Recommendation for managing OAuth2 user consent

I went through RFC6749 to learn about OAuth2, but I found that the RFC doesn’t talk much about how to store/manage the user consent at the authorization server. A common question when handling user consent is how long it should live: with a defined TTL, per login session, or permanently until explicitly revoked.

I couldn’t find an answer to this when looking at several OAuth2 implementations such as Auth0, Google Identity Platform or Okta. It looks like each platform handles user consent in its own way and there is no standard recommendation for it.

Does anyone have experience with this, or any source of recommendations for managing OAuth2 user consent to share?

Thank you.
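As an added illustration (not from the question or from any of the providers it names), the three consent lifetimes the question lists can be modelled as policies on a single consent record. The store below is hypothetical; the one rule it applies regardless of policy is that a request for scopes beyond what was granted always re-prompts the user.

```python
from dataclasses import dataclass
from enum import Enum
from typing import Dict, FrozenSet, Iterable, Optional, Tuple
import time

class Lifetime(Enum):
    TTL = "ttl"              # consent expires after a fixed interval
    SESSION = "session"      # consent lives only as long as the granting login session
    PERMANENT = "permanent"  # consent stands until the user revokes it

@dataclass
class Consent:
    client_id: str
    scopes: FrozenSet[str]
    granted_at: float
    session_id: Optional[str] = None   # set only under the SESSION policy
    expires_at: Optional[float] = None # set only under the TTL policy
    revoked: bool = False

class ConsentStore:
    """Hypothetical authorization-server consent store keyed by (user, client)."""
    def __init__(self, lifetime: Lifetime, ttl_seconds: Optional[float] = None):
        self.lifetime = lifetime
        self.ttl = ttl_seconds
        self._records: Dict[Tuple[str, str], Consent] = {}

    def grant(self, user_id: str, client_id: str, scopes: Iterable[str],
              session_id: str, now: Optional[float] = None) -> Consent:
        now = time.time() if now is None else now
        rec = Consent(client_id, frozenset(scopes), now,
                      session_id=session_id if self.lifetime is Lifetime.SESSION else None,
                      expires_at=now + self.ttl if self.lifetime is Lifetime.TTL else None)
        self._records[(user_id, client_id)] = rec
        return rec

    def revoke(self, user_id: str, client_id: str) -> None:
        rec = self._records.get((user_id, client_id))
        if rec is not None:
            rec.revoked = True

    def needs_prompt(self, user_id: str, client_id: str, requested: Iterable[str],
                     session_id: str, now: Optional[float] = None) -> bool:
        """True when the consent screen must be shown again for this request."""
        now = time.time() if now is None else now
        rec = self._records.get((user_id, client_id))
        if rec is None or rec.revoked:
            return True
        if rec.expires_at is not None and now >= rec.expires_at:
            return True
        if rec.session_id is not None and rec.session_id != session_id:
            return True
        return not frozenset(requested) <= rec.scopes  # scope escalation re-prompts
```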

Practical use of O-card, or how to measure positive consent on the fly

I’m preparing to run the game Bluebeard’s Bride with a couple of players I don’t know very well. This game can be quite heavy on disturbing content, so I certainly plan to have an X-card equivalent in the game. At the same time, I have put a clear indication of the theme and some of the possible triggers in the pre-game blurb (it will be run at a small convention dedicated purely to RPG games), so the assumption is that players will be willing to experience at least some of it and push their boundaries.

As it is a single-session game in a predefined timeframe (5-6 hours total), there is a limit to how much pre-game ‘session 0’ research/questionnaires I can do. I also do not expect to have any contact with the players before the game itself.

I’m strongly considering having an equivalent of the O-card in addition to the X-card. For people not familiar with the term, here is a definition from the TTRPG Safety Toolkit:

The O card can be used at any point if a participant wants to continue with the content. When the O card is used by tapping the card or typing an “O” in the chat, the group is ok to continue with the content. They can also regularly be prompted by a “O?” asked out loud or in the chat to check-in if everyone is still ok.

Let’s ignore the online play part.

How does it work in practice with multiple players? The X-card is simple – one player bails out, the scene stops. But with the O-card, is it enough that the directly involved player taps the card to increase/follow the narration, and the rest can X-card it if they don’t agree? Can other players use the O-card, even if they are just listening at the moment? Or do we do a quick vote, which can be quite awkward with 5 players and put a kind of peer pressure on the last one not joining, which these techniques are meant to avoid?

With LARPs it is a bit easier with red/yellow/green safety words, because

  • you often interact with just one person who can be affected by your actions
  • often you ask about physical interaction but you use verbal confirmation, which intrudes less into the flow

In TTRPGs, the physical gesture on the X-card provides the same distinction between action (which is verbal) and safety mechanism (touch in this case) – verbal consent techniques would be more invasive.

Do you have any other techniques for players to indicate consent for moving to a ‘higher gear’ on the fly, which work with 5 players?

Is there any evidence for or against consent forms in game? [on hold]

The new hype this year seems to be consent forms for RPG Sessions. I’m all in on having a safe game, and keeping an eye open for players feeling bad during a game. Therefore, even my Kult sessions are tame because I don’t think that exploitation is a valid way to generate tension. But other people might have different experiences.

In my layman’s view, consent forms seem to be at least ineffective or at most damaging. If someone is comfortable enough to make their triggers known in an impersonal form, a summary of the possible topics plus a conversation with each player prior to a particularly heavy setting should suffice for a GM who has some grasp of their players (this does not remove the responsibility of keeping an eye open DURING and AFTER the game for any inconveniences or problems).

And if someone ISN’T comfortable filling in a form (peer pressure, unresolved traumas, lack of knowledge of what might trigger them, etc.), then a session might end up abusing its theme because no one ticked that particular box in the form, and the tension that the GM sees at the table could be assumed to be due to the setting and not to something that is triggering a player.

I tried to find something to support or rebuke those ideas, but had no luck. So, if someone has any pointers in that direction, or has some formal training/experience in psychology and trauma, please, chime in.

Does ubuntu 18.04 delete files without my consent?

I installed Ubuntu 18.04 for development but it’s giving me countless frustrations. First I had to reinstall postgres because, for whatever reason, I logged in and it wasn’t working. Today I log in and my python virtual environment isn’t working – turns out the bin directory is somehow lost! I did what anyone would do: rm -r venv, create a new venv, and reinstall packages. Just as I thought all was done, I ran into errors and figured out my .env file had been deleted!

Has anyone else faced such issues? It’s driving me crazy!!!

Google Drive showing device data without my consent

I signed in three Google accounts on my Android phone.

In the Google account synchronization settings, I unchecked Google Drive so that no data from the Google Drive server would sync to the phone and no data from the phone would be saved on the Google Drive server.

However, when I open Google Drive, I see phone data on Google Drive. As I said, three Google accounts are signed in on the Android phone. It is picking any account’s Google Drive randomly.

I uninstalled Google Drive and re-installed it.

However, I see the same issue.

Regards

TekQ

Android 7.0: can Android delete songs from internal storage without my consent?

I’ve just noticed that a lot of songs I had on my Leagoo T5c (Android Nougat) have disappeared. Namely, among others, the whole discography of Sheryl Crow in FLAC format, all 5GB of it (I still have over 10GB of free space, BTW).

Has Android been known to randomly or purposely delete songs? Can those songs I ripped from CDs I had (and don’t have anymore, alas) have an expiry date?

I remember listening to those songs a few months ago, and I have done nothing on the phone that could explain them missing, like factory restore or anything of the kind, since then.

How to prevent fake OAuth consent screens?

I can’t find an answer to this simple question about delegated authorisation: when using a mobile app, how can a user be sure that a consent screen (let’s say Google or Facebook) is a real one? The app could fake the consent screen and get the user’s credential information when he tries to log in, no?

On a web page, you can check the URL of the consent screen page and the padlock icon, but what if you just have a webview in a mobile app?

Thanks for your help! Edouard

Cookie consent message needed for web game high score?

I’m making an online word game and I want to use a cookie to store the user’s high score so it will always be shown when they play the game, not just for the session. To comply with the EU GDPR, do I need a cookie consent message for that? It will only be storing the high score, no name or email address or anything like that.