On Wed, Aug 21, 2013 at 5:04 PM, Chris Steipp csteipp@wikimedia.org wrote:
On Wed, Aug 21, 2013 at 2:05 AM, Nicolas Vervelle <nvervelle@gmail.com> wrote:
Hi,
I'm completely new to OAuth, so bear with me if my questions are basic or I missed a point ;-) It seems interesting, but seems very oriented for web applications, not so much for desktop applications.
This is true, for exactly the reason you were asking about-- the secret key needs to be kept private, which is impossible when you distribute the application to other users. OAuth 2 has a framework for dealing with this, but it makes controlling consumers nearly impossible. So we wanted to start with OAuth 1 while everyone gets familiar with the concepts, and we see which use cases actually get used. We may extend the framework to allow situations like this in the future.
The best workaround now is probably to have each user register their copy of your desktop application as its own consumer. It's a little ugly having to give your user instructions on cutting and pasting tokens and keys around, but it can work (in the early days of Salesforce, several OAuth apps were configured this way).
Seems very complex for users, so I won't go that way for WPCleaner. Is it possible to use only one client, with the secret key included in the distribution? (A user with enough determination will be able to extract it.) This would mean that there's not 100% certainty about the client being the true one. But the attacker would only be able to impersonate the application, not the user.
I'm interested in developing this for WPCleaner [1], which is a desktop application. Is the callback URL required? If so, which one should you use for a desktop application?
For bots too, I'd like to have the extension implement something like https://developers.google.com/accounts/images/OauthUX_nocallback.png directly in the extension, but that wasn't something we were able to finish before this release.
Ok, so unless there's a mechanism to work without a callback URL, there's no way for a desktop application to work. If something like that is implemented, I will look again at OAuth for WPCleaner.
Nico
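The point made above about the consumer secret, as an added example (not code from this thread or from the MediaWiki OAuth extension): in OAuth 1.0a HMAC-SHA1 signing the key is the consumer secret joined with the token secret, so a consumer secret shipped inside a desktop application lets its holder sign as the application, but not as a user whose token secret it does not have. The request is the RFC 5849 worked example; the secrets are constructed placeholders.

```python
import base64
import hashlib
import hmac
from urllib.parse import parse_qsl, quote, urlsplit

# OAuth 1.0a HMAC-SHA1 (RFC 5849) written out to show where the consumer secret
# enters the computation. Added example, not code from the thread or the extension.

def pct(s):
    # RFC 5849 section 3.6: only unreserved characters stay unencoded.
    return quote(s, safe="-._~")

def base_string_uri(url):
    # Section 3.4.1.2: lowercase scheme/host, drop default port and query string.
    p = urlsplit(url)
    host = p.hostname or ""
    default_port = {"http": 80, "https": 443}.get(p.scheme)
    if p.port and p.port != default_port:
        host = f"{host}:{p.port}"
    return f"{p.scheme}://{host}{p.path}"

def signature_base_string(method, url, body, oauth_params):
    # Section 3.4.1: gather query, form-body and oauth_* parameters (decoded),
    # re-encode each, sort by name then value, join, then encode the whole set.
    pairs = parse_qsl(urlsplit(url).query, keep_blank_values=True)
    pairs += parse_qsl(body, keep_blank_values=True)
    pairs += list(oauth_params.items())
    encoded = sorted((pct(k), pct(v)) for k, v in pairs)
    normalized = "&".join(f"{k}={v}" for k, v in encoded)
    return "&".join([method.upper(), pct(base_string_uri(url)), pct(normalized)])

def hmac_sha1_signature(base, consumer_secret, token_secret=""):
    # Section 3.4.2: the HMAC key is consumer_secret "&" token_secret.
    key = f"{pct(consumer_secret)}&{pct(token_secret)}".encode()
    return base64.b64encode(hmac.new(key, base.encode(), hashlib.sha1).digest()).decode()

def verify(method, url, body, oauth_params, signature, consumer_secret, token_secret=""):
    # Server side: recompute and compare in constant time.
    base = signature_base_string(method, url, body, oauth_params)
    return hmac.compare_digest(hmac_sha1_signature(base, consumer_secret, token_secret), signature)

# Request from RFC 5849 section 3.4.1.1; constructed sample input.
RFC_METHOD = "POST"
RFC_URL = "http://example.com/request?b5=%3D%253D&a3=a&c%40=&a2=r%20b"
RFC_BODY = "c2&a3=2+q"
RFC_OAUTH = {"oauth_consumer_key": "9djdj82h48djs9d2", "oauth_token": "kkk9d7dh3k39sjv7",
             "oauth_signature_method": "HMAC-SHA1", "oauth_timestamp": "137131201",
             "oauth_nonce": "7d8f3e4a", "oauth_version": "1.0"}

if __name__ == "__main__":
    base = signature_base_string(RFC_METHOD, RFC_URL, RFC_BODY, RFC_OAUTH)
    print(base)
    print(hmac_sha1_signature(base, "consumer-secret-placeholder", "token-secret-placeholder"))
```

Verification with the consumer secret but the wrong (or no) token secret fails, which is the boundary the thread describes: a leaked consumer secret impersonates the application, not an authorized user.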