June 16, 2026 · 2 min read · open-source, contributing, dev

OAuth Consent Screens Now Show Actual Permissions Instead of Overstating Bluesky Access


A draft fix to the atproto OAuth provider UI stops showing blanket 'manage profile, posts, likes and follows' language for narrow app.bsky.* scopes, replacing it with accurate per-collection details. This closes an informed consent gap where users couldn't see exactly what authority they were granting.

What

The OAuth consent screen was displaying the same broad permission summary ('Manage your profile, posts, likes and follows') for any Bluesky-scoped app, regardless of whether the app actually requested narrow access like read-only post queries or specific collection writes. The fix reserves that blanket wording only for genuinely broad permissions (collection=* or transition:generic scopes) and surfaces accurate RepoTable and RpcMethodsTable details for narrow requests instead.

Why it matters

Users need to understand exactly what data access they are authorizing before granting consent. Overstating permissions violates informed consent principles and the least-authority transparency requirement (OWASP A04). When an app only asks for narrow Bluesky access, the consent screen should reflect that specificity, not suggest the app can do everything.

Who it's for

This change benefits any developer building OAuth clients on atproto and every user who grants those clients permission. It improves the security posture of the entire Bluesky ecosystem by making consent screens more honest and granular.

When & where

The fix is currently a draft PR, bluesky-social/atproto#5103, and has not yet been merged into the main repository. It targets the oauth-provider-ui and oauth-scopes packages within the atproto monorepo.

How

The implementation extracts a shared helper function (hasOnlyBskyAppSpecificPermissions) to detect narrow Bluesky requests, then conditionally renders either the blanket summary or the detailed permission tables based on scope breadth. All 311 tests across 12 suites in the oauth-scopes package pass, and the scenario matrix confirms narrow requests no longer overstate access while broad requests remain unchanged.
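The decision described in the "What" and "How" sections above, shown as an added TypeScript illustration rather than code from the atproto oauth-scopes or oauth-provider-ui packages. The scope grammar (repo:<nsid>?action=…, rpc:<nsid>?aud=…, transition:<name>), the default-actions rule for a repo scope with no action, and the exact predicate inside hasOnlyBskyAppSpecificPermissions are my assumptions; the sample scope strings are constructed. legacyConsentSummary reproduces the overstating behaviour for contrast, consentSummary the corrected one.

```typescript
// Added illustration of the consent-screen decision described in this note.
// Scope grammar, helper semantics and sample inputs are assumptions; this is
// not code from the atproto oauth-scopes or oauth-provider-ui packages.

type RepoScope = { kind: "repo"; collection: string; actions: string[] };
type RpcScope = { kind: "rpc"; method: string; aud?: string };
type TransitionScope = { kind: "transition"; name: string };
type OtherScope = { kind: "other"; raw: string };
type ParsedScope = RepoScope | RpcScope | TransitionScope | OtherScope;

const BLANKET_TEXT = "Manage your profile, posts, likes and follows";
const BSKY_PREFIX = "app.bsky.";

// Parse "repo:<nsid>?action=..." / "rpc:<nsid>?aud=..." / "transition:<name>".
// Anything without a recognised prefix (e.g. the base "atproto" scope) is kept
// verbatim so it can still be listed on the screen.
export function parseScope(raw: string): ParsedScope {
  const q = raw.indexOf("?");
  const head = q < 0 ? raw : raw.slice(0, q);
  const params = new URLSearchParams(q < 0 ? "" : raw.slice(q + 1));
  const colon = head.indexOf(":");
  if (colon < 0) return { kind: "other", raw };
  const prefix = head.slice(0, colon);
  const name = head.slice(colon + 1);
  if (prefix === "repo") {
    const actions = params.getAll("action");
    // Assumption: a repo scope with no explicit action grants every write action.
    return { kind: "repo", collection: name, actions: actions.length ? actions : ["create", "update", "delete"] };
  }
  if (prefix === "rpc") return { kind: "rpc", method: name, aud: params.get("aud") ?? undefined };
  if (prefix === "transition") return { kind: "transition", name };
  return { kind: "other", raw };
}

// The two shapes the note reserves the blanket wording for.
function isBroad(s: ParsedScope): boolean {
  return (s.kind === "repo" && s.collection === "*") ||
         (s.kind === "transition" && s.name === "generic");
}

function isRepoOrRpc(s: ParsedScope): s is RepoScope | RpcScope {
  return s.kind === "repo" || s.kind === "rpc";
}

function nsidOf(s: RepoScope | RpcScope): string {
  return s.kind === "repo" ? s.collection : s.method;
}

// Narrow Bluesky request (assumed predicate): at least one repo/rpc scope,
// every repo/rpc scope names a concrete app.bsky.* collection or method, and
// no broad scope is present anywhere in the request.
export function hasOnlyBskyAppSpecificPermissions(scopes: string[]): boolean {
  const parsed = scopes.map(parseScope);
  const narrow = parsed.filter(isRepoOrRpc);
  if (narrow.length === 0 || parsed.some(isBroad)) return false;
  return narrow.every((s) => nsidOf(s).startsWith(BSKY_PREFIX));
}

export type ConsentSummary =
  | { mode: "blanket"; text: string }
  | { mode: "detailed"; repo: RepoScope[]; rpc: RpcScope[] };

function detailed(parsed: ParsedScope[]): ConsentSummary {
  return {
    mode: "detailed",
    repo: parsed.filter((s): s is RepoScope => s.kind === "repo"),
    rpc: parsed.filter((s): s is RpcScope => s.kind === "rpc"),
  };
}

// Pre-fix behaviour, for contrast: any app.bsky.* scope triggered the blanket
// summary, so a read-only rpc request was presented as full control.
export function legacyConsentSummary(scopes: string[]): ConsentSummary {
  const parsed = scopes.map(parseScope);
  const touchesBsky = parsed.some((s) => isRepoOrRpc(s) && nsidOf(s).startsWith(BSKY_PREFIX));
  if (touchesBsky || parsed.some(isBroad)) return { mode: "blanket", text: BLANKET_TEXT };
  return detailed(parsed);
}

// Fixed behaviour: narrow Bluesky requests always get the per-collection and
// per-method detail; the blanket wording appears only for genuinely broad
// grants; anything else (e.g. non-Bluesky collections) is also itemised.
export function consentSummary(scopes: string[]): ConsentSummary {
  const parsed = scopes.map(parseScope);
  if (hasOnlyBskyAppSpecificPermissions(scopes)) return detailed(parsed);
  if (parsed.some(isBroad)) return { mode: "blanket", text: BLANKET_TEXT };
  return detailed(parsed);
}
```

Feeding the same narrow request (one rpc read plus one single-action repo write) to both functions shows the gap the PR closes: the legacy path returns the blanket sentence, the fixed path returns two short table rows that name exactly the collection, the action and the method being granted. The check to keep in a test matrix is the one the note describes: broad requests (repo:* or transition:generic) must still produce the blanket text, so the fix narrows wording without hiding breadth.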

Takeaway

Honest consent screens are a security feature, not a UX burden. By showing users exactly what they are authorizing rather than a generic summary, this change makes the OAuth flow more trustworthy and helps developers build with confidence that their users understand the permissions they grant.

Draft PR: https://github.com/bluesky-social/atproto/pull/5103
