The company gets what the company wants



  • Boss A: "You wrote your next project will be a 'Desktop RIAA with Silverlight' - what's that?"

    Me: "A Twitter client"

    Boss A: "Does Microsoft have stocks with Twitter?"

    Boss B: "No, they don't. They have some with Facebook, though."

    Boss A: "Could you make it a Facebook client?"

    Me: Ô___ô



    Yeah. Like those two are the same thing... Oh, the humanity!

    [edit] Ah, there we go. First WTF right on:
    The basic authentication process for desktop application is:
    1. Embed a Web browser in your application displaying the standard Facebook OAuth authorization screen. Instead of specifying a standard redirect_uri, redirect the user to http://www.facebook.com/connect/login_success.html, a dummy page hosted by Facebook.
    2. When the user successfully authorizes your application, Facebook will redirect the user to the URL above.
    3. Intercept the event in your client application, and pull the OAuth access token out of the URL.
    Source

    Dev: "Oh hai facebook, I want to auth my us0rz!"
    FB: "Np, dev. Just steal their GET and you'll be fine!"
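
The "intercept the event and pull the token out of the URL" step of the quoted Facebook instructions, written out as an added example (not Facebook's code and not the commenter's). It assumes the OAuth 2.0 implicit-grant convention that the token arrives in the URL fragment as `access_token` and `expires_in`, and that a refusal arrives as `error` and `error_description` in the query string; those field names are assumptions, not something the quoted text states. The sample navigation sequence is constructed. The host-and-path check is the practitioner's caveat: only read a token off the exact dummy page, never off any URL that happens to carry an `access_token` fragment.

```python
"""Simulated embedded-browser navigation handler for the Facebook desktop
flow quoted above: watch each URL the browser control reports, and when it
lands on the dummy login_success.html page, parse the token out of it.

Added example, not Facebook's or the original poster's code. ASSUMPTIONS:
the implicit-grant fragment format (access_token, expires_in) and the
query-string error format (error, error_description) are assumed here.
"""
from urllib.parse import urlsplit, parse_qs

# The dummy landing page named in the quoted instructions.
LOGIN_SUCCESS = "http://www.facebook.com/connect/login_success.html"
_LS = urlsplit(LOGIN_SUCCESS)


def is_login_success(url: str) -> bool:
    """True only for the exact dummy page (host and path); scheme is ignored
    so an https redirect to the same page is also accepted."""
    parts = urlsplit(url)
    return parts.netloc.lower() == _LS.netloc and parts.path == _LS.path


def extract_token(url: str):
    """Return {'access_token', 'expires_in'} on a successful redirect,
    {'error', 'error_description'} if the user declined, or None for any
    other navigation the embedded browser reports (including a URL on some
    other host that merely contains an access_token fragment)."""
    if not is_login_success(url):
        return None
    parts = urlsplit(url)
    frag = parse_qs(parts.fragment)          # token lives in the fragment
    if "access_token" in frag:
        return {
            "access_token": frag["access_token"][0],
            "expires_in": int(frag.get("expires_in", ["0"])[0]),
        }
    query = parse_qs(parts.query)            # denial lives in the query string
    if "error" in query:
        return {
            "error": query["error"][0],
            "error_description": query.get("error_description", [""])[0],
        }
    return None


def handle_navigations(urls):
    """Feed the sequence of navigation events the browser control would fire;
    stop at the first decisive one (token or error)."""
    for u in urls:
        result = extract_token(u)
        if result is not None:
            return result
    return None


# Constructed sample navigation sequence (not real traffic, not a real token).
SAMPLE_NAVIGATION = [
    "https://www.facebook.com/dialog/oauth?client_id=123&response_type=token"
    "&redirect_uri=http://www.facebook.com/connect/login_success.html",
    "https://www.facebook.com/login.php?next=dialog",
    "http://www.facebook.com/connect/login_success.html"
    "#access_token=EXAMPLE_TOKEN_abc123&expires_in=5183",
]

if __name__ == "__main__":
    print(handle_navigations(SAMPLE_NAVIGATION))
```

Note that the first sample URL carries the dummy page inside its `redirect_uri` query parameter; `urlsplit` looks at the host and path of the URL itself, so that navigation is correctly ignored and only the final landing on `login_success.html` yields the token.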



  • OAuth is the real WTF. I agree entirely. (BTW, Twitter uses it also.)

    Designed by people who apparently never heard of the concept of a computing device without a web browser. (No-- Internet connection isn't good enough; needs to have a full-fledged browser.)

    But, hey, look at the good side: OAuth is so retarded it makes OpenID look less retarded!

    Oh, the new Live Messenger 2011 uses OAuth, too. They're going to shut off the non-OAuth version of the protocol before too long. OAuth is like a cancer spreading all over the IT world.



  • I blame everything WRT OAuth on Twitter. They were so focused on allowing "cool web mashups" (not a quote, I'm just using the term ironically) that they forgot that there's (le gasp) other things you can do with their API.

    The most ridiculous part is that Twitter's Android client (and presumably their iOS one as well) uses some proprietary non-OAuth protocol to authenticate!

    Finally, I might be wrong about this, but it seems that OAuth actually requires more session authentication hoopla than the HTML-based service it syndicates. I've just been so tempted to make a Twitter library that screen-scrapes the login page and then uses the web interface's API just to get our old authentication back, with a plain old cookie for authentication. Hell, if Twitter's so adamant about securing their API even if it means breaking the old way, why don't they just force it to be 100% HTTPS?

    Anyways, /rant and all that.

