Oauth is awful-- illustrated!



  • One of the reasons I've always criticized Oauth is that it using it requires an embedded browser. Most people are like, "well what kind of app would want to use Oauth and not have a embedded browser available?" and until this moment I've never been able to give a good non-hypothetical answer.

    Today I can.

    This is the Twitter app on the Playstation Vita giving you instructions on how to sign on. The Vita is a 100% perfect example of a powerful, graphical, device that users will want to run Oauth-consuming services on, but which does not have an embed-able browser.

    Suck it.



  • What kind of application is that? Native? Pssh.

    Web apps are the way of the future. That's why Twitter the people who made oAuth designed it only for web applications.

    That way it's simple to follow somebody you could care less about on Twitter, but not to add Twitter functionality to a device that doesn't have a web browser. (For which you must use Twitter's official apps, which don't even use OAuth.)

    Progress!



  • @MiffTheFox said:

    That's why Twitter the people who made oAuth designed it only for web applications.

    Which is why OAuth is stupid. SSH authentication is better way.



  • @zzo38 said:

    @MiffTheFox said:
    That's why Twitter the people who made oAuth designed it only for web applications.

    Which is why OAuth is stupid. SSH authentication is better way.

    Pshaw. That's for suckers. If you want real security, you'll go with secret handshakes.



  • @zzo38 said:

    @MiffTheFox said:

    That's why Twitter the people who made oAuth designed it only for web applications.

    Which is why OAuth is stupid. SSH authentication is better way.

    @Joe Average User said:
    Hey, I'm going to get this cool new app that lets me use Twitter. It says I need to authenticate... Oh, that's the twitter website. Okay, click accept. Done!

    @Joe Average User said:
    Hey, I'm going to get this cool new app that lets me use Twitter. It says I need to use SSH... What the fuck is SSH?

    10 hours later

    I need to install LINUX? Isn't that a virus?



  • @Ben L. said:

    @Joe Average User said:
    Hey, I'm going to get this cool new app that lets me use Twitter. It says I need to use SSH... What the fuck is SSH?
     

    Yeah, that's because embebbing SSH into your application is impossible, I tell you. Cannot. Be. Done.

     



  • @Mcoder said:

    @Ben L. said:

    @Joe Average User said:
    Hey, I'm going to get this cool new app that lets me use Twitter. It says I need to use SSH... What the fuck is SSH?
     

    Yeah, that's because embebbing SSH into your application is impossible, I tell you. Cannot. Be. Done.

     

    Good luck including SSH into a webapp without sending passwords to the server -- which is what OAuth is preventing in the first place.



  • @Ben L. said:

    Good luck including SSH into a webapp without sending passwords to the server
     

    Isn't that what keys are for?

     



  • @Cassidy said:

    @Ben L. said:

    Good luck including SSH into a webapp without sending passwords to the server
     

    Isn't that what keys are for?

     

    And now we're back to the end user having no fucking clue what's going on.

    Jolly good show.



  • @Ben L. said:

    And now we're back to the end user having no fucking clue what's going on.
     

    Are we? I was answering your question about using SSH without passwords.

    Unless you mean you're the end user without a clue what's going on, but this stuff should be invisible to end-users.

    (thinking about SSL certificates and the like)



  • @Ben L. said:

    @Mcoder said:

    @Ben L. said:

    @Joe Average User said:
    Hey, I'm going to get this cool new app that lets me use Twitter. It says I need to use SSH... What the fuck is SSH?
     

    Yeah, that's because embebbing SSH into your application is impossible, I tell you. Cannot. Be. Done.

     

    Good luck including SSH into a webapp without sending passwords to the server -- which is what OAuth is preventing in the first place.
    That is why to make it not a webapp. SSH is also used to send commands too, not only authentication.



  • @Ben L. said:

    Good luck including SSH into a webapp without sending passwords to the server -- which is what OAuth is preventing in the first place.

    You just underestimated the internets



  • @dtech said:

    @Ben L. said:
    Good luck including SSH into a webapp without sending passwords to the server -- which is what OAuth is preventing in the first place.

    You just underestimated the internets

    From readme.md

    ## Note!
    
    Before you ask, **no** this doesn't work on regular web pages.


  • @zzo38 said:

    That is why to make it not a webapp. SSH is also used to send commands too, not only authentication.

    I get it! Let's change all the websites in existence into statically linked executables! I can't see where this could possibly go wrong.



  • @Ben L. said:

    Let's change all the websites in existence into statically linked executables!

    This is already in progress. They call those "iPhone apps".



  • Wow, I didn't know there is actually an application that uses that ridiculous PIN authentication flow...



    There is one thing I don't get here. (Ignoring for a moment the fact that OAuth is just wrong on more levels than one can count)

    So this is the official Twitter app? Last time I checked, Twitter was a cloud service. They have servers. That can serve web pages. Why can't they just use the normal flow, redirect you to some landing page on their site when you're done and notify the app via server push?

    I could kind of understand a crazy setup like this when you have a pure client app with no server-side infrastructure at all. But for Twitter of all things?



  • @PSWorx said:

    So this is the official Twitter app?

    I don't know if Twitter built it, if Sony built it, or if Sony hired some third-party to build it (most likely).

    @PSWorx said:

    redirect you to some landing page on their site when you're done and notify the app via server push?

    How would they know who to push it to?



  • @blakeyrat said:

    How would they know who to push it to?

    You could have your app register the upcoming authentication with your own server before you start. e.g. like this:


    • User clicks on "Connect with Twitter" button in awesomesoft app.
    • App connects to twitter, gets request token X.
    • App connects to awesomesoft.com, announces that it's about to do an OAuth authentication, sends the request token and keeps the connection open.
    • Awesomesoft.com associates the request token with the connection it just got sent through.
    • App asks user to somehow open the Twitter authorisation page. User opens the page on his smartphone, clicks "Yes".
    • User gets redirected to awesomesoft.com/landing?oauth_token=X.
    • The landing script retrieves the open connection associated with X and sends a push notification.
    • The app plays a cheerful jingle to indicate the setup is complete. User is completely baffled because he has just remote-controlled his playstation from his smartphone.


    Disclaimer: I know this setup is something between needlessly complicated and completely insane. But, well, it's OAuth, what do you expect?


  • Umm... the Vita definitely has a embeddable browser. I have to support pages specifically intended to be viewed from within an app on the Vita.

    In fact, the screenshot you showed is most likely an hosted webpage being rendered by an in-app HTML view.



  • @dynedain said:

    Umm...

    Anybody who starts a sentence is "umm..." is a douchbag. Unfortunately, this means I can't read the rest of your post.



  • @blakeyrat said:

    Anybody [...]
    Anybody who starts a forum post with "Anybody ..." is an over-generalizing dick, which means that ... uh ... well, that my opinion of you is exactly the same that it already was before I didn't read your post.



  • Umm... Actually, -- okay guys, now that Blakyrat isn't reading this post we can communicate in secret. Who's up for a party this weekend!? :D



  •  Actually, I agree with the Umm... an Actually, rule.



  • @Xyro said:

    safe word
     

    I think Actually and Um should be unsafe words.



  • @Xyro said:

    Umm... Actually, -- okay guys, now that Blakyrat isn't reading this post we can communicate in secret. Who's up for a party this weekend!? :D

    begin 644 Umm... Actually... if you've made it that far in the post than you win a free iPad


Log in to reply
 

Looks like your connection to What the Daily WTF? was lost, please wait while we try to reconnect.