undefined | Better HN

0 pointsLockyy12y ago0 comments

I'm working with OAuth right now and the only info that I'm not being given that I have to ask for is an email address when the user uses twitter. Twitter doesn't give you an email address, and you cannot ask for it, so the only option is to ask for it. Which makes things harder on my end. It really feels redundant and makes me wonder what the Twitter team was thinking.

0 comments

6 comments · 1 top-level

cessor12y ago· 5 in thread

As a user of these services I can stay that I am very happy about this *(I didn't know, but somebody here on hn claimed github auth did the same thing). This is exactly how it should work. What on earth is your excuse to really need my email address? I am sorry if I sound rude, but this behavior enrages me somewhat.

If you wish to track data that is connected to my identity, i.e. provide continuity in your service, store some stuff that I made, settings, preferences, you don't need my email address.

If you really wish to communicate: Talk to me on twitter, it's nearly public! With oauth you receive a token as a representation of my identity, not my email address. If you really need an email address - then why do you need oauth?

If I go to a store to just browse through the shelves I don't have to give the clerk my telefone number. Why would he need it anyway? To annoy me every once in a while and bully me into visiting his store, which I voluntarily entered in the first place?

Here is a positive example: - Go to iron.io - Log in with your twitter account - Nothing happens: You can use the app and they show you around pretty nicely.

Yet Iron provides a service upgrade, which requires credit information. They ask for it, specificly when they need it: When you want more from their service. In that case you have to provide them with the info.

This is how websites could handle this issue. Log in with oauth. If you REALLY personally need to contact me, then you can ask me later. Not upon login or to distinguish me from other people or provide continuity.

Emails are communication handles. They shouldn't be a poor man's surrogate database primary key.

I remain very curious: What does _your_ service need my email address for?

LockyyOP12y ago

A user deletes their Facebook or Twitter account. I don't have their email address. They try to login and can't. They have to now email me and prove to me which account is theirs so I can reset the password, give it an email and let them regain access. The account may be a free account but it can still contain data a user wouldn't want to lose. Ensuring from the get go that they can recover their data just makes things easier.

Regardless of how legitimate you think my usage of email addresses is the inability to even ask for it _is_ a downside. For those use cases that do require it immediately you now have a system where the user clicks the 'Login without filling in a form' button and gets thrown to a form anyway, which is exactly what we were trying to avoid.

moron4hire12y ago

This is called "over-optimizing for low-likelihood scenarios".

1 more reply

cessor12y ago

I see, you are asking for the email address, so that people can unlock their account in case they delete their oauth token provider (i.e. their tw/fb account), did I understand that correctly?

But do you have to do this whenever a completely new user tries to access the website? Is setting up an alternative access method not a very different concern?

billiamram12y ago

Similar to how google asks for a phone number eventually as a back up convenience in case you get locked out, would dong the same with email make sense? That seems like it would build trust and give the user control over their own risk.

mreiland12y ago

you could ask for a unique identifier that isn't an email address.

j / k navigate · click thread line to collapse