LIFF should request "Profile" instead of "Open ID" #293

MrOrz · 2021-09-23T05:54:14Z

As-is

Currently Cofacts LIFF requests for openid and chat_message.write scope.

This triggers the following consent window when the user first opens Cofacts LIFF:

Currently the "用戶識別資訊 (必要資訊)" has caused confusion and intimidated users from proceeding.

We should use profile instead. If we do so, the consent window will become something similar to:

The wording of "Profile" scope (個人檔案) is more welcoming to the users.

Furthermore, we can access liff.getFriendship() after we have access to profile scope, allowing us to display links to add Cofacts chatbot to those who did not.

We can replace the current mechanism of passing ID tokens to passing access token instead.
On server side, we replace ID token verification mechanism with calling /v2/profile for the userId.
We don't need to call /oauth2/v2.1/verify, /v2/profile should be enough just for retrieving trustworthy userId from LINE.

This issue does not nessasarily cover the deprecation of urlToken param mechanism.
This issue does not cover chat_message.write (傳送訊息至聊天室). Removing this scope requires siginificant rewrite of the chatbot workflows, which are outlined here.

The text was updated successfully, but these errors were encountered:

bil4444 self-assigned this Sep 23, 2021