On Thu, Sep 12, 2013 at 2:57 AM, Petr Bena <benapetr@gmail.com> wrote:
> I am trying to implement OAuth login in the latest Huggle, however I am confused about several things:
>
> - How do I obtain the data which are normally provided in a callback URL?

If your app doesn't have a sensible callback URL, you can use the URL of Special:MWOAuth/verified. This page will display the verification code to the user with instructions to copy it into your application.

> - What is the consumer key and secret? Can these values be shown to end-users? Do these values need to be known by the application itself? If the consumer secret is supposed to be known by the application but not the user, how am I going to achieve that, given that the user would have access to binary files which would contain it?

As already noted, the secret is supposed to be known by the application but not the end user, which is a problem for desktop apps.
I'm personally still not clear on how OAuth 2 solves this problem, unless it's just by saying "you must use HTTPS, and don't assume that the consumer secret is really secret". Which we could well enough do with our OAuth 1.0a implementation, couldn't we?
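
An added illustration, not part of the original thread and not Huggle's or MediaWiki's code: the OAuth 1.0a HMAC-SHA1 signature as defined in RFC 5849, showing that the server can only check that the signer holds the consumer secret, while the per-user token secret is the part of the key that is unique to one authorization. The host, the endpoint path and all key, secret, nonce and timestamp values are constructed placeholders.

```python
import base64, hashlib, hmac
from urllib.parse import quote

def pct(value):
    # RFC 5849 section 3.6: percent-encode everything except unreserved characters.
    return quote(str(value), safe="-._~")

def base_string(method, url, params):
    # Signature base string: METHOD & encoded URL & encoded, sorted parameters.
    pairs = sorted((pct(k), pct(v)) for k, v in params.items())
    normalized = "&".join(f"{k}={v}" for k, v in pairs)
    return "&".join([method.upper(), pct(url), pct(normalized)])

def sign(method, url, params, consumer_secret, token_secret=""):
    # The HMAC-SHA1 key is "consumer_secret&token_secret"; token_secret is empty
    # until the server has issued a token for this user.
    key = f"{pct(consumer_secret)}&{pct(token_secret)}".encode()
    text = base_string(method, url, params).encode()
    return base64.b64encode(hmac.new(key, text, hashlib.sha1).digest()).decode()

def server_verifies(method, url, params, signature, stored_secret, token_secret=""):
    # The server recomputes the signature from its own copy of the secrets.
    expected = sign(method, url, params, stored_secret, token_secret)
    return hmac.compare_digest(expected, signature)

# Constructed sample values (placeholders, not real credentials or endpoints).
URL = "https://wiki.example/oauth/initiate"
CONSUMER_SECRET = "constructed-consumer-secret"
PARAMS = {
    "oauth_consumer_key": "constructed-consumer-key",
    "oauth_callback": "https://wiki.example/wiki/Special:MWOAuth/verified",
    "oauth_signature_method": "HMAC-SHA1",
    "oauth_timestamp": "1378954620",
    "oauth_nonce": "constructed-nonce-1",
    "oauth_version": "1.0",
}

if __name__ == "__main__":
    sig = sign("POST", URL, PARAMS, CONSUMER_SECRET)
    # Accepted: the signer holds the consumer secret, wherever it got it from.
    print(server_verifies("POST", URL, PARAMS, sig, CONSUMER_SECRET))
    # Rejected when a per-user token secret is part of the key and the signer lacks it.
    print(server_verifies("POST", URL, PARAMS, sig, CONSUMER_SECRET, "per-user-token-secret"))
```

Because every installed copy of a desktop application carries the same consumer secret, the first check identifies the application at best; what protects an individual account is the token secret issued after the user approves the request.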