Short description of the issue
- Revoking an application's access to the Trakt API, e.g. clicking REVOKE ACCESS in
https://trakt.tv/oauth/authorized_applications, revokes real-time access to the API but does not disable the ability to create new authorizations.

Detailed description with additional context about the workflow
- This is more of a USABILITY issue, not a SECURITY issue. I will directly name the troubling application, but this does seem applicable to any external service.

STEP 01: I connected Stremio with Trakt.

STEP 02: Was not satisfied, so I visited
https://trakt.tv/oauth/authorized_applications and revoked access.

STEP 03: Clicking Trakt Scrobbling Authenticate in the troubling application [Stremio] opens a new tab in my browser, which automagically adds the application back to
https://trakt.tv/oauth/authorized_applications.

WHAT HAPPENS: ALL HAIL OAUTH web flows with ZERO user interactions, bla bla super UI 100 % involvement rate.

WHAT SHOULD HAPPEN: Standard OAUTH screen with a list of permissions and big red and green deny/allow buttons.
Screenshots and other visual aids
- Screenshots? Extreme measures were taken to hide this UI flow from the user, what the heck kind of screenshots do you want?
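To make the reported behaviour concrete, here is an added illustration (not Trakt's or Stremio's code, and not part of the original post): a hypothetical, minimal OAuth authorization-server model in which "revoke access" either only invalidates issued tokens, so the next authorization request is auto-approved from the remembered consent, or also forgets the consent, so the user sees the permission screen again. The user, client id and token strings are constructed sample values.

```python
# Hypothetical authorization-server model (added example, not Trakt's code).
# Weak variant: REVOKE ACCESS kills live tokens but keeps the remembered
# consent, so a fresh /authorize request is silently auto-approved.
# Fixed variant: revoking also clears the consent record, so /authorize
# must show the permission screen again.
from dataclasses import dataclass, field


@dataclass
class AuthServer:
    # user -> client_id -> set of scopes the user previously approved
    consents: dict = field(default_factory=dict)
    # user -> client_id -> set of live access tokens
    tokens: dict = field(default_factory=dict)
    clear_consent_on_revoke: bool = True

    def approve(self, user, client_id, scopes, token):
        """User clicked "allow": remember the consent and issue a token."""
        self.consents.setdefault(user, {})[client_id] = set(scopes)
        self.tokens.setdefault(user, {}).setdefault(client_id, set()).add(token)

    def revoke(self, user, client_id):
        """What REVOKE ACCESS does: invalidate live tokens (both variants)."""
        self.tokens.get(user, {}).pop(client_id, None)
        if self.clear_consent_on_revoke:
            # The fix: forget the prior approval as well.
            self.consents.get(user, {}).pop(client_id, None)

    def authorize(self, user, client_id, scopes):
        """How /authorize answers a new request from client_id:
        'auto_approve' (consent screen skipped) or 'show_consent'."""
        approved = self.consents.get(user, {}).get(client_id, set())
        if set(scopes) <= approved:
            return "auto_approve"
        return "show_consent"

    def token_is_valid(self, user, client_id, token):
        return token in self.tokens.get(user, {}).get(client_id, set())


def walk_through(clear_consent_on_revoke):
    """Replay STEP 01-03 from the report; return what STEP 03 shows the user."""
    srv = AuthServer(clear_consent_on_revoke=clear_consent_on_revoke)
    srv.approve("alice", "stremio", ["scrobble"], "tok-1")   # STEP 01: connect
    srv.revoke("alice", "stremio")                             # STEP 02: revoke
    assert not srv.token_is_valid("alice", "stremio", "tok-1")  # token is dead
    return srv.authorize("alice", "stremio", ["scrobble"])     # STEP 03: re-auth
```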