Consent screen refresh
Discussions from mailing list to be refined into actual spec
here is the mail for the improved consent screen. I talked with
different users about it and gather different feedback and suggestion,
and combined it to one new layout. I attached two pictures, one with
the hidden (consentscreen) details and one with all information
(consentscreen extended). Please do not care about the header and the
image artefacts in background. I only had an client with a logo on the
I try to explain the changes below.
In SAML you wrote remote service and in OAuth you write remote
client. Client is very technical and "normal" users do not know the
difference. Please use in both cases the term remote service.
The sentence "A remote service/client has requested your
authorization" is technically fine but not so fine in the sense of
users. I adapted it to "The remote service NAME has asked for the
following access to your personal data". Where Name is old space with
the logo and the name. Having a logo in place is very nice. The
suggested sentence is similar to the sentence like Github or ORCID use,
so users are more familiar with it.
At the moment the focus of the consent screens seems to be the
requested scopes because they are using a lot of space. My suggestion
is a list of the description (names are to technical for the users)
with some listing symbol. This is also used by other IdPs like Github.
Please use the same font size like at the other fonts. There is no need
for further highlighting. The surrounding box is fine.
Use only one List for the details instead of two, where the first
contains only the identifier. The identifier can be listed together
with the other attributes and you can use the long text as explanation,
when you hover with the mouse over it.
The buttons for confirmation, rejection and login as another user are
reordered. The acceptance button is more highlighted and the wording is
changed to Authorise and Deny. This style and wording is used by other
IdPs like ORCID or Github, too. So users already know it from other
services and feel familiar with it. Maybe it is also possible to have
only links instead of buttons for Deny and Login. Otherwise they might
be to highlighted. I also changed the text to "Login as a different
user". The feedback I got was that different sounds better than
I added another "drop down section" at the client name. Within this
section is a short description about the service and the services URL.
ORCID has this description, too and it is very nice to see some more
information about the service instead the technical return URL. But the
detailed information, including the URL, should not displayed directly.
Most users do not care about them and otherwise the screen has to many
Because the arrows are quite small there could be a linked text Show
more/less which triggers the expansion/collapse of the displayed
The sentence about the remembrance could be extended with a hint of
the revocation in the users home. But the difficulty is that is should
not to long and to technical.
I added a short sentence about not released credentials and
information. I know there was one, but it should be shown every time
and not only with the expanded list. And the wording attribute is
In the expanded attribute list, I replaced the checkboxes with
sliders. The sliders are more modern instead of the checkboxes. Using
the colours you can quite simple clarify the meaning. Gray is disabled,
red is protected and green is released. I changed also the column label
from hide to protect/expose.
If the attributes are single valued, there should be only one slider
for the attribute itself instead one for the attribute and one for the
value. Attributes without values should not released to the SPs. If an
attribute has multiple values there should be one slider per value and
one for the attribute which changes the slider of all values.
The textboxes should be expanded for the "column" length. At the
moment there is a lot of unused space between the attribute values and
the control panels. This will also simplify to see which control
element belongs to which attribute/value.
The Gray out hided/protected attributes should be kept. I just did
not copy it in the image.
The sentence about the consequences of hiding some attributes should
be kept but without the technical wording of attribute.
I know this are a lot of changes and some of them might not be trivial
to implement. I also know that it is nearly impossible to generate a
layout and theme which everyone likes. I hope you can use this input.
First of all thanks for the detailed description of the request, that's highly valuable.
In general I agree with majority of your points, and... I was thinking about even deeper changes. Below you can find what I'd still change, taking your proposal as a starting point:
I think that the leading "The remote service" is not needed. "Remote service" is still very technical. Instead I'd just put: <APP-NAME>\n<LOGO>\n "has asked....". BTW note that you can modify all the strings (and remove client) already now, without any developments.
In the expanded view of client: in Address I'd only put client's domain whenever client id is a URL (what is almost always true, except of some strangely configured SAML clients). Paths and URL schemes even are cryptic for most of the users, and anyway they won't know technical paths of OAuth/SAML service.
I strongly believe that the whole block of "hiding" some attributes should be (a) configurable if exposed or not (b) by default turned off. That is super technical, often the attributes are very technical, and most often clients won't work without them. But I understand that in your case you want to keep this option, so when turned on, your suggestions are good.
I have a problem defining the view on which you base on OAuth scopes, in case of SAML IdP. What to show then? Perhaps nothing as the only thing we can show is the list of attributes and identity.
Presence of "Login as a different user" should be also configurable - for many services there is a strong assumption of a single account per user and then this doesn't make sense. Note: in future we should do even better, store in cookies info about other identities and allow to quickly choose.
In expanded view with exposed data: I think that putting disabled switches makes no sense (just no switch) and "protect/expose" could be rather just "expose".
Details of client shown only if we have them defined, same for logo.