We're removing the allow access prompt for Forge apps

Hey Developer Community!

For those who don’t know me, I’m Dan, Engineering Manager on the Forge platform :wave:

I wanted to give some very early insight into a recent decision that we made about Forge. TL;DR: We’re removing user consent and individual users will no longer have to allow access to use an app. Instead, we will be relying on administrators to give consent on behalf of the users on their sites. We don’t have a timeline just yet.

Some context on what got us here:

A large reason why we are building Forge is to address security, trust, and compliance requirements in our customer’s journey to the cloud. We decided that Forge apps needed to use a fundamentally different method of authentication and authorization to what existed in Connect at the time. We needed more granular permissions and ultimately we wanted to provide more control to our customers. Forge opted to use OAuth 2.0 to achieve this.

Over the last two years, we’ve seen Forge evolve into a more mature platform. Since Forge has become generally available, we have seen many paid and free apps built on Forge and installed by 1000’s of customers. We also ran our annual Codegeist competition entirely on Forge. We’re at the stage where we are now looking to refine some of our core experiences to address any friction in Forge adoption.

We’ve seen quite a lot of feedback in relation to the “allow access” button shown for Forge apps. Some developers are asking for us to give controls to administrators to turn that off, some want it gone completely. We understand the risk this has for users onboarding to your apps. It’s a point of friction. We’ve experienced this friction internally with our own apps! Ironically, with an app that also helped us make this decision, that’s a story for another day :wink:.

Long story short, we’ve evaluated our requirements for individual user consent in collaboration with Legal, Privacy, PM, and Engineering and have found that it is not a requirement for Forge moving forward. We are now exploring the technical requirements to make this change and hope to share a timeline soon.

46 Likes

Thanks for the heads up Dan. This is a very welcome move, the friction that those prompts bring is a big problem.

4 Likes

@danielwinterw , I noticed in our Dev environment that there was a permission page for our app. Is this an early version of what you are talking about?

Hi, thanks for this! I can see where you guys came from regarding a trust perspective and users maybe not knowing what’s going on when an app does stuff on their behalf and I respect that. I’ve been a developer for long enough and know enough about security to know that prioritizing between security and user experience is always a painful topic :grimacing: So I do not envy you this decision. As a Marketplace Partner developer, I do appreciate it though since it removes friction with users using our apps which will hopefully lead to improved adoption.

Questions regarding this though:
Does this have any implications on user impersonation in Connect on Forge apps and user impersonation in application event handlers or are those unrelated topics?

@tobitheo this will not address user impersonation at this stage :slight_smile:

1 Like

Will there be a heads up when this announcement is done so we can update our docs?

@danielwester, yes. We will share more information on timelines soon

3 Likes

Ironically, with an app that also helped us make this decision, that’s a story for another day :wink:.

I mean, it’s another day… anyone else curious to hear this story?

8 Likes

Can you express a rough timeline in the meantime?

1 Like

@danielwester , one more comment on this:

I noticed when testing an app with a second user I couldn’t allow the permissions.
The following message came up:

Is there a chance to do this anyway in the development stage?

We’re having the same issue as @FranzBinder lately.

Does anyone know a way around this?

CC: @danielwinterw

Hi @FranzBinder I am also struggling with the same issue you have shown above did they mentioned any thing perhaps we could expect when is this gonna be resolved ?