** Branch linked: lp:~leonardr/launchpadlib/trusted-client
--
manage-credentials should not ask for Launchpad password directly
https://bugs.launchpad.net/bugs/387297
You received this bug notification because you are a member of MOTU,
which is subscribed to ubuntu-dev-tools in ubuntu.
--
Yes, the branch has not been reviewed or landed, so the old behavior is
still present.
--
manage-credentials should not ask for Launchpad password directly
https://bugs.launchpad.net/bugs/387297
You received this bug notification because you are a member of MOTU,
which is subscribed to
Is this still an issue for karmic? I used requestsync for the first
time today and it behaved exactly as requested here; it opened a tab in
FF where I needed to allow a certain $consumer access to my launchpad
account.
--
manage-credentials should not ask for Launchpad password directly
OK, I've written a launchpadlib branch that includes two scripts:
1. launchpad-request-token: acquires a request token
2. launchpad-credentials-console: gets the user's password and trades a request
token for an access token
I wrote #1 for my own testing purposes, but it's generally useful and
Hi Leonard,
that's the very same workflow we use for leonov.
The way to go is a bit different, but regarding the implementation inside
LPLIB, this is ok.
I don't see any problems with this approach.
Regards,
\sh
--
manage-credentials should not ask for Launchpad password directly
I talked with Martin and he proposed some changes to the workflow I put
up yesterday.
A. Drop the if you don't trust this client message. It scares people
for no reason, because untrusted clients won't display that message.
B. What if the user doesn't have a Launchpad account? We'll tell them to
Good morning,
I would like to give my input about the problems with the web browser
oriented Sign into Launchpad approach for UI clients.
Actually, I don't think there is a difference between trusting a webbrowser and
an UI client. As for leonov, we don't save any passwords somewhere in the
Good Morning again,
after thinking about this problem, it would be a good idea, to have a
web widget alike. If you think that a webbrowser is the only trusted
client app, you could add a simple non cssed html page fragment with
an LP auth form, which could be included in any UI client code (e.g.
We considered a web widget, but it's not really any better than a custom
client. A random app can show you some HTML that asks for your Launchpad
password, just as a random app can ask for your Launchpad password
directly.
We treat the browser as a trusted client not because it displays HTML,
but
HI,
well, another possibility would be encrypt username+password somehow
with a public launchpad gpg key, which needs to be fetched from a
trusted site, and with the users gpg key which is known to launchpad...
Sounds really strange, but should work...another possibilty would be to
have a
Yeah, there are other ways to do this--Amazon's web services support
something similar to what you propose. The problem is the UI. No end
user is going to go through all that trouble to set something up, and
application developers won't like it either.
--
manage-credentials should not ask for
OK, as a non UI expert here is my proposed design for the console
version of the trusted client. I would like to get Martin and Matthew's
comments on this before I go too far into the implementation.
Usage:
console-client [application name] [hostname] [oauth_token]
[allow_permission, ...]
Stephan, I would also like your opinion on this workflow as a third-
party developer. Would you use (a GUI version) of this client?
--
manage-credentials should not ask for Launchpad password directly
https://bugs.launchpad.net/bugs/387297
You received this bug notification because you are a
Martin, Matthew, I'd like to get your input from a UI perspective on
this bug and associated strategy.
--
manage-credentials should not ask for Launchpad password directly
https://bugs.launchpad.net/bugs/387297
You received this bug notification because you are a member of MOTU,
which is
You're right, this does seem a bit suspicious. From looking at the code,
it appears that this part is optional anyway, so perhaps we can just
take this out and it'll use the web auth that is already in there? I'd
need to test though.
fyi, the code that does the login is approve_application in
I'm not 100% sure by what you mean by use the web auth, but I doubt
that would be any more secure. You'd still have a random program asking
for the user's Launchpad password.
I had a long talk with flacoste and mars about this. Here is the problem
in a nutshell.
1. The OAuth protocol does not
16 matches
Mail list logo
