Saturday, June 1

OAuth forever

OAuth is a great way to share information between two systems without also sharing your username and password.
The only problem is that once you have authorized an application to access your information, it is very easy to forget that you did.
I recently installed a great iPhone app called Mailbox. After a while I changed my Gmail password to keep my account safe, and I didn't remember that Mailbox uses OAuth, so I went looking for where it keeps my username and password, the way the standard iPhone mail app does. I didn't find it, of course, so I wrote them an email, and they replied quickly that they use OAuth and that they don't have, nor need, my password.

That's where this post really starts. I went into my Google Account page, into Security, and there under Connected applications and sites I pressed the Manage access button.
This brings up a very rough page with the title Authorized Access to your Google Account.
This page lists all the websites (or web applications) that asked for and were granted access to my Google Account.
I had 61 authorized applications.

I strongly suggest going into the connected applications page, doing a sweep, and revoking any application you don't remember authorizing or no longer use.

I also wish Google would take this more seriously and present all the information, such as what type of access was granted: reading mail, contacts, sending mail, etc.
I also wish these authorizations were time limited, because in our dynamic world companies change or sell themselves, and the OAuth token remains, giving a completely different entity access to our private data.
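As an added example, not code from the original post or from Google or Mailbox, here is a small Python review of a list of OAuth grants that implements the two things the post asks for: showing what each granted scope actually allows, and treating old or unused grants as candidates for revocation. The scope identifiers are real Google scope strings, but the sensitivity labels, the grant records, the review thresholds (90 days unused, 365 days since authorization) and the clock are assumptions made for the example; the records are constructed rather than pulled from any Google API.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone
from typing import List, Optional, Tuple

# Human-readable meaning and a rough sensitivity for a few real Google OAuth
# scope identifiers. The sensitivity labels are this example's own assumption.
SCOPE_INFO = {
    "https://mail.google.com/": ("read, send and delete mail", "high"),
    "https://www.googleapis.com/auth/gmail.readonly": ("read mail", "high"),
    "https://www.googleapis.com/auth/gmail.send": ("send mail as you", "high"),
    "https://www.googleapis.com/auth/contacts.readonly": ("read contacts", "medium"),
    "https://www.googleapis.com/auth/userinfo.email": ("see your email address", "low"),
}


@dataclass
class Grant:
    app: str
    scopes: List[str]
    granted_at: datetime            # when the user clicked "Allow"
    last_used: Optional[datetime]   # None: the token was never exercised


def describe_scopes(scopes: List[str]) -> List[Tuple[str, str]]:
    """Return (description, sensitivity) per scope; unknown scopes are flagged
    so the reviewer looks them up instead of silently trusting them."""
    return [SCOPE_INFO.get(s, ("unknown scope: " + s, "unknown")) for s in scopes]


def review_grant(grant: Grant, now: datetime,
                 max_age_days: int = 365, stale_days: int = 90) -> Tuple[str, List[str]]:
    """Decide 'keep', 're-authorize' or 'revoke' for one grant, with reasons.
    Unused or stale grants are revoked; grants older than max_age_days are
    asked to be re-authorized, which is the time limit the post wishes for."""
    reasons = []
    if grant.last_used is None:
        reasons.append("never used since it was authorized")
    elif now - grant.last_used > timedelta(days=stale_days):
        reasons.append("not used for more than %d days" % stale_days)
    if reasons:
        return "revoke", reasons
    if now - grant.granted_at > timedelta(days=max_age_days):
        reasons.append("authorized more than %d days ago" % max_age_days)
        return "re-authorize", reasons
    return "keep", reasons


def review_all(grants: List[Grant], now: datetime, **thresholds) -> dict:
    """Map app name -> (decision, reasons, [(scope description, sensitivity)])."""
    report = {}
    for g in grants:
        decision, reasons = review_grant(g, now, **thresholds)
        report[g.app] = (decision, reasons, describe_scopes(g.scopes))
    return report


def _utc(y, m, d):
    return datetime(y, m, d, tzinfo=timezone.utc)


# Constructed sample data for the example (not a real account's grant list).
NOW = _utc(2013, 6, 1)
SAMPLE_GRANTS = [
    Grant("Mailbox", ["https://mail.google.com/"], _utc(2013, 5, 1), _utc(2013, 5, 31)),
    Grant("Old photo printing site", ["https://www.googleapis.com/auth/contacts.readonly"],
          _utc(2010, 3, 15), _utc(2010, 4, 2)),
    Grant("Forgotten quiz app", ["https://www.googleapis.com/auth/userinfo.email"],
          _utc(2012, 1, 10), None),
    Grant("Calendar sync", ["https://www.googleapis.com/auth/calendar.readonly"],
          _utc(2011, 11, 20), _utc(2013, 5, 30)),
]


if __name__ == "__main__":
    for app, (decision, reasons, scopes) in review_all(SAMPLE_GRANTS, NOW).items():
        print("%-25s %-13s %s" % (app, decision.upper(), "; ".join(reasons)))
        for desc, level in scopes:
            print("    [%s] %s" % (level, desc))
```

Running the block prints one line per application with its decision and the plain-language meaning of every scope it holds, which is the information the post wishes the Authorized Access page showed; the thresholds are arguments so you can tighten them for high-sensitivity scopes.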
