I seem to be missing the bigger picture and I would like to have some reassurance.
From what I’ve seen, one can refresh an authorization indefinitely as long as one keeps receiving a refresh token, and I don’t see where I as a user can put a stop to it.
So I was wondering if there is a way where I, as the end-user, can limit the time for how long an authorization can be refreshed?
Another question I have is if an authorization is bound to an originating IP address or if tokens can get passed around and be abused. What I do not want is to grant one application access, i.e. at www.shady-eve-app.com, and then find out another application uses it i.e. at www.selling-tokens-for-isks.com.
It is not obvious and it would be helpful as well as reassuring if one could get this information directly from https://login.eveonline.com/oauth/authorize?... at the login&password prompt. Users shouldn’t ever have to search or ask for this.
An option to limit the duration for a grant would also be very nice (i.e. 24h, 7days, 30days, indefinite). If an app isn’t quite what one was looking for, one can forget about it, knowing they won’t have authorization indefinitely, but just for a day.
… Only by going to the link you gave me did I find out about an app I once granted access to but had forgotten about. It simply wasn’t the kind of app I was looking for at the time. Yet, the app still had access to my EVE data today and this wasn’t obvious.
Can my tokens be passed around and abused?
A refresh_token for an application can only be used by that application. It requires the application secret key to request new access_tokens.
An access_token can be used by anyone who holds it, but they only last 20 minutes.
If someone is passing around tokens against your wishes, they are breaking the developer agreement and you should report them. The developer agreement is there to stop “shady eve apps” from being allowed to do such things.
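The token model the reply above describes can be seen in a small constructed simulation (added here for illustration; this is not CCP’s SSO code, and the client names, secret values and timestamps are made up): a refresh token is bound to the application that was authorized and is only accepted together with that application’s secret, an access token is a bearer credential that any holder can use until its 20-minute lifetime ends, and revoking the grant kills the refresh token.

```python
import hmac
import secrets

ACCESS_TTL = 20 * 60  # access tokens last 20 minutes, as stated above


class TokenService:
    # Constructed model of an OAuth token endpoint, not CCP's SSO code.
    def __init__(self):
        self.clients = {}  # client_id -> client_secret
        self.grants = {}   # refresh_token -> (client_id, user); deleted on revoke
        self.access = {}   # access_token -> (user, expires_at)

    def register_client(self, client_id, client_secret):
        self.clients[client_id] = client_secret

    def authorize(self, user, client_id, now):
        # User approves the app: the refresh token is bound to that client_id.
        refresh = secrets.token_urlsafe(16)
        self.grants[refresh] = (client_id, user)
        return refresh, self._issue_access(user, now)

    def refresh(self, refresh_token, client_id, client_secret, now):
        # Refresh needs the owning app's id AND its secret; a refresh token
        # presented by another app, or without the secret, is useless.
        grant = self.grants.get(refresh_token)
        if grant is None:
            return None  # revoked or unknown
        owner, user = grant
        expected = self.clients.get(client_id)
        if owner != client_id or expected is None:
            return None
        if not hmac.compare_digest(expected, client_secret):
            return None
        return self._issue_access(user, now)

    def revoke(self, refresh_token):
        self.grants.pop(refresh_token, None)  # user revokes at the SSO site

    def who_is(self, access_token, now):
        # Resource endpoint: any holder of an unexpired access token gets in.
        entry = self.access.get(access_token)
        if entry is None or now >= entry[1]:
            return None
        return entry[0]

    def _issue_access(self, user, now):
        token = secrets.token_urlsafe(16)
        self.access[token] = (user, now + ACCESS_TTL)
        return token
```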
I am aware of the details. I just don’t know where users are being put into control. It’s then the refresh token, which has no time limit on it. An app can ask for a new access token with a refresh token, and at any time, and so extend access indefinitely.
If laws and rules prevented crimes then we wouldn’t have any. It’s about enabling the users to take control over it in a reasonable manner and also have them find out who, when and from where their data is being accessed. It doesn’t need bad will by a 3rd party dev to abuse it, but a 3rd party site might also get hacked and client id and secret can get stolen.
I definitely would be happier with a few more tools at my disposal, while I also want users to be excited about 3rd party apps and have users granting these apps access to their data, but without over-complicating it for the users while still giving them a feeling of being in full control.
They’re being put in control at every step. You don’t like what the app is requesting? Reject the auth request. Don’t mind it? Confirm it. Like what the app offers and want to keep using it? Keep using it. Don’t want to use the app anymore? Revoke the authorization.
Also, if a 3rd party site has been hacked and their client id:secret pilfered, it’s on that dev to contact the SSO team and get those replaced ASAP. They don’t? They’re the ones subject to any punishment as a result of malicious use.
Don’t feel like going through all your authorizations one at a time to revoke them? Change your password. Bulk revocation of authorizations in one go.
No, you’re not when you first have to search and ask for it. There is a very clear difference between being put in control and being left in the dark.
None of the 3rd party apps I have visited told me where I can revoke access nor does CCP on their authorization page. Nor do I want to change my password every time I feel the need to revoke an app’s access.
You’re not really trying to sell this as friendly or ideal, are you? So let’s not be ignorant.
If CCP would tell you at the login and password prompt about where and how you can undo your decision then you’re also being put in control. Until then you are just being asked to give your login and password.
It then wouldn’t take much for CCP to put a message under the login prompt saying:
Authorization is permanent until explicitly revoked at their web site.
A link to the web site where users can revoke access.