[Feature Request] privacy-enabled permission scopes?



I am comparing different 3rd party sign in services and I noticed one pretty annoying thing in twitter.

The Permission scopes are WAY too coarse.

as both developer and user I would neither want to give ALL my account data (except email and DMs, I know) to all sites nor deal with the burden of that data.

there should be in my opinion some scopes which allow for getting WAY less data than right now.

I would say there should be at least

  1. a “sign in only” scope which ONLY returns a completely opaque pairwise ID, and some validation info, and most importantly, DOES NOT come with an access token, meaning, you can get the ID once, and once only.

  2. a “basic profile” permission which contains just that. Display name, verified status, count of followers, friends and tweets (without listing those), location and description. (Location is not an issue imo since it’s a user-set string, which can be anything)

2 may be different, but 1 should REALLY be done. from the services I checked it is kind asad that Microsoft is the only service offering the option of only getting an opaque ID (well almost, but still a lot better than most)


In all of these cases this would require OAuth2 implementation and that is not currently on the roadmap (but it is one of the most frequently-requested suggestions). This is a great idea, but would be a huge implementation effort. Keep an eye on the roadmap, but we’re not able to commit to such a wide-ranging change in the immediate future.


okay, although at least a bit more granular scope model should be made, would that interfere with OAuth1?

I mean the overly complicated signature generation makes the process secure but literally granting access to basically all the data is imo a bit much.

also privacy enhanced scopes could also be considered in the whole prompting over and over again annoyance, where someone who wont get any relevant data wouldnt need to re-authorize all the time.