Is there a way to send the user to a link for an access token with requested permissions and then redirect them back to an app on completion? I’d love for my users to be able to log in via the app and not have to create and enter an access token on their own.
It’s possible sure, but strikes me as a security issue. Half the point of an access token is to give the user control. You’re getting access to my data without my knowledge of what exactly you’re doing, or my consent to that access.
If done properly it doesn’t have to be a security issue. If we follow the OAuth flow it could allow apps to do these sorts of things.
Every site that I’ve seen link with WK does so by having the user manually copy in their API key. Some will link to the profile page to get it, but none pull it directly to my knowledge. That is what everyone using other sites is used to and that’s what I would recommend following.
Yeah, I know all about OAuth. I’ve implemented it a few times in the past. My concern is you going to the generate token page, and picking what access to grant your app, without my interaction. You could request all the access they offer, and I’d be none the wiser. You’re basically taking control away from me on what I agree to grant you. Even if you tell me ‘I’m only going to take these’, how do I know you’re telling the truth?
Or, am I thinking too advanced? Are you sending the user to the page, and waiting for them to create the token? Or are you talking about automating the entire process?
I’m saying send them to the page with the options that you want to access selected and wait for them to create the token, not automating the entire process.
Ok, so that’s not as bad. If you still required them to copy/paste the code, that’s not terrible. I’d still be a bit nervous you were actually grabbing a more powerful token from the page, not the one I enter, but that’s probably just me being wary of what someone could do.
What are we talking about app-wise? Web-based, Android/iOS? Desktop?
Getting around CORS would be the biggest headache, and potentially a show stopper. Reading data from an iframe is no problem, generally. Interacting with the iframe, a whole separate nightmare.
At this time there isn’t any OAuth system set up. I remember hearing that they had something like that on their to-do list, but I haven’t heard anything for well over a year.
Original post about that here:
We looked at it, but it keeps getting pre-empted by other, higher priority projects. Looking in the near term, that’s likely going to continue.
Thanks for the updates and input, everyone. I’m glad to see that it’s on the board and I look forward to future revisions of the API.