These forums have been archived and are now read-only.

The new forums are live and can be found at https://forums.eveonline.com/

EVE Technology Lab

 
  • Topic is locked indefinitely.
Previous page12
 

Discussion: Generate an XML API key via the SSO

First post First post
Author
Previous Topic Next Topic
Steve Ronuken
Fuzzwork Enterprises
Vote Steve Ronuken for CSM
#21 - 2014-11-03 12:43:37 UTC
Makari Aeron wrote:
Steve Ronuken wrote:
Makari Aeron wrote:
Personally, I had hoped SSO would replace the XML API and allow the SSO to create a special, partial API-like thing that only worked for that site and was stored in the site itself, not on CCP's servers. Kinda like how you see the random websites that use social networking site logins. "Login with google and let it access X of your personal information."



That's what CREST is.

It's just not quite ready yet.


And I've been waiting for it for years, I had just hoped SSO would have what I expected CREST to do. I'll just have to go find my bullwhip and energy drinks.... :P



CREST depends on the SSO. It can be considered an extension of it (it's really the other way round, but it's close enough).

Getting the SSO out is a lot less risky than CREST, so it's a good first step, and gives people useful functionality.

Woo! CSM XI!

Fuzzwork Enterprises

Twitter: @fuzzysteve on Twitter
Chingy Chonga
The Dark Space Initiative
Scary Wormhole People
#22 - 2014-11-03 12:45:09 UTC  |  Edited by: Chingy Chonga
What that image sets up is perfect. One thing to note is that I would prefer that the SSO handle the scope selection completely on it's own.

I know people have issues trusting third party devices so letting the developer decide which scope to use for the generate api key would probably be an extremely bad idea. If the SSO specifically had the scope selection on the first use of SSO for an application and then displayed what would be visible to the application as you authorize it, that would be amazing!

Also, it would be great if we could pass in a recommended scope for the application. So when CCP has you choose the permissions when you are signing on for the first time you can auto populate the recommended permissions that the application passes.
Gilbaron
The Scope
Gallente Federation
#23 - 2014-11-03 13:48:46 UTC  |  Edited by: Gilbaron
i don't know how technically possible that is, but the actual display of which permissions are granted and the confirmation thereof should only be handled on a CCP controlled website (including signs for a working encryption ...). So no Frames that can be embedded on other websites or anything like that

i would also like an option to limit the privileges that are asked for (checkboxes that are enabled by default but can be disabled for specific permissions that you don't want to give
ItsmeHcK1
Immortalis Inc.
Shadow Cartel
#24 - 2014-11-04 00:53:43 UTC
I will leave the specifics to all the other people in this thread, they clearly have more of an opinion on it.
I just want to say this: Yes! A thousand times yes! This will make my life soooo much easier.
Max Kolonko
Caldari Provisions
Caldari State
#25 - 2014-11-04 08:55:59 UTC  |  Edited by: Max Kolonko
I would lie to point out one thing that I consider obligatory for crest to be widely accepted.

When user is presented with list of functionalities he exposes to application he have to be able to choose which items from that list he allows for the app to use and which one he dont.

That way an app can't force you to use all of potential crest functions implemented in it but only those I feel comfortable exposing.

Let's talk eve-mon for example. In imaginary future I can change skills via crest and I exposed that functionality to eve-mon. Later on CCP ship new crest functionalities - for example remapping. Eve-mon being best skill planner in the world implements it an ships an update, making all users to reaccept crest range he exposes to them.

Now let's say for the sake of argument that I do not want to expose that, but I still want to use crest for that but I still want to use eve-mon for skill changing. What I would want to see is that when eve-mon update ships I can choose not to add remapping to the list/remove from the list and eve-mon being awesome would still work without that function.

Why is it so important? Imagine different scenario. I use 'shady' betting app and all they wanted was SSO and api generation so far and I was in OK with that. I invested billions in there and then they ship an update that suddenly requires wallet transactions so it is easier for me to send more money to site and, hey - I'm not OK with that! But what can I do? I have billions there and I want them back/still want to use that site! But no. If I reject I reject all other functionalities - including SSO that is used for loging in.

What I'm asking for is this then. Granularity when aceepting crest exposure. Maybe even EULA that don't allow developers to force new functionalities on user on the ormise that otherwise they will loose access to app.

Ther e will be great applications out there when crest is out and they will implement more and more crest functions. Let us choose which of those we want to use and which one we don't like to.

Read and support: Don't mess with OUR WH's What is Your stance on WH stuff?
Def Monk
Phoenix Naval Operations
Phoenix Naval Systems
#26 - 2014-11-06 03:41:26 UTC
Kali Izia wrote:
CCP FoxFour wrote:

Ah yes. This is what it looks like right now if your application requests permissions from CREST via the SSO: http://i.imgur.com/L939SZ5.jpg

I imagine if we had it so an application could request to create an API key we would have something similar. My concern however is showing everything would be very big and hard to understand.

After seeing this, maybe you could present it something like this mockup?
http://i.imgur.com/NvJcZPQ.png

The key would be to use common groupings, but more specific than the API page so you can still see at a glance what that app is trying to do. And then you can click on those groups to drill down to see exactly what it's requesting.
For example the "Private Information" group might be broken down into something like:

Assets:

  • AssetList
  • Locations
  • Contracts


Account Information:

  • AccountStatus
  • CharacterInfo
  • SkillQueue
  • SkillInTraining
  • CharacterSheet


Calendar:

  • UpcomingCalendarEvents
  • CalendarEventAttendees



This example image is pretty perfect. My suggestions: instead of putting the description under each one, to put a little question-mark link that opens a new window next to each. This would open a page and take you to a in-depth explanation of that specific permission, what it gives, what it could be used for, etc.

Additionally, I would suggest slightly coloring the names of each of the permissions or something, for example, green, yellow, red, etc. based on how dangerous that particular permission could potentially be. This would take time to set up, but could be done along the way as this starts to become widespread with the help of the community exposing how we use things.
Ortho Loess
Escalated.
OnlyFleets.
#27 - 2014-11-06 14:55:57 UTC
Making the user able to deselect any requests is a minefield for the people maintaining apps and supporting users.

There's a couple of things that would be very useful:

1. EVE Mon was used as an example, and is a good one. It needs certain core functionality on the API or is useless, it does a lot of other things that are optional. It is very clever and will turn just work regardless of which are granted. Good programming.
However, there's no chance of it working if you turn off the character sheet. Part of the scope passed by the requesting app should be a listing of which items are optional and which are required. Those listed as optional get checkboxes.

There could also be the ability to request two different scopes and let the user pick from the two predefined ones.

2. There should also be a flag as to whether the whole API is optional or not. If it is you can just say no and continue to log on, otherwise you can still say no, but won't be able to complete log in. This can be handled by the app based on what is returned, but it would be good if the requirement is made clear i.e. that the consequences of saying no are understood.


Say I have an app that requires a certain aspect be set. As an example, alliance security systems nearly all require an account key, rather than character. If they change it to character, because the option was there and there's no clear guidance that the user shouldn't mess with this, they can't continue. The user gets kicked back to my app, and I them have to deal with telling them that the api they just made is useless and send them back. We get this all the time with the current system, because so many people just don't understand the instructions well enough and make an invalid key. I see no reason to make it so easy for them to mess up the auto generated one.

This idea has great potential to massively reduce my support workload to alliance members (then we just need to get them to understand cache timers...).


Finally: I do think it is very important that it is clear that the user can choose not to create an API key when asked.
Death Escapist
Ministry of War
Amarr Empire
#28 - 2014-11-07 11:23:22 UTC
Ortho Loess wrote:
Making the user able to deselect any requests is a minefield for the people maintaining apps and supporting users.

There's a couple of things that would be very useful:

1. EVE Mon was used as an example, and is a good one. It needs certain core functionality on the API or is useless, it does a lot of other things that are optional. It is very clever and will turn just work regardless of which are granted. Good programming.
However, there's no chance of it working if you turn off the character sheet. Part of the scope passed by the requesting app should be a listing of which items are optional and which are required. Those listed as optional get checkboxes.

There could also be the ability to request two different scopes and let the user pick from the two predefined ones.

2. There should also be a flag as to whether the whole API is optional or not. If it is you can just say no and continue to log on, otherwise you can still say no, but won't be able to complete log in. This can be handled by the app based on what is returned, but it would be good if the requirement is made clear i.e. that the consequences of saying no are understood.


Say I have an app that requires a certain aspect be set. As an example, alliance security systems nearly all require an account key, rather than character. If they change it to character, because the option was there and there's no clear guidance that the user shouldn't mess with this, they can't continue. The user gets kicked back to my app, and I them have to deal with telling them that the api they just made is useless and send them back. We get this all the time with the current system, because so many people just don't understand the instructions well enough and make an invalid key. I see no reason to make it so easy for them to mess up the auto generated one.

This idea has great potential to massively reduce my support workload to alliance members (then we just need to get them to understand cache timers...).


Finally: I do think it is very important that it is clear that the user can choose not to create an API key when asked.


I do see your point from a programmers point of view and clearly support your general concern. But an application is more than just programming - it requires decent explanation on the consumer level as well. Too many black-boxes are floating around without any decent info why and for what all the different sets of the API are required. The aforementioned check-boxes would actually allow you to add some programming to automate the info process - you can simply catch those exceptions and deliver a notifier to the same user explaining in depth why you need it. The API is a tool for the programmer - not for the consumer. For him/her its just a requirement to give access to it - assuming they know what they are doing is like expecting a child to know about the dangers of lighting a match in a house filled with gas. Its the application providers responsibility to provide this kind of info - you will earn a lot of positive reputation if you do.

'Bound to fail he continues to smash the concrete wall between life and death' - Unknown pilot
Wacktopia
Fleet-Up.com
Keep It Simple Software Group
#29 - 2014-11-07 14:38:49 UTC
Checking in to say this sounds great. It might also help streamline things like custom vcode masks like @fuzzysteve uses.

Kitchen sink? Seriousy, get your ship together -  Fleet-Up.com
Ydnari
Estrale Frontiers
#30 - 2014-11-08 23:22:18 UTC
On a related note, one reason why it's a bit awkward generating and entering API keys into applications - particularly on mobile into a website - is that it's not one key value, it's two parts; the keyID and vCode. So you can copy one, go over to the site, paste it, but then you have to do another round trip to get the other half.

From and end user point of view the distinction between the two parts isn't very important.

Maybe you could consider making a simple presentation change, showing the key as a single line somewhere, with the keyID appended to the vCode with a separator; colon, comma, anything.

Then you can generate, copy, return to site, paste, and the workflow becomes that little bit less awkward for a very small change.

So something like: http://i.imgur.com/D34w76C.png

--
Desmont McCallock
#31 - 2014-11-09 08:55:41 UTC  |  Edited by: Desmont McCallock
Ortho Loess wrote:

1. EVE Mon was used as an example, and is a good one. It needs certain core functionality on the API or is useless, it does a lot of other things that are optional. It is very clever and will turn just work regardless of which are granted. Good programming.
However, there's no chance of it working if you turn off the character sheet. Part of the scope passed by the requesting app should be a listing of which items are optional and which are required. Those listed as optional get checkboxes.

There could also be the ability to request two different scopes and let the user pick from the two predefined ones.
Check EVEMon @ File > Add API Key... > EVEMon features link in page. I know it's a little bit buried but... it's there.
Leebe
The Scope
Gallente Federation
#32 - 2014-11-16 23:01:15 UTC  |  Edited by: Leebe
I would not generate the api key together with the login.

If you login with the sso you get a token that is valid only for a short time. What would be the expiration of the created api key?

Would the average user understand that if he logs in one time at a site he might giving away access to his account that he has to revoke on the api key page? If the user never used an api key would he be able to disable the key without help? How would the api keys be named?


I would suggest to make the api key generation page better instead. You can already give parameters to the page to create a key with specific rights ... what about adding a way to add a callback url to redirect the user back instead? To make it more secure you could add the app id as parameter and the back button on the api key page would use the registered url of the sso app.
Ortho Loess
Escalated.
OnlyFleets.
#33 - 2014-11-17 17:40:11 UTC
On the subject of making the current API page better:

Please make the current eve websites' implementation of the SSO respect the page you requested before being redirected to login.

At present, if I follow a create predefined link, it will redirect to SSO which then dumps me on the eve homepage instead of at teh create predefined endpoint.

the only way to get it back is to then go back to the page I was sent from and click the link again.


I still want the better system to create keys using SSO though!!!!!!!! :)
Death Escapist
Ministry of War
Amarr Empire
#34 - 2014-11-17 20:40:04 UTC
Leebe wrote:
I would not generate the api key together with the login.

If you login with the sso you get a token that is valid only for a short time. What would be the expiration of the created api key?

Would the average user understand that if he logs in one time at a site he might giving away access to his account that he has to revoke on the api key page? If the user never used an api key would he be able to disable the key without help? How would the api keys be named?


I would suggest to make the api key generation page better instead. You can already give parameters to the page to create a key with specific rights ... what about adding a way to add a callback url to redirect the user back instead? To make it more secure you could add the app id as parameter and the back button on the api key page would use the registered url of the sso app.



The default length for a newly created api key is currently 1 year - unless the user manually changes that. You can see that when you log into your account management and create a new one yourself.

As of the other points - exactly my current stance about sso and api keys. All this is far too technical and the common user has no influence on naming or similar settings anymore.

'Bound to fail he continues to smash the concrete wall between life and death' - Unknown pilot
Def Monk
Phoenix Naval Operations
Phoenix Naval Systems
#35 - 2014-11-18 03:50:32 UTC
For those asking about naming: the way a SSO works is that a website has to be registered with CCP before it can use it. As such, there will be a name associated with it. The name of the API key would likely be named to reference this, as that would make it easy for a user to remove the key if they so desired.

Likewise, on the SSO page as you're giving permission, it would be wise for CCP to put links to documentation about what the API key is, what it does, and how to disable it. If the user chooses to ignore it and still has no clue, that's their own fault. I see no problems with it if the information if readily available.

Expiration, due to the way it will work from a developer side, will be tricky. They'll receive the key they can use upon sign-in, but if the key expires, how would they go about getting a new one? I assume it would be another request to the SSO to get one if the current one doesn't work, but that would (I assume) be a mess on CCP's side to determine when they need to re-grant the key or even remove the old one. That's mostly semantics for how CCP decides to implement it though.

Likely, the API key would last much longer than the auth token. Once the token is used to log the user in on the developer's side, it's unneeded, which is why it can (currently) remain so short. The API key would need to be a bit longer unless the application only needed to access it once to grab information. Maybe the expiration could also be sent as a 'request' from the developer, and the user has right to turn it down/change it on the SSO permissions request page like the permissions themselves.
Jack Tronic
borkedLabs
#36 - 2014-11-25 04:50:29 UTC  |  Edited by: Jack Tronic
Woah woah woah. Before you add to the game's greatest metagame hole. How about making API key management easier for end users. There are tons of "leaked" keys from hacked eve sites over the years.

Please don't assume your users are smart to read warnings and guides. Because every user is dumb as rocks in reality and you must design to that. Right now API key management is the least visible option for accounts being squirreled away to the community site section.
Previous page12