Wow, that's the very opposite of the Privacy by Design/Default recommendation.

2015-07-22 11:06 GMT+02:00 Justin Richer <jric...@mit.edu>:

> According to the LinkedIn docs, that means they get all the scopes that
> they registered for.
>
> — Justin
>
> On Jul 22, 2015, at 10:59 AM, Maciej Machulak <maciej.machu...@gmail.com>
> wrote:
>
> It seems that they don't ask for scopes.
>
> The parameter is left blank: scope=
>
> Kind regards,
> Maciej
>
> On 22 July 2015 at 10:26, Phil Hunt <phil.h...@oracle.com> wrote:
>
>> Do they explicitly ask for those scopes? Or do they leave scope to
>> default that way?
>>
>> Phil
>>
>> On Jul 22, 2015, at 10:22, Justin Richer <jric...@mit.edu> wrote:
>>
>> This is a pretty clear case of SlideShare trying to grab too much. The
>> LinkedIn API (which is their own proprietary thing, not OpenID Connect)
>> does separate all the permissions into different scopes. However, the
>> SlideShare app is asking for all of them, and LinkedIn doesn’t let you
>> uncheck any boxes on the authorization screen.
>>
>> FWIW, the reason they want write access to your profile is to
>> automatically add new SlideShare presentations that you upload to your
>> LinkedIn profile page. You should still have the option of turning that
>> off, or of turning on that functionality later.
>>
>> — Justin
>>
>> On Jul 22, 2015, at 9:49 AM, Kathleen Moriarty <
>> kathleen.moriarty.i...@gmail.com> wrote:
>>
>> Hey Barry,
>>
>> From my observations with Facebook, it now has options added for you to
>> select what resources from Facebook will get shared when authorizing access
>> to other applications. You can click on each of the possibilities and
>> strip it down. It appears to me that Facebook is managing that, so in your
>> case, I *think* (and am open to be corrected) that LinkedIn needs to do
>> something similar. Without those options, I also cancel out and just don't
>> use the other app.
>>
>> Thanks,
>> Kathleen
>>
>> On Wed, Jul 22, 2015 at 3:44 AM, Barry Leiba <barryle...@computer.org>
>> wrote:
>>
>>> Yesterday, someone sent me a link to some presentation slides that
>>> he'd posted to SlideShare. I looked at them, and wanted to download
>>> them as a PDF. In order to let me do that, SlideShare wants me to log
>>> in. It gives me the options to log in via LinkedIn or Facebook. As
>>> I'm one of the three people in the world without a Facebook account, I
>>> clicked "LinkedIn". That got me an OAuth authorization screen, image
>>> attached.
>>>
>>> Now, I don't know if this is SlideShare's fault for asking for too
>>> much, or LinkedIn's fault for not providing enough granularity for
>>> requests, but just LOOK at that list of what I'd be giving SlideShare
>>> access to. The first few make sense: read my profile (the whole thing
>>> or pieces of it, including contact information). But... access to my
>>> connections? I'm not sure they'd like my exposing their identities to
>>> SlideShare. Access to my private messages? EDIT MY PROFILE? Srsly?
>>>
>>> Of course, this isn't the fault of the OAuth protocol, really (though
>>> one might argue that there's not enough guidance provided). But,
>>> really, with implementations like this, I have to wonder what they're
>>> thinking.
>>>
>>> I clicked "Cancel", of course, and asked the slide creator to send me a
>>> PDF.
>>>
>>> Barry
>>>
>>> _______________________________________________
>>> OAuth mailing list
>>> OAuth@ietf.org
>>> https://www.ietf.org/mailman/listinfo/oauth
>>
>> --
>>
>> Best regards,
>> Kathleen
>
> --
> Maciej Machulak
> email: maciej.machu...@gmail.com
> mobile: +44 7999 606 767 (UK)
> mobile: +48 602 45 31 66 (PL)

--
Nat Sakimura (=nat)
Chairman, OpenID Foundation
http://nat.sakimura.org/
@_nat_en