When I'm developing something that uses the API, something that's easy to forget is that my user has already granted access. It seems to me that once I've authorized a user, that user is authorized across the board. If I use a different browser or a private window, I may still be redirected to the OAuth page, but access is granted automatically and I often don't even see it. If I delete the zauth token from my localStorage, it's the same thing. My user has granted access and that's the end of that discussion.
A workaround is to create new users (and use another browser or a private browsing window). But this is tedious, and it creates a whole bunch of test users whose sole purpose is to test the OAuth process. And yes, I can go and delete those users, but I think it would be faster to be able to unset OAuth access via the admin. Then I can just keep using my main user.
That brings up the question: what if an actual end user decides they want to revoke access? That would be unfortunate for us, but I feel a little like we're holding our users hostage when they grant access: our application won't work without it, and they have no way to opt out in the future.