Anecdotally, you can look at most any Flickr app to see how they handle an auth system that's very similar to OAuth. It does often involve bouncing to the browser, but that's the intended workflow.

On Sun, Jan 4, 2009 at 14:07, Cameron Kaiser <[email protected]> wrote:
>
>> We'll certainly be doing our utmost to incentivize developers to move
>> to OAuth. The next major version of the API will be OAuth-only, for
>> example.
>
> This is where I get antsy, and maybe Chris can point out some ways to deal
> with this, but from my perspective as a desktop client author OAuth is a
> lot of hurt without a lot of benefit to me the developer (other than "it's
> the only way in so love it or lump it"), and I think even the user's benefits
> are nebulous. If you don't trust an application, you shouldn't be running it.
> Isn't that where Trojan horses come in?
>
> But let's say that there is (a) good reason for a desktop application to use
> OAuth as its primary method; now I have a technical question. The way I'm
> reading
>
> http://oauth.net/core/1.0/
>
> is that I go and get a request token (A.2), but I need to redirect a user to
> a service provider's login page (ouch) for her to authorize that token (A.3),
> then provide a callback URL (double ouch) (A.3). At best this is turning my
> application into not only a Twitter client, but also a web server (to accept
> the callback). At worst this isn't possible because the Service provider
> *can't* call me back due to network restrictions on the desktop machine.
> Also, since TTYtter is text based, I *really* don't want to be opening up a
> browser to get logins (or if I do, I want it to be Lynx, and fat chance I
> bet).
>
> Clearly OAuth is the way to go for standalone web sites talking to Twitter,
> but I get nervous about hearing OAuth will be the only method of access while
> trying to work through the issues unique to a desktop client. I would
> appreciate hearing from someone knowledgeable about the best way to overcome
> these issues, or if there is a special way that I missed where an application
> can authenticate itself by just asking the user for their OAuth credentials
> and proxy everything to the service provider, which would also suck, but less,
> from a developer standpoint. (But that would also probably defeat the purpose
> of OAuth.)
>
> --
> ------------------------------------ personal: http://www.cameronkaiser.com/
> --
> Cameron Kaiser * Floodgap Systems * www.floodgap.com * [email protected]
> -- Blanket statements are always wrong.
> ---------------------------------------
>

--
Alex Payne - API Lead, Twitter, Inc.
http://twitter.com/al3x
