On Wed, Aug 21, 2013 at 5:04 PM, Chris Steipp <[email protected]> wrote:

> On Wed, Aug 21, 2013 at 2:05 AM, Nicolas Vervelle <[email protected]> wrote:
>
> > Hi,
> >
> > I'm completely new to OAuth, so bear with me if my questions are basic or I
> > missed a point ;-)
> > It seems interesting, but seems very oriented for web applications, not so
> > much for desktop applications.
>
> This is true, for exactly the reason you were asking about-- the secret key
> needs to be kept private, which is impossible when you distribute the
> application to other users. OAuth 2 has a framework for dealing with this,
> but it makes controlling consumers nearly impossible. So we wanted to start
> with OAuth 1 while everyone gets familiar with the concepts, and we see
> which use cases actually get used. We may extend the framework to allow
> situations like this in the future.
>
> The best workaround now is probably to have each user register their copy
> of your desktop application as its own consumer. It's a little ugly having
> to give your user instructions on cutting and pasting tokens and keys
> around, but it can work (in the early days of Salesforce, several OAuth
> apps were configured this way).

Seems very complex for users, so I won't go that way for WPCleaner.
Is it possible to use only one client, with the secret key included in the
distribution? (A user with enough determination will be able to extract it.)
This would mean that there's not 100% certainty about the client being the
true one. But the attacker would only be able to impersonate the application,
not the user.

> > I'm interested in developing this for WPCleaner [1], which is a desktop
> > application.
> > Is the callback URL required? If so, which one should you use for a
> > desktop application?
>
> For bots too, I'd like to have the extension implement something like
> https://developers.google.com/accounts/images/OauthUX_nocallback.png
> directly in the extension, but that wasn't something we were able to finish
> before this release.

Ok, so unless there's a mechanism to work without callback URL, there's no
way for a desktop application to work. If something like that is implemented,
I will look again at OAuth for WPCleaner.

Nico

_______________________________________________
Wikitech-l mailing list
[email protected]
https://lists.wikimedia.org/mailman/listinfo/wikitech-l
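The two points argued in the thread (what a consumer secret shipped inside a desktop binary does and does not let an attacker do, and how a client with no callback URL is supposed to request temporary credentials) can both be seen by signing OAuth 1.0a requests by hand. The block below is an added example, not WPCleaner's code and not the MediaWiki OAuth extension's code. It implements the HMAC-SHA1 signature of RFC 5849 section 3.4 and the "oob" (out-of-band) value that RFC 5849 section 2.1 defines for `oauth_callback` when the client cannot receive a redirect. The endpoint URLs, access token and token secret are constructed sample values; the consumer key and secret, timestamp and nonce are the values from the RFC 5849 section 1.2 example.

```python
"""OAuth 1.0a HMAC-SHA1 signing and verification (RFC 5849 section 3.4).

Added example for the thread above; not WPCleaner's or the MediaWiki OAuth
extension's code.  URLs and the access token are constructed sample values;
consumer key/secret, timestamp and nonce come from the RFC 5849 s1.2 example.
"""
import base64
import hashlib
import hmac
from urllib.parse import parse_qsl, quote, urlsplit

INITIATE_URL = "https://photos.example.net/initiate"    # temporary-credentials endpoint (RFC sample host)
API_URL = "https://photos.example.net/api?action=edit"  # constructed protected-resource URL

# Consumer credentials.  In a desktop application the secret ships inside the
# binary, which is exactly the problem the thread is about.
CONSUMER_KEY = "dpf43f3p2l4k5l03"
CONSUMER_SECRET = "kd94hf93k423kf44"


def pct(value) -> str:
    """Section 3.6 encoding: only ALPHA / DIGIT / '-' / '.' / '_' / '~' survive."""
    return quote(str(value), safe="-._~")


def base_string_uri(url: str) -> str:
    """Section 3.4.1.2: lowercase scheme and host, drop default port and query."""
    parts = urlsplit(url)
    scheme, host, port = parts.scheme.lower(), parts.hostname.lower(), parts.port
    default = (scheme == "http" and port == 80) or (scheme == "https" and port == 443)
    authority = host if port is None or default else f"{host}:{port}"
    return f"{scheme}://{authority}{parts.path or '/'}"


def signature_base_string(method: str, url: str, params: dict) -> str:
    """Section 3.4.1: METHOD & enc(base URI) & enc(normalized parameters).
    Query and oauth_* parameters (minus oauth_signature) are encoded, sorted by
    name then value, joined, and the whole string is encoded once more."""
    pairs = [(pct(k), pct(v)) for k, v in params.items() if k != "oauth_signature"]
    pairs += [(pct(k), pct(v)) for k, v in parse_qsl(urlsplit(url).query, keep_blank_values=True)]
    normalized = "&".join(f"{k}={v}" for k, v in sorted(pairs))
    return "&".join([method.upper(), pct(base_string_uri(url)), pct(normalized)])


def hmac_sha1_signature(method, url, params, consumer_secret, token_secret=""):
    """Section 3.4.2: key = enc(consumer secret) & enc(token secret).  The
    consumer secret alone signs the temporary-credentials request; a request
    on a user's behalf also needs that user's token secret."""
    key = f"{pct(consumer_secret)}&{pct(token_secret)}".encode()
    text = signature_base_string(method, url, params).encode()
    return base64.b64encode(hmac.new(key, text, hashlib.sha1).digest()).decode()


def verify(method, url, params, consumer_secret, token_secret=""):
    """Server side: recompute the signature and compare in constant time."""
    expected = hmac_sha1_signature(method, url, params, consumer_secret, token_secret)
    return hmac.compare_digest(expected, params.get("oauth_signature", ""))


def request_token_params(callback="oob"):
    """Temporary-credentials request (section 2.1).  A client that cannot be
    redirected to sends oauth_callback="oob"; the server then shows the
    verifier on screen for the user to paste into the application."""
    params = {
        "oauth_consumer_key": CONSUMER_KEY,
        "oauth_signature_method": "HMAC-SHA1",
        "oauth_timestamp": "137131200",  # fixed RFC sample; real clients use the current time
        "oauth_nonce": "wIjqoS",         # fixed RFC sample; real clients use a fresh random nonce
        "oauth_callback": callback,
    }
    params["oauth_signature"] = hmac_sha1_signature("POST", INITIATE_URL, params, CONSUMER_SECRET)
    return params


def impersonation_demo():
    """What a leaked consumer secret allows.  Returns (genuine_ok, forged_ok,
    app_ok): the user's own request verifies; an attacker holding only the
    consumer secret cannot sign as that user; the attacker can still act as
    the application and obtain temporary credentials in its name."""
    token, token_secret = "a1b2c3d4token", "t0kens3cret"  # constructed sample access token
    user_params = {
        "oauth_consumer_key": CONSUMER_KEY,
        "oauth_token": token,
        "oauth_signature_method": "HMAC-SHA1",
        "oauth_timestamp": "137131201",
        "oauth_nonce": "chapoH",
    }
    user_params["oauth_signature"] = hmac_sha1_signature(
        "GET", API_URL, user_params, CONSUMER_SECRET, token_secret)
    genuine_ok = verify("GET", API_URL, user_params, CONSUMER_SECRET, token_secret)

    forged = dict(user_params)  # attacker knows everything but the token secret
    forged["oauth_signature"] = hmac_sha1_signature("GET", API_URL, forged, CONSUMER_SECRET, "")
    forged_ok = verify("GET", API_URL, forged, CONSUMER_SECRET, token_secret)

    app_ok = verify("POST", INITIATE_URL, request_token_params(), CONSUMER_SECRET)
    return genuine_ok, forged_ok, app_ok


if __name__ == "__main__":
    print(signature_base_string("POST", INITIATE_URL, request_token_params()))
    print(impersonation_demo())
```

`impersonation_demo()` returns `(True, False, True)`: the token secret never leaves the user's machine, so a leaked consumer secret does not let anyone sign requests as an existing user, but it does let anyone obtain temporary credentials under the application's name. That second result is the practical cost of shipping one secret to everybody: the server can no longer tell the genuine client from a copy, which is what Chris means above by no longer being able to control consumers. The "oob" callback only works if the server side displays the verifier for the user to copy; the thread says that no-callback flow was not in the MediaWiki extension at the time.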
