OAuth Support #150

Closed
marcusmateus opened this Issue Jul 19, 2012 · 16 comments


Since github removed support for API keys there is now no way to login to iOctocat unless I enter my password. While I'm sure there aren't any shenanigans in the code I would rather not enter my password... that's what API keys / OAuth is for.

For now iOctocat will sit on my iPad unused :(.

Owner

dennisreimann commented Jul 19, 2012

Hey Marcus, thanks for your feedback. I'll take a look at that again - the last time I looked at OAuth not all API actions were supported if the authentication was made by OAuth, but that might have changed.

Dennis, thanks for the quick response. I would hope github did not remove api key support w/o appropriate support via OAuth, but it would not be the first time a company made decisions I found frustrating :). Keep us posted.

Owner

dennisreimann commented Jul 19, 2012

Okay, looks good. I'll see what I can do, but don't expect it to happen within the next few weeks ;)

Completely understand. I'm just glad to hear you are going to take a close look at implementing OAuth support.

gaelian commented Jul 25, 2012

@dennisreimann +1 here for not having to enter a password.

Owner

dennisreimann commented Jul 25, 2012

You would have to enter it one way or another, because you'd have to provide the password at least once to do the authentication so that iOctocat can get the token.

gaelian commented Jul 25, 2012

I haven't really looked into OAuth thus far, so I'll take your word for it. Unfortunate, but if that's the way it has to be, then that's the way it has to be I guess.

@dennisreimann Not giving out your password is kind of the whole point of OAuth. It allows you to exchange tokens instead that provide limited & revokable access to 3rd party apps. You can look to iGist as an example.

Owner

dennisreimann commented Jul 26, 2012

@marcusmateus Basically you are right, but for the GitHub API you have to provide your username/password at least once, to authenticate and fetch the access token.

Here is the excerpt from the Non-Web Application Flow description:

Use basic authentication to create an OAuth2 token using the interface below.
With this technique, a username and password need not be stored permanently,
and the user can revoke access at any time. [...]
There is an API for users to manage their own tokens. You can only access your
own tokens, and only through Basic Authentication.

Maybe I'm just getting this wrong, but to me it looks like you'd have to provide username and password at least once, so that iOctocat can go through the OAuth flow and create/obtain an access token on your behalf.

I'm assuming you're talking about creating an application token for github:
https://github.com/settings/applications/new

In which case, yes, you have to enter your user/pass at least once. You can, however, use a web login in the app and scrape the token in the response. In which case, if you're already logged in to github, you won't have to re-login, you just get the response token.

Owner

dennisreimann commented Dec 10, 2012

To give you an update on OAuth: I implemented it on a branch and it is finished for github.com and I'm currently investigating how to make this work with Enterprise installations.

Woohoo! Looking forward to finally using iOctocat with my repos :) Thanks.

Owner

dennisreimann commented Dec 10, 2012

Does that mean you did not use it until now?

btw I had to implement it like this: The authentication form stays the same. You will still have to enter the password, but the password does not get stored, but is just used to retrieve the OAuth access token. I could not do it via the webflow, because it also has to work for Enterprise installations.
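The flow Dennis quotes from the Non-Web Application Flow description and the approach he describes in this comment (credentials sent once over Basic auth to mint a token, the password then discarded, the token used for everything afterwards) are shown below as an added example. It is not iOctocat's code and not GitHub's; `FakeGitHubAPI` is a constructed, offline stand-in so the script runs without a network, and the request shape it mirrors (`POST /authorizations` with Basic auth, a `scopes`/`note` body, a `token` in the reply, later calls using `Authorization: token …`) is that of GitHub's historical Authorizations API, which github.com no longer serves.

```python
import base64
import json
import secrets
from dataclasses import dataclass
from typing import Dict, Optional, Tuple


@dataclass
class Request:
    method: str
    path: str
    headers: Dict[str, str]
    body: Optional[bytes]


def build_token_request(username: str, password: str, scopes, note: str) -> Request:
    """The one and only request that carries the password: Basic auth to create a token."""
    creds = base64.b64encode(f"{username}:{password}".encode()).decode()
    body = json.dumps({"scopes": list(scopes), "note": note}).encode()
    return Request("POST", "/authorizations",
                   {"Authorization": f"Basic {creds}",
                    "Content-Type": "application/json"}, body)


def build_api_request(token: str, path: str) -> Request:
    """Every later request authenticates with the token, never with the password."""
    return Request("GET", path, {"Authorization": f"token {token}"}, None)


class FakeGitHubAPI:
    """Constructed offline stand-in for api.github.com (assumption, not the real service)."""

    def __init__(self, users: Dict[str, str]):
        self.users = users            # username -> password (constructed test data)
        self.tokens: Dict[str, Tuple[str, list]] = {}  # token -> (username, scopes)

    def handle(self, req: Request) -> Tuple[int, dict]:
        auth = req.headers.get("Authorization", "")
        if req.method == "POST" and req.path == "/authorizations":
            # Token creation is the only endpoint that accepts Basic auth here.
            if not auth.startswith("Basic "):
                return 401, {"message": "Requires basic authentication"}
            user, _, pw = base64.b64decode(auth[6:]).decode().partition(":")
            if self.users.get(user) != pw:
                return 401, {"message": "Bad credentials"}
            payload = json.loads(req.body or b"{}")
            token = secrets.token_hex(20)
            self.tokens[token] = (user, payload.get("scopes", []))
            return 201, {"token": token, "scopes": payload.get("scopes", []),
                         "note": payload.get("note")}
        if auth.startswith("token "):
            entry = self.tokens.get(auth[6:])
            if entry is not None:
                user, scopes = entry
                return 200, {"login": user, "scopes": scopes}
        return 401, {"message": "Bad credentials"}

    def revoke(self, token: str) -> None:
        """The user-side control the thread cares about: a token can be revoked on its own."""
        self.tokens.pop(token, None)


def login_once(api: FakeGitHubAPI, username: str, password: str) -> str:
    """Exchange the password for a token exactly once; only the token is returned for storage."""
    req = build_token_request(username, password, ["repo"], "iOctocat on iPad (example note)")
    status, resp = api.handle(req)
    if status != 201:
        raise PermissionError(resp["message"])
    return resp["token"]  # persist this (Keychain or equivalent); the password is not kept


if __name__ == "__main__":
    api = FakeGitHubAPI({"marcus": "correct-horse"})  # constructed credentials
    token = login_once(api, "marcus", "correct-horse")
    print(api.handle(build_api_request(token, "/user")))   # 200 with the login
    api.revoke(token)
    print(api.handle(build_api_request(token, "/user")))   # 401 after revocation
```

The point of structuring it this way is that the password exists only inside `login_once` for the duration of one request, and what the app keeps is a scoped token the user can revoke from their GitHub settings without changing their password.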

Nope, haven't used it... but want to. Hmm, does it not work for Enterprise because the callback url has to change? I have seen a number of other iOS apps do oauth via opening a Safari window... I can't recall if any were designed for behind the firewall use though.

@dennisreimann Just FYI, this doesn't address the root security issue from my perspective. Perhaps there just isn't a way though.

Owner

dennisreimann commented Dec 10, 2012

I talked to the people at GitHub and it turns out that we have to use the Authorizations API to also make it work with Enterprise installations.
