+ The app's only feature is posting. No reading, searching, user profiles, or any other feature.
+ Users too just want it to post. We can assume many users don't want any apps - including this one - to routinely examine their user profiles, followers, or protected memberships on the platform.
+ However - and here's the problem IMO - the API's /post endpoint forces the app to have "read readuser post" scopes just to call this post-only API. ("Scopes" are OAuth terminology for broad permissions).
Why I think this is bad design:
+ The API fails to differentiate between external access and internal access. If the API's code needs to read profile data before posting, it's purely an internal implementation detail. There's no need to impose that requirement on all external apps even when they aren't interested in reading that data.
+ This is a leaky abstraction, but one with long-term privacy implications. Every posting app now has access to data it doesn't need or want. The app's vulnerabilities, breaches, or ownership transfers can potentially breach private data of thousands of users.
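To make the internal-vs-external distinction concrete, here is an added toy example (mine, not Twitter's code or any real endpoint). The `require_scopes` decorator, the token class, and the `alice` profile data are all constructed for illustration; the two endpoints perform the same profile read, but only one of them pushes that read's scope requirement onto the calling app.

```python
from dataclasses import dataclass

# Constructed sample data standing in for the platform's own user store.
PROFILES = {"alice": {"protected": True, "followers": ["bob", "carol"]}}
POSTS = []

@dataclass(frozen=True)
class AccessToken:
    user_id: str
    scopes: frozenset

class ScopeError(Exception):
    pass

def require_scopes(*needed):
    """Reject the call unless the token carries every scope the endpoint demands."""
    def decorator(fn):
        def wrapper(token, *args, **kwargs):
            missing = frozenset(needed) - token.scopes
            if missing:
                raise ScopeError(sorted(missing))
            return fn(token, *args, **kwargs)
        return wrapper
    return decorator

# Leaky design (the pattern described above): the endpoint's own profile read is
# gated by the caller's token, so every post-only app must hold read scopes.
@require_scopes("read", "readuser", "post")
def post_leaky(token, text):
    profile = PROFILES[token.user_id]
    POSTS.append({"user": token.user_id, "text": text, "protected": profile["protected"]})
    return len(POSTS)

# Tightened design: the same read is an internal call under the platform's own
# authority, so the external token needs only the scope the caller actually uses.
def _internal_profile(user_id):
    return PROFILES[user_id]

@require_scopes("post")
def post_tight(token, text):
    profile = _internal_profile(token.user_id)
    POSTS.append({"user": token.user_id, "text": text, "protected": profile["protected"]})
    return len(POSTS)

def attempt(endpoint, token, text):
    # Returns ('ok', post_count) or ('denied', [missing scopes]) for one call.
    try:
        return ("ok", endpoint(token, text))
    except ScopeError as err:
        return ("denied", err.args[0])
```

A token granted only `post` is refused by the leaky endpoint and accepted by the tightened one, even though both end up reading the profile.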
The OAuth philosophy normally assumes that apps have malicious intentions and it's on the platform to look out for the best interests of its users.
Ironically, here it's the API owner itself that's ignoring user privacy and the spirit of user consent. Perhaps an unintended consequence of innocuous technical decisions made by individual engineers who didn't realize their higher-level implications on society.
But I haven't done API design at that scale. I made this an Ask instead of Tell HN because I'd like to know:
1) Do you think this is poor API design? Or is there a Chesterton's Fence here that I'm overlooking that justifies the broader scopes?
2) If you think it's poor design, do you know of any online resources for authz best practices that you found useful?
3) Are there terms and phrases for such phenomena where innocuous decisions made at lower levels, perhaps under limited time and responsibilities, have wider and deeper implications?
----
The particular API I'm talking about (though I believe this may be a wider problem across most platforms): https://developer.twitter.com/en/docs/twitter-api/tweets/manage-tweets/api-reference/post-tweets