Talk:OAuth app guidelines

From Meta, a Wikimedia project coordination wiki
Latest comment: 8 months ago by Samwilson in topic Beta Cluster consumers

Beta Cluster consumers

Are there any guidelines to approving consumers on the Beta Cluster? I approve them sometimes, and generally don't worry too much because it's a beta environment and people can't do much damage. But there are a bunch pending at the moment from Outreachy applicants and a few are requesting rights likely beyond what they need (e.g. "Send email to other users"). @Tgr and Lucas Werkmeister as you've both approved consumers recently. I'm wondering if these applications should be rejected because they would be if made on Meta. Sam Wilson 02:51, 10 October 2023 (UTC)

It would be nice to educate Outreachy applicants to not request grants they do not need, but I don't think there's much risk to granting them on Beta. "Send email" is risky because there's no way to tell it's being sent by an app and not the human who authorized the app, but there is not much phishing risk to emails from Beta. Tgr (WMF) (talk) 03:38, 10 October 2023 (UTC)
@Tgr (WMF): Yes, that sounds sensible. I'll approve these, but try to reach out to them to let them know to be aware of what permissions they request. Sam Wilson 04:11, 10 October 2023 (UTC)
No guidelines that I’m aware of. I sometimes approve them based more or less on gut feeling, but left this recent batch alone due to the large number of rights requested. Lucas Werkmeister (talk) 13:01, 10 October 2023 (UTC)
@Lucas Werkmeister: I've been in touch with the Outreachy mentors for this lot, and they're going to tell the applicants to be more careful in future. All of the requests were for localhost callbacks, which I think also limits the damage that can be done here. Sam Wilson 02:36, 11 October 2023 (UTC)