Desmont McCallock
410
|
Posted - 2014.11.09 08:55:41 -
[31] - Quote
Ortho Loess wrote: 1. EVE Mon was used as an example, and is a good one. It needs certain core functionality on the API or is useless, it does a lot of other things that are optional. It is very clever and will turn just work regardless of which are granted. Good programming. However, there's no chance of it working if you turn off the character sheet. Part of the scope passed by the requesting app should be a listing of which items are optional and which are required. Those listed as optional get checkboxes.
There could also be the ability to request two different scopes and let the user pick from the two predefined ones.
Check EVEMon @ File > Add API Key... > EVEMon features link in page. I know it's a little bit buried but... it's there. |
Leebe
Aurora Armaments The Bastion
0
|
Posted - 2014.11.16 23:01:15 -
[32] - Quote
I would not generate the api key together with the login.
If you login with the sso you get a token that is valid only for a short time. What would be the expiration of the created api key?
Would the average user understand that if he logs in one time at a site he might be giving away access to his account that he has to revoke on the api key page? How would the api keys be named?
I would suggest to make the api key generation page better instead. You can already give parameters to the page to create a key with specific rights ... what about adding a way to add a callback url to redirect the user back instead? To make it more secure you could add the app id as parameter and the back button on the api key page would use the registered url of the sso app. |
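The difference between passing a callback URL and passing only an app id, as an added example that is not part of the original post or of any CCP code. The registry, the app id `app-123`, the URLs and all function names are constructed for illustration; the prefix-check variant goes beyond the post to show a common half-measure that still fails.

```python
from urllib.parse import urlsplit

# Constructed registry (hypothetical): app id -> callback URL registered for the SSO app.
REGISTERED_CALLBACKS = {
    "app-123": "https://tools.example.org/sso/return",
}


def back_target_from_url_param(callback_url):
    """Weak variant: the key-creation link carries the callback URL itself,
    so whoever crafts the link decides where the user lands afterwards."""
    return callback_url


def back_target_prefix_check(app_id, callback_url):
    """Still weak: a prefix test accepts look-alike hosts."""
    registered = REGISTERED_CALLBACKS.get(app_id, "")
    origin = "{0.scheme}://{0.netloc}".format(urlsplit(registered))
    if registered and callback_url.startswith(origin):
        return callback_url
    return None


def back_target_from_app_id(app_id):
    """Variant suggested in the post: the link carries only the app id and
    the page redirects to the URL registered for that app, or nowhere."""
    registered = REGISTERED_CALLBACKS.get(app_id)
    if registered is None:
        return None
    parts = urlsplit(registered)
    if parts.scheme != "https" or not parts.hostname:
        return None  # refuse a malformed or non-TLS registration
    return registered


def demo():
    # Constructed look-alike host that shares the registered origin as a prefix.
    lookalike = "https://tools.example.org.attacker.example/collect"
    return {
        "url_param": back_target_from_url_param(lookalike),
        "prefix": back_target_prefix_check("app-123", lookalike),
        "app_id": back_target_from_app_id("app-123"),
        "unknown_app": back_target_from_app_id("app-999"),
    }


if __name__ == "__main__":
    for name, target in demo().items():
        print(name, "->", target)
```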
Ortho Loess
Volition Cult The Volition Cult
40
|
Posted - 2014.11.17 17:40:11 -
[33] - Quote
On the subject of making the current API page better:
Please make the current eve websites' implementation of the SSO respect the page you requested before being redirected to login.
At present, if I follow a create predefined link, it will redirect to SSO which then dumps me on the eve homepage instead of at the create predefined endpoint.
The only way to get it back is to then go back to the page I was sent from and click the link again.
I still want the better system to create keys using SSO though!!!!!!!! :) |
Death Escapist
The Vendunari End of Life
1
|
Posted - 2014.11.17 20:40:04 -
[34] - Quote
Leebe wrote: I would not generate the api key together with the login.
If you login with the sso you get a token that is valid only for a short time. What would be the expiration of the created api key?
Would the average user understand that if he logs in one time at a site he might be giving away access to his account that he has to revoke on the api key page? If the user never used an api key would he be able to disable the key without help? How would the api keys be named?
I would suggest to make the api key generation page better instead. You can already give parameters to the page to create a key with specific rights ... what about adding a way to add a callback url to redirect the user back instead? To make it more secure you could add the app id as parameter and the back button on the api key page would use the registered url of the sso app.
The default length for a newly created api key is currently 1 year - unless the user manually changes that. You can see that when you log into your account management and create a new one yourself.
As for the other points - exactly my current stance about sso and api keys. All this is far too technical and the common user has no influence on naming or similar settings anymore.
'Bound to fail he continues to smash the concrete wall between life and death' - Unknown pilot
|
Def Monk
404 File Not Found
11
|
Posted - 2014.11.18 03:50:32 -
[35] - Quote
For those asking about naming: the way a SSO works is that a website has to be registered with CCP before it can use it. As such, there will be a name associated with it. The name of the API key would likely be named to reference this, as that would make it easy for a user to remove the key if they so desired.
Likewise, on the SSO page as you're giving permission, it would be wise for CCP to put links to documentation about what the API key is, what it does, and how to disable it. If the user chooses to ignore it and still has no clue, that's their own fault. I see no problems with it if the information is readily available.
Expiration, due to the way it will work from a developer side, will be tricky. They'll receive the key they can use upon sign-in, but if the key expires, how would they go about getting a new one? I assume it would be another request to the SSO to get one if the current one doesn't work, but that would (I assume) be a mess on CCP's side to determine when they need to re-grant the key or even remove the old one. That's mostly semantics for how CCP decides to implement it though.
Likely, the API key would last much longer than the auth token. Once the token is used to log the user in on the developer's side, it's unneeded, which is why it can (currently) remain so short. The API key would need to be a bit longer unless the application only needed to access it once to grab information. Maybe the expiration could also be sent as a 'request' from the developer, and the user has right to turn it down/change it on the SSO permissions request page like the permissions themselves. |
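A sketch of the consent decision discussed in this thread (required versus optional items, a key named after the registered app, and an expiry the app requests but the user can shorten), added here as an example and not part of the original post or of CCP's implementation. Every name, the access labels, the sample request and the 365-day ceiling are assumptions made for illustration.

```python
from datetime import datetime, timedelta, timezone

POLICY_MAX_DAYS = 365  # assumption: provider-side ceiling on key lifetime


def decide_grant(app_request, user_choice, now):
    """Return the key to create, or None when no key should be created."""
    required = set(app_request["required"])
    optional = set(app_request["optional"])
    ticked = set(user_choice["ticked"])

    if not required <= ticked:
        return None  # the app cannot work without these, so create no key
    # Never grant more than was asked for, whatever the submitted form contains.
    access = ticked & (required | optional)

    # Lifetime: the app's figure is only a request; the user may shorten it.
    days = min(app_request["requested_days"],
               user_choice.get("max_days", app_request["requested_days"]),
               POLICY_MAX_DAYS)
    if days < 1:
        return None
    return {
        # Named after the registered app so the user can find and revoke it.
        "name": "SSO: " + app_request["registered_name"],
        "access": sorted(access),
        "expires": now + timedelta(days=days),
    }


# Constructed sample request from a registered app, and a fixed clock.
REQUEST = {
    "registered_name": "Example Skill Planner",
    "required": ["character_sheet"],
    "optional": ["skill_queue", "wallet_journal"],
    "requested_days": 720,
}
NOW = datetime(2014, 11, 18, tzinfo=timezone.utc)

if __name__ == "__main__":
    # User ticks the required item and one optional; "mail" was never requested.
    form = {"ticked": ["character_sheet", "skill_queue", "mail"], "max_days": 30}
    print(decide_grant(REQUEST, form, NOW))
    # User declines the required item: no key is created.
    print(decide_grant(REQUEST, {"ticked": ["skill_queue"]}, NOW))
```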
Jack Tronic
borkedLabs
225
|
Posted - 2014.11.25 04:50:29 -
[36] - Quote
Woah woah woah. Before you add to the game's greatest metagame hole. How about making API key management easier for end users. There are tons of "leaked" keys from hacked eve sites over the years. |