OAuth: Specify a special redirect_uri for manual token copy&paste #174
Comments
|
Of course you could add it to the spec. However, for your app to work reliably across providers, it would have to be a required feature. For that to find consensus, I think the first question would be why you cannot open some kind of web view with a trusted domain of yours, like a lot of native apps do for their OAuth dance. |
I already do that, it adds an unnecessary point of failure however. If I fail to secure my server, somebody could modify this website and make it log all tokens it receives. Is slightly less critical than with Dropbox & Co. because one would have to guess which account this token belongs to. Still unnecessary for a local application, and especially for an application that is local for the very reason so you don't need to trust any web servers. |
My application can be downloaded and run from the file system as a regular website. In this scenario, it doesn't have a
redirect_uriwhich could be used for OAuth - there is no trusted domain here. With Dropbox and Google Drive a special redirect URI (https://www.dropbox.com/1/oauth2/display_tokenandurn:ietf:wg:oauth:2.0:oobrespectively) can be used which will simply show the token and allow the user to paste it into the app. With remoteStorage, no such possibility exists. Could it be added?The text was updated successfully, but these errors were encountered: