn needs to do something
> similar. Without those options, I also cancel out and just don't use the
> other app.
>
> Thanks,
> Kathleen
>
> On Wed, Jul 22, 2015 at 3:44 AM, Barry Leiba <[email protected]> wrote:
> > Yesterday, someone sent me a link to some presentation slides that
> > he'd posted to SlideShare. I looked at them, and wanted to download
> > them as a PDF. In order to let me do that, SlideShare wants me to log
> > in. It gives me the options to log in via LinkedIn or Facebook. As
> > I'm one of the three people in the world without a Facebook account, I
> > clicked "LinkedIn". That got me an OAuth authorization screen, image
> > attached.
> >
> > Now, I don't know if this is SlideShare's fault for asking for too
> > much, or LinkedIn's fault for not providing enough granularity for
> > requests, but just LOOK at that list of what I'd be giving SlideShare
> > access to. The first few make sense: read my profile (the whole thing
> > or pieces of it, including contact information). But... access to my
> > connections? I'm not sure they'd like my exposing their identities to
> > SlideShare. Access to my private messages? EDIT MY PROFILE? Srsly?
> >
> > Of course, this isn't the fault of the OAuth protocol, really (though
> > one might argue that there's not enough guidance provided). But,
> > really, with implementations like this, I have to wonder what they're
> > thinking.
> >
> > I clicked "Cancel", of course, and asked the slide creator to send me a PDF.
> >
> > Barry
> >
> > _______________________________________________
> > OAuth mailing list
> > [email protected]
> > https://www.ietf.org/mailman/listinfo/oauth
>
> --
>
> Best regards,
> Kathleen
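
The scope-defaulting concern raised in the message above, as an added example that is not part of the thread and is not LinkedIn's or SlideShare's code. RFC 6749 section 3.3 lets an authorization server either apply a pre-defined default or fail the request when `scope` is omitted; the sketch contrasts an "everything" default with a least-privilege one. Scope names, client IDs and the helper names are constructed for illustration.

```python
from urllib.parse import urlsplit, parse_qs

# Constructed scope names and client registrations (assumptions, not a real API).
ALL_SCOPES = {"profile:basic", "profile:full", "connections:read",
              "messages:read", "profile:write"}
CLIENTS = {
    "slides-app": {"allowed": {"profile:basic", "profile:full"},
                   "default": {"profile:basic"}},
    "legacy-app": {"allowed": {"profile:basic"}, "default": None},
}

class InvalidScope(Exception):
    """Corresponds to the OAuth 2.0 error code invalid_scope."""

def requested_scopes(authz_url):
    """Return the scopes named in an authorization request, or None if omitted."""
    params = parse_qs(urlsplit(authz_url).query)
    if "scope" not in params:
        return None
    return set(params["scope"][0].split())  # scope is a space-delimited list

def resolve_permissive(requested):
    """Risky policy: a missing scope parameter silently means every scope."""
    return set(ALL_SCOPES) if requested is None else requested & ALL_SCOPES

def resolve_least_privilege(client_id, requested):
    """Safer policy: missing scope maps to a minimal registered default or fails;
    requested scopes are narrowed to what the client was registered for."""
    client = CLIENTS[client_id]
    if requested is None:
        if client["default"] is None:
            raise InvalidScope("scope parameter required for this client")
        return set(client["default"])
    unknown = requested - ALL_SCOPES
    if unknown:
        raise InvalidScope("unknown scope: " + " ".join(sorted(unknown)))
    granted = requested & client["allowed"]
    if not granted:
        raise InvalidScope("no requested scope is allowed for this client")
    return granted  # this set is what the consent screen should list
```
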
