On Wed, Jun 24, 2009 at 01:11, Support<[email protected]> wrote:
> Having users enter username and password in your application mostly
> defeats the purpose of OAuth. Some say it does not matter since you
> should only install trusted apps on your computer but that is a
> discussion that has been hashed out many times before in other
> threads.
>
> I see your point, of course.  But can't quite believe that you're suggesting
> that I launch a web-browser to perform each authentication.  Is that what
> you're suggesting is the preferred mechanism?
> That seems a tad cumbersome for a single account, but if you're trying to
> set up a few that dance would get old in a hurry -- can't we do better?
>

It can be cumbersome. In most cases the dance only has to be performed
once per account while the application's settings are present. So for a
reinstall of an OS, or if uninstalling the application clears the
preferences, the dance would have to be repeated.

The basic purpose of OAuth is to allow access to Twitter without
having to give out your password. Twitter *cannot* verify this unless
the user authorizes through one of their properties, which currently is
web only.

> there is no point in asking for a username since that should just be
> populated after the OAuth dance is finished.
>
> I think my original intent was that potentially you might already have a
> stored access key for that account locally and you could use that instead of
> going through the dance again.  But I think you're probably right.
>

Most applications I've used display a list of authorized accounts and
you can just choose the one by name. OSes already provide user
accounts to restrict access to applications.

> You might want to look at the new PIN based OAuth flow under desktop
> clients: http://apiwiki.twitter.com/Authentication
>
> I did.  I couldn't envision how this was supposed to work in a real-world
> app.  I've read about it dozens of times.  It seemed to me that it was maybe
> intended for mobile?  Does anyone know of another shipping, real-world
> desktop app that uses this mechanism for user-authentication?
>

Check out Yammer's ( https://www.yammer.com/ ) desktop application.
They use PIN-based OAuth for their own service. I don't know of a
Twitter desktop app that currently uses PIN-based auth, but it is the
same flow.

>
> I'm not developing desktop OSX applications yet but I am all for more
> opensource code.
>
> If the suggested pattern is "open a browser for every login" then my demo
> here is pretty much pointless.  So there's no reason to bother opening my
> code.  I'll just give up, go back to basic mode, praying twitter doesn't
> shut it off.  The "open a browser every time" is not a reasonable
> alternative.  It would give old apps that are grandfathered into basic
> authentication such a significant usability advantage that it would not be
> worth attempting a competitor.
> If an in-app-web-view is viable, then I'll continue down this road and
> release this as open in a week or so.
>

Something to keep in mind is that if Twitter changes their authorize page
it could break apps using an in-app web view until a new version can be
shipped. In theory someone who never reinstalls OSes or applications
could use an application for years while performing the jump-to-browser
dance only once.

> Hope this helps.
>
> Very much.  Thanks,
> Isaiah
>

Hope this is informative. :)
Abraham

-- 
Abraham Williams | Community Evangelist | http://web608.org
Hacker | http://abrah.am | http://twitter.com/abraham
Project | http://fireeagle.labs.poseurtech.com
This email is: [ ] blogable [x] ask first [ ] private.
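The PIN-based (out-of-band) flow Abraham points to, as an added in-process simulation that is not part of the original thread or of Twitter's code: a constructed Provider stands in for the service, the password is only ever entered on the provider's authorize page, and the client stores the access token so the dance runs once per account. Signatures, timestamps and the real endpoint URLs are left out; the user list and token formats are constructed sample data.

```python
import secrets
class Provider:
    """Service side of the out-of-band (PIN) flow: issues request tokens, runs
    the authorize page where the user's password goes, and swaps token+PIN
    for an access token. Constructed stand-in, not Twitter's real endpoints."""
    def __init__(self, users):
        self.users = users              # username -> password (constructed sample data)
        self.request_tokens = {}        # request token -> {"pin": ..., "user": ...}
        self.access_tokens = {}         # access token -> username

    def request_token(self, oauth_callback):
        # "oob" (out-of-band) tells the provider to show a PIN instead of redirecting.
        if oauth_callback != "oob":
            raise ValueError("desktop clients must request the oob callback")
        token = secrets.token_hex(8)
        self.request_tokens[token] = {"pin": None, "user": None}
        return token

    def authorize_page(self, token, username, password):
        # Runs in the user's browser: the desktop app never sees these credentials.
        if token not in self.request_tokens or self.users.get(username) != password:
            raise PermissionError("login failed or unknown request token")
        pin = f"{secrets.randbelow(10**7):07d}"   # 7-digit verifier displayed to the user
        self.request_tokens[token].update(pin=pin, user=username)
        return pin

    def access_token(self, token, oauth_verifier):
        # The PIN proves the user who approved this request token is the one typing it in.
        entry = self.request_tokens.pop(token, None)  # single use, consumed even on failure
        if entry is None or entry["pin"] is None or not secrets.compare_digest(entry["pin"], oauth_verifier):
            raise PermissionError("request token not authorized or verifier mismatch")
        access = secrets.token_hex(16)
        self.access_tokens[access] = entry["user"]
        return access

class DesktopClient:
    """Consumer side: performs the dance once per account and reuses the stored token."""
    def __init__(self, provider, store):
        self.provider = provider
        self.store = store              # username -> access token; a real app persists this

    def sign_in(self, username, browser_login):
        # A stored token skips the browser round-trip entirely (the "once per account" above).
        if username in self.store:
            return self.store[username]
        req = self.provider.request_token("oob")
        pin = browser_login(req)        # user authorizes in the browser and copies the PIN back
        access = self.provider.access_token(req, pin)
        self.store[username] = access
        return access
```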
