Authorize

From Social Patterns

Problem Summary

The user wants to participate on a site by bringing their data and files over from another site.


Example

Flickr's Allow Access screen on Facebook
Authorization screen letting the My Flickr application access profile information on Facebook.

Flickr authenticate authorization screen on Facebook
Authentication screen from My Flickr Facebook Application to read from flickr.com account.

Screen on Flickr's side giving the user the ability to allow the accounts to link together
Flickr's authorization screen giving a third party read access to data in the Flickr account. Allowing the access lets pictures from my Flickr stream show up in a Facebook application on my Facebook profile.


Use When

  • Use this pattern when features on your site are enhanced or filled in by accessing data and files from another site (Site A).
  • Use this pattern when user generated content or data on your site has the potential to enhance or enable other sites that your users may be participating in (Site B).


Solution

  • For Site A:
    • Before resorting to the Password Anti-Pattern (see that pattern) to access a user's data, check whether the other site supports OAuth. If so, use that protocol for the data transaction.
    • Site A should ask the user what data they would like to access.
    • Show possible choices, such as Flickr, Photobucket, SmugMug, etc. for photos, or Yahoo! Address Book, Plaxo, Google, etc. for contacts.
    • Once the user selects the site where their data lives, Site A should send the user to that site to grant access.
    • Information about how the data will be used should be presented on Site A.
  • For Site B:
    • Use the open authorization protocol, OAuth, to facilitate the authorization process.
    • Site A will send its user to Site B. The user signs into the account, and Site B should present a screen that asks whether they really want to share the data with Site A.
    • Upon agreement, the user is sent back to Site A and the data is now available in that experience.
    • Information about how Site A will use the permissions granted should be clearly presented to the user on Site B.
    • Allow the user to cancel the authorization at any point.
    • Provide an easy way for the user to revoke permissions from Site A.
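The steps above, carried through as an added Python simulation that is not from the original page: Site A sends the user to Site B with an unguessable state value, Site B shows a consent screen naming the requester, the requested scope and its purpose, the user may cancel, and the token that comes back is scoped and revocable so Site A never handles the user's Site B password. Class and method names are assumptions.

```python
import secrets
from dataclasses import dataclass, field


@dataclass
class Provider:
    """Site B: holds the user's data and issues scoped, revocable tokens."""
    grants: dict = field(default_factory=dict)  # token -> (consumer, scope)

    def consent_text(self, consumer, scope, purpose):
        # Shown to the user before agreeing: who is asking, for what, and why.
        return f"{consumer} requests '{scope}' access. Purpose: {purpose}"

    def authorize(self, consumer, scope, state, user_agrees):
        # The user may cancel at any point; then no token is issued.
        if not user_agrees:
            return state, None
        token = secrets.token_urlsafe(16)
        self.grants[token] = (consumer, scope)
        return state, token  # state is echoed back for Site A to check

    def fetch(self, token, scope):
        grant = self.grants.get(token)
        return None if grant is None or grant[1] != scope else f"{scope} of user for {grant[0]}"

    def revoke(self, token):
        # Revocation ends Site A's access without the user changing a password.
        return self.grants.pop(token, None) is not None


class Consumer:
    """Site A: never learns the user's Site B password, only a token."""
    def __init__(self, name, provider):
        self.name, self.provider, self.token, self.pending = name, provider, None, set()

    def start_link(self, scope, purpose):
        # Explain the use on Site A, then send the user off with unguessable state.
        state = secrets.token_urlsafe(8)
        self.pending.add(state)
        return state, self.provider.consent_text(self.name, scope, purpose)

    def complete_link(self, returned_state, token):
        # The user returns; accept only a response matching a request we started.
        if returned_state not in self.pending:
            return False
        self.pending.discard(returned_state)
        self.token = token
        return token is not None

    def pull(self, scope):
        return self.provider.fetch(self.token, scope) if self.token else None


def demo(user_agrees=True):
    # Constructed end-to-end run: Site A asks for photos, the user decides on Site B.
    site_b, site_a = Provider(), Consumer("Site A", None)
    site_a.provider = site_b
    state, _shown = site_a.start_link("photos", "show your photos on your Site A profile")
    returned_state, token = site_b.authorize("Site A", "photos", state, user_agrees)
    return site_a, site_b, token, site_a.complete_link(returned_state, token)
```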


Rationale

Using an authorization flow and protocol like OAuth allows a user to grant access between sites without exposing their user name and password. This process is the preferred method of allowing data sharing, rather than using the Password Anti-Pattern.


Related Patterns

Password Anti-Pattern


As Seen On