Work flow for authentication and API use with Twitter on OAuth - twitter

I'm a bit confused about all this OAuth brouhaha in the sense that all the examples I can find are for web applications and none of them for desktop applications.
I understand the Web application work flow, but that includes some redirections between the web app and twitter.
How does one do this in a desktop application?
How do the redirects work?
Should I have to include a Web Browser object?
Is there a way to go around this?
Could anyone point me to resources instead of a full blown solution please?
Thanks

Not sure which language you're using, but the .NET library for Twitter called Tweetsharp has a post on using Tweetsharp from a desktop app and authenticating via OAuth. See http://tweetsharp.com/?p=68. If you're not using .NET then perhaps it will inspire something you can do?
Basically, what tweetsharp does is launch the browser to the authentication URL and then waits for the user to return. I don't know of any way to do this other than something like that (Or include a WebBrowser control of some kind to launch the authentication URL in your own window).

Here's a straightforward solution, implemented as a set of PHP scripts for running from the command line. Well documented and explained, with a helpful 'verbose' option for debugging.
http://nullinfo.wordpress.com/oauth-twitter/

After some poking around and asking some questions about this subject to some other programmers, it looks like it's still an ongoing discussion, with no visible light at the end of the tunnel.
But for people interested in the ongoing discussion, here's the best link to have:
OAuth Desktop Discussion

I've seen a few desktop apps get around this by effectively embedding a browser into their program, so they can just open the in-app browser window to let you do the login and authorisation. This strikes me as a bit of a cheat or defeat of purpose because you still end up typing your ID and password inside the application anyway.
One possibility I was thinking of was, your desktop application could embed a mini HTTP server inside it. So then it launches the default browser to perform the authorisation, with a callback URL something like http://127.0.0.1:8765/oauthorized and then just listen for it.
Would that work?
Not sure what you would do for console applications... spawn a copy of lynx?
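
The loopback-callback idea from the post above, as an added example (not code from any poster or library on this page): a one-shot listener bound to 127.0.0.1 that accepts the callback only if it carries the request token the app obtained. It assumes the OAuth 1.0a callback parameters `oauth_token` and `oauth_verifier`; `make_listener`, `simulate` and the token values are hypothetical.

```python
import hmac
import http.client
import threading
from http.server import BaseHTTPRequestHandler, HTTPServer
from urllib.parse import urlparse, parse_qs

CALLBACK_PATH = "/oauthorized"  # path from the post; any fixed path works

def make_listener(expected_request_token):
    """Return (server, result); result["verifier"] is set on a valid callback."""
    result = {"verifier": None}

    class Handler(BaseHTTPRequestHandler):
        def do_GET(self):
            url = urlparse(self.path)
            qs = parse_qs(url.query)
            token = qs.get("oauth_token", [""])[0]
            verifier = qs.get("oauth_verifier", [""])[0]
            # Accept only the expected path and the request token this app
            # obtained; a callback for any other token is rejected.
            ok = bool(url.path == CALLBACK_PATH and verifier and hmac.compare_digest(
                token.encode(), expected_request_token.encode()))
            if ok:
                result["verifier"] = verifier
            self.send_response(200 if ok else 400)
            self.send_header("Content-Type", "text/plain")
            self.end_headers()
            self.wfile.write(b"You can close this window." if ok else b"Invalid callback.")

        def log_message(self, *args):  # keep tokens out of stderr logs
            pass

    # Bind to loopback only, on an ephemeral port (port 0), never 0.0.0.0.
    server = HTTPServer(("127.0.0.1", 0), Handler)
    return server, result

def simulate(request_token, request_target):
    """Constructed round trip standing in for the browser redirect."""
    server, result = make_listener(request_token)
    t = threading.Thread(target=server.handle_request)  # serve exactly one request
    t.start()
    conn = http.client.HTTPConnection("127.0.0.1", server.server_address[1], timeout=5)
    conn.request("GET", request_target)
    status = conn.getresponse().status
    conn.close()
    t.join()
    server.server_close()
    return status, result["verifier"]
```

In a real app the callback URL registered with the provider would be built from `server.server_address` before the system browser is launched, and `server.handle_request()` would block until the redirect arrives.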

Include a WebBrowser control in your app. Put it in a panel or a separate form that you'll Form.ShowDialog().
Create a callback for the browser's successful posting of OAuth and one for a rejection. Don't forget to check for a FailWhale.
In the callback, you close the panel or form and store the token.
Here's a nice overview with sample code and everything: http://tweetsharp.com/2009/04/how-to-authenticate-a-desktop-application-with-oauth/

Related

Xojo HTMLviewer showing blank page for OAuth2.0 login

I'm trying to set up an OAuth2.0 flow for ORCID with Xojo. I found a sample project on github for Facebook and modified the code for the URL and ClientKey I set up with ORCID. When I use the same URL in Firefox it works perfectly, however when I try to load the page in the HTMLviewer it just shows a blank page. Has anyone encountered something similar?
It is important to remember that HTMLViewer in Xojo is not the same as a full web browser. Some OAuth flows are requiring higher security standards than Xojo can provide.
Google is even going so far as to prevent low-security embedded browsers from performing the OAuth flow. They now recommend you make the request with the user's default system browser.
It seems like you will need to change your design to use the system browser instead of the embedded one.

Using custom URI schema with OAuth 2.0

My company is wanting to implement OpenID Connect via OAuth 2.0 across our client software, which comes in Windows, HTML5, Android, iOS, etc. Toward that end, we are trying to find a way of getting the login info back that will work across these platforms.
Our understanding was that a custom uri scheme (i.e., companyname://) was the recommended way of going forward, and we have verified on our end that that would work. However, we have yet to be able to find a provider that would support that configuration. So far OneLogin & Google are both locked to https:// (or http:// for dev), which leaves us something of a conundrum.
So essentially, my question is, were we misled about the custom uri scheme? If so, is there another method we can use that will allow our web & standalone apps to pick up the return info from whichever OpenID providers we go with? We want to keep it open as possible, so we're trying to avoid lock-in APIs and suchlike. Any advice would be appreciated. Thanks.
We do support the custom URI redirect. You'll need to select the right type of client when creating a client ID on the Google developer console.
See the details here.
https://developers.google.com/identity/protocols/OAuth2InstalledApp
One way to support any provider is that you use a Web flow to redirect to a page on your site and then your website does a redirect to a custom scheme.

OAuth within non browser application?

I know how OAuth works in web applications that run in a browser, but I'm not sure how OAuth can be implemented in an application that does not run in a browser.
It's easy to display the URL using some kind of a WebView, but how do I get back the information it sends back? My research doesn't reveal a straightforward way to do this.
There are a few Java libraries out there that can do this. (Are you looking for a particular language?)
Scribe is probably the most mature Java library:
https://github.com/fernandezpablo85/scribe-java
There are more libraries for pretty much every language here:
http://oauth.net/code/

Twitter OAUTH and a Win32 EXE Desktop Application

I have been coding against a Delphi EXE (win32 desktop app) to access twitter and do certain functions. It used to use Basic authentication with the api limitation. I know I have to convert this to OAuth. I have been reading over the documentation trying to determine the best approach. I understand the best method is the Web browser with a call back url. I also know that Twitter includes a Pin Based (oob) authentication method. I figured this was the route to go with this application, but I want to make sure since that is not seamless. It requires the user to go external to the application and get a pin number. It also is not as secure since the access token returned never expires.
I am using Indy v10 components to do the GET/POST operations, so I am wondering if there is a way to do this using them and being able to do a callback and not use the Pin authentication method.
Can anyone help me?
Also I've been trying to get Chuck Beasley's Twitter Class working in Delphi 7 with Indy v10 and I've been having trouble. IdObjs and Idsys don't exist anymore. Has anyone got this class to work with my scenario?
Thanks,
David
OAuth is a standard used for Web applications, its text is liberally littered with the word 'agent', meaning a browser. The best solution IMHO is, if possible, to actually have a callback URL, meaning you have your own site which provides the service to back your application functionality. There are services that make this possible for third parties already, like JanRain. If these options are not feasible (meaning you cannot provide a true WWW site for the callback URL), then your only option is indeed the out-of-band authentication, oob. Don't even think about having the OAuth authentication call back the app listening on some port, that is completely unreliable for 1) the vast majority of apps will sit behind some sort of NAT device (router, outbound proxy) which makes them unreachable from the OAuth provider and 2) the OS firewall will block your incoming calls.
In the meantime, Beasley's Twitter class has been expanded/updated; see the latest incarnation
I've started a library that uses Synapse to access twitter. It can use OOB/PIN authentication and predefined oauth token/secret. It can be extended to use browser based auth. Currently written using FPC but should be adaptable to Delphi quite easily. FPCTwit code
You may wanna try my take on twitter, supports unicode as well unlike the other delphi implementations:
http://eden.fm/2011/02/27/twitter-library-for-delphi/
I don't use Indy though, but ICS

Erlang Facebook Example

Does anyone know of an example facebook app (or facebook connect app) done in Erlang? I'm looking for something that includes the whole process. Specifically I don't seem to find anything on user authentication.
I've checked out erlang_facebook, erlang2facebook and erlyface but none of them seem to offer a simple and comprehensive example accessible to me as a beginner.
I'd be happy for just a bit of code to plough through though, preferably using mochiweb as backend.
I've played around writing a FB app in Erlang and looked at the projects you mentioned as well. I found it easier to just use FB's graph API directly for authentication, etc. I used Nitrogen/Mochiweb for the web server and made graph requests with httpc:request.
Zotonic (Erlang CMS/Framework) provides Facebook integration, including authentication.
http://zotonic.com/mod-facebook
A few years on and I still find Jeremy Raymond's method satisfying. In particular, wrapping their ever-changing url-as-an-API scheme inside your own API seems to be the most painless. httpc is useful, and so is cowboy if you are familiar with that.
Whatever you choose, you should absolutely not be designing your ideas around their API. Convert their ideas into your project's semantics by wrapping their API. After all, the web isn't the whole internet and you never know when FB might stop being the cool place to waste your life. There is no telling if your application/library/codebase-you-use-on-something-else will outlive theirs.
