> > It's not clear to me how desktop apps will authenticate. _Will each > > author need to maintain a website to perform the authentication? _I > > don't see how it can be done otherwise. > > OAuth was designed with explicit desktop application support in mind. > To see how it works in practice, try using a desktop Flickr Uploader > or iMovie's YouTube integration. > > Normally your app will open a browser window (all modern environments > do this seamlessly) and ask the user to authorize the application. > Once they've done that, they should be told to go back to the > application (close the browser window) and continue the setup process > (usually by just clicking "Continue" or OK so that the desktop app > knows that it's OK to exchange the request token for the access > token).
With all due respect, *not* all modern environments do this seamlessly. How would a script in somebody's cron job do that? Or a text-mode client? They all have to authenticate and they are not in an environment where a browser is easily available, if it is available at all. Even for those apps that do have the ability to open a browser, which I grant will be many and possibly even most, it does present a UX problem with differing interfaces and it may be hard for some apps to *find* the generated credentials to use. Noteworthy things on this topic, from Google of all companies: http://sites.google.com/site/oauthgoog/UXFedLogin/nobrowser "Authorizing rich-client devices without a web browser" http://sites.google.com/site/oauthgoog/UXFedLogin/desktopapps "UX research on desktop apps using federated login and/or OAuth" These are not easy problems to solve, and even Google does not have a seamless solution. -- ------------------------------------ personal: http://www.cameronkaiser.com/ -- Cameron Kaiser * Floodgap Systems * www.floodgap.com * [email protected] -- With a rubber duck, one's never alone. -- Douglas Adams, "HGTTG" -----------
