Consent screen refresh

Description

Discussions from mailing list to be refined into actual spec

 

Sander

Hi Krzysztof,

here is the mail for the improved consent screen. I talked with
different users about it and gather different feedback and suggestion,
and combined it to one new layout. I attached two pictures, one with
the hidden (consentscreen) details and one with all information
(consentscreen extended). Please do not care about the header and the
image artefacts in background. I only had an client with a logo on the
EUDAT instance.

I try to explain the changes below.

  • In SAML you wrote remote service and in OAuth you write remote
    client. Client is very technical and "normal" users do not know the
    difference. Please use in both cases the term remote service.

  • The sentence "A remote service/client has requested your
    authorization" is technically fine but not so fine in the sense of
    users. I adapted it to "The remote service NAME has asked for the
    following access to your personal data". Where Name is old space with
    the logo and the name. Having a logo in place is very nice. The
    suggested sentence is similar to the sentence like Github or ORCID use,
    so users are more familiar with it.

  • At the moment the focus of the consent screens seems to be the
    requested scopes because they are using a lot of space. My suggestion
    is a list of the description (names are to technical for the users)
    with some listing symbol. This is also used by other IdPs like Github.
    Please use the same font size like at the other fonts. There is no need
    for further highlighting. The surrounding box is fine.

  • Use only one List for the details instead of two, where the first
    contains only the identifier. The identifier can be listed together
    with the other attributes and you can use the long text as explanation,
    when you hover with the mouse over it.

  • The buttons for confirmation, rejection and login as another user are
    reordered. The acceptance button is more highlighted and the wording is
    changed to Authorise and Deny. This style and wording is used by other
    IdPs like ORCID or Github, too. So users already know it from other
    services and feel familiar with it. Maybe it is also possible to have
    only links instead of buttons for Deny and Login. Otherwise they might
    be to highlighted. I also changed the text to "Login as a different
    user". The feedback I got was that different sounds better than
    another.

  • I added another "drop down section" at the client name. Within this
    section is a short description about the service and the services URL.
    ORCID has this description, too and it is very nice to see some more
    information about the service instead the technical return URL. But the
    detailed information, including the URL, should not displayed directly.
    Most users do not care about them and otherwise the screen has to many
    information.

  • Because the arrows are quite small there could be a linked text Show
    more/less which triggers the expansion/collapse of the displayed
    information.

  • The sentence about the remembrance could be extended with a hint of
    the revocation in the users home. But the difficulty is that is should
    not to long and to technical.

  • I added a short sentence about not released credentials and
    information. I know there was one, but it should be shown every time
    and not only with the expanded list. And the wording attribute is
    technical stuff.

  • In the expanded attribute list, I replaced the checkboxes with
    sliders. The sliders are more modern instead of the checkboxes. Using
    the colours you can quite simple clarify the meaning. Gray is disabled,
    red is protected and green is released. I changed also the column label
    from hide to protect/expose.

  • If the attributes are single valued, there should be only one slider
    for the attribute itself instead one for the attribute and one for the
    value. Attributes without values should not released to the SPs. If an
    attribute has multiple values there should be one slider per value and
    one for the attribute which changes the slider of all values.

  • The textboxes should be expanded for the "column" length. At the
    moment there is a lot of unused space between the attribute values and
    the control panels. This will also simplify to see which control
    element belongs to which attribute/value.

  • The Gray out hided/protected attributes should be kept. I just did
    not copy it in the image.

  • The sentence about the consequences of hiding some attributes should
    be kept but without the technical wording of attribute.

I know this are a lot of changes and some of them might not be trivial
to implement. I also know that it is nearly impossible to generate a
layout and theme which everyone likes. I hope you can use this input.

KB:

First of all thanks for the  detailed description of the request, that's highly valuable.
 
In general I agree with majority of your points, and... I was thinking about even deeper changes. Below you can find what I'd still change, taking your proposal as a starting point:

  1. I think that the leading "The remote service" is not needed. "Remote service" is still very technical. Instead I'd just put: <APP-NAME>\n<LOGO>\n "has asked....". BTW note that you can modify all the strings (and remove client) already now, without any developments.

  2. In the expanded view of client: in Address I'd only put client's domain whenever client id is a URL (what is almost always true, except of some strangely configured SAML clients). Paths and URL schemes even are cryptic for most of the users, and anyway they won't know technical paths of OAuth/SAML service.

  3. I strongly believe that the whole block of "hiding" some attributes should be (a) configurable if exposed or not (b) by default turned off. That is super technical, often the attributes are very technical, and most often clients won't work without them. But I understand that in your case you want to keep this option, so when turned on, your suggestions are good.

  4. I have a problem defining the view on which you base on OAuth scopes, in case of SAML IdP. What to show then? Perhaps nothing as the only thing we can show is the list of attributes and identity.

  5. Presence of "Login as a different user" should be also configurable - for many services there is a strong assumption of a single account per user and then this doesn't make sense. Note: in future we should do even better, store in cookies info about other identities and allow to quickly choose.

  6. In expanded view with exposed data: I think that putting disabled switches makes no sense (just no switch) and "protect/expose" could be rather  just "expose".

  7. Details of client shown only if we have them defined, same for logo.
     

Done

Assignee

Krzysztof

Reporter

Krzysztof

Labels

Fix versions

Priority

Medium