I am comparing different 3rd party sign in services and I noticed one pretty annoying thing in twitter.
The Permission scopes are WAY too coarse.
As both developer and user, I would neither want to give ALL my account data (except email and DMs, I know) to all sites nor deal with the burden of that data.
There should be, in my opinion, some scopes which allow for getting WAY less data than right now.
I would say there should be at least:
- a “sign in only” scope which ONLY returns a completely opaque pairwise ID, and some validation info, and most importantly, DOES NOT come with an access token, meaning you can get the ID once, and once only.
- a “basic profile” permission which contains just that: display name, verified status, count of followers, friends and tweets (without listing those), location and description. (Location is not an issue imo since it’s a user-set string, which can be anything.)
2 may be different, but 1 should REALLY be done. From the services I checked, it is kind of sad that Microsoft is the only service offering the option of only getting an opaque ID (well, almost, but still a lot better than most).
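As an added illustration (not Twitter's code and not the poster's), here is how a provider could produce the opaque pairwise ID and token-less result proposed in point 1, in the style of OpenID Connect pairwise subject identifiers; the server-side salt, the field names and the 300-second validity window are assumptions for the demo.

```python
import hmac
import hashlib
import secrets
import time

# Server-side secret that never leaves the identity provider (assumed; generated fresh here).
PAIRWISE_SALT = secrets.token_bytes(32)


def pairwise_subject(user_id: str, client_id: str, salt: bytes = PAIRWISE_SALT) -> str:
    """Opaque identifier for user_id that is specific to one relying party.

    Keyed hash over (client_id, user_id): the same site always gets the same
    value back, two different sites get unrelated values, and without the
    provider's salt nobody can recover user_id or link the two values.
    """
    msg = client_id.encode("utf-8") + b"\x00" + user_id.encode("utf-8")
    return hmac.new(salt, msg, hashlib.sha256).hexdigest()


def sign_in_only_response(user_id: str, client_id: str, now=None) -> dict:
    """One-shot 'sign in only' result: an ID plus validation info, no token.

    There is deliberately no access_token or refresh_token in the result, so
    the relying party cannot call back into the account later; it only learns
    'this is the same person who signed in here before'.
    """
    now = int(time.time()) if now is None else now
    return {
        "sub": pairwise_subject(user_id, client_id),  # opaque, per-site ID
        "aud": client_id,                             # who this assertion is for
        "iat": now,                                   # issued at
        "exp": now + 300,                             # short validity of the assertion
    }


def same_person(resp_a: dict, resp_b: dict) -> bool:
    """All a relying party can do with the ID: recognise a returning user."""
    return resp_a["aud"] == resp_b["aud"] and resp_a["sub"] == resp_b["sub"]


if __name__ == "__main__":
    first = sign_in_only_response("user-42", "site-a", now=1000)
    again = sign_in_only_response("user-42", "site-a", now=2000)
    other_site = sign_in_only_response("user-42", "site-b", now=1000)
    print("returning user recognised:", same_person(first, again))
    print("linkable across sites:", same_person(first, other_site))
```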