These forums have been archived and are now read-only.

The new forums are live and can be found at https://forums.eveonline.com/

EVE Technology Lab

 
  • Topic is locked indefinitely.
 

Devsite blog: Nom nom tasty market data!

First post First post
Author
Previous Topic Next Topic
Kaladr
Viziam
Amarr Empire
#121 - 2014-11-30 05:11:54 UTC
Steve Ronuken wrote:
One option which remains open for people is:

Have a client which sends you to a particular website (forming a session with it)

Have that website redirect people to the auth.
Have the site do all the talking with CCP's server, to get the access token (retaining the refresh token)
Send the access token back to the client.

That way, the client doesn't every see the refresh token, or the other detailed needed to create one. It can just ask the website for a new access token.

The client is also capable of doing authentication by (different) usernames and password, for an added level of security, just storing the refresh tokens against those.


That does make the third party site a juicy source of stored tokens (with various levels of vulnerability depending on the token scope). As flawed as Oauth2 is its better for keeping credentials secret.

I'm fully intending on keeping the EVE-Central market APIs running as long as there are users. CREST will of course be more powerful as it can do so much more depending on future scopes, but for simple R/O access it will likely be simpler for most users.

Creator of EVE-Central.com, the longest running EVE Market Aggregator
Pete Butcher
The Scope
Gallente Federation
#122 - 2014-11-30 08:28:22 UTC
Small question - is it normal that I have to click 'Authorize' every time my app calls /oauth/authorize? It would be really nice if the server remembered which apps were already authorized and just returned the token after login (with 'remember me' functionality in mind).

http://evernus.com - the ultimate multiplatform EVE trade tool + nullsec Alliance Market tool
Kaladr
Viziam
Amarr Empire
#123 - 2014-11-30 08:40:41 UTC
Pete Butcher wrote:
Small question - is it normal that I have to click 'Authorize' every time my app calls /oauth/authorize? It would be really nice if the server remembered which apps were already authorized and just returned the token after login (with 'remember me' functionality in mind).


Thats what the refresh token is for. You should be able to refresh to receive a new bearer token without user workflow.

Creator of EVE-Central.com, the longest running EVE Market Aggregator
Kaladr
Viziam
Amarr Empire
#124 - 2014-11-30 08:44:05 UTC
I've updated crestmarket with a very cheesy proxy mode, letting you get data without going through any OAuth steps for internal applications. Its cheesy (remaps URLs with a global regexp, etc), but may be helpful to some! Do not run this on an exposed interface / the internet / etc Shocked

Details are here: https://github.com/theatrus/crestmarket

Creator of EVE-Central.com, the longest running EVE Market Aggregator
Pete Butcher
The Scope
Gallente Federation
#125 - 2014-11-30 08:51:56 UTC
Kaladr wrote:
Pete Butcher wrote:
Small question - is it normal that I have to click 'Authorize' every time my app calls /oauth/authorize? It would be really nice if the server remembered which apps were already authorized and just returned the token after login (with 'remember me' functionality in mind).


Thats what the refresh token is for. You should be able to refresh to receive a new bearer token without user workflow.


Doesn't the refresh token have a limited lifespan? I'm talking about authorizing with any amount of time in between.

http://evernus.com - the ultimate multiplatform EVE trade tool + nullsec Alliance Market tool
Kali Izia
GoomWaffe
#126 - 2014-11-30 09:12:57 UTC
Pete Butcher wrote:
Kaladr wrote:
Pete Butcher wrote:
Small question - is it normal that I have to click 'Authorize' every time my app calls /oauth/authorize? It would be really nice if the server remembered which apps were already authorized and just returned the token after login (with 'remember me' functionality in mind).


Thats what the refresh token is for. You should be able to refresh to receive a new bearer token without user workflow.


Doesn't the refresh token have a limited lifespan? I'm talking about authorizing with any amount of time in between.

Nope, the refresh token is unlimited. Though your code shouldn't assume that and should expect that it could become invalid at some point in the future and prompt the user to reauthorize (such as if they revoke the token, although that kind of functionality doesn't exist on CCP's side yet).

Every time you call /oauth/token using a refresh token, you get an access token that has a 5 minute expiry. The refresh token itself doesn't expire.
Max Kolonko
Caldari Provisions
Caldari State
#127 - 2014-11-30 10:35:22 UTC
so if i understand above corectly once user authorise my app to do something, i can then run it without need for re-authoriseg unless "things happen" (like user revokes access or some shitstorm hits eve crest server) and without user knowing that i'm using it.

example just to make sure i get it right: in some optimistic future ccp gave us skill changing options via crest. I run eft-like app and authorise it to change my skills. it then can change my skills anytime it wants (hopefully its not when i dont want :P) without needing me to be at pc, authorise or even have that site opened?

Read and support: Don't mess with OUR WH's What is Your stance on WH stuff?
CCP FoxFour
C C P
C C P Alliance
#128 - 2014-11-30 11:52:19 UTC
Kali Izia wrote:
Though your code shouldn't assume that and should expect that it could become invalid at some point in the future and prompt the user to reauthorize (such as if they revoke the token, although that kind of functionality doesn't exist on CCP's side yet).


https://community.eveonline.com/support/third-party-applications/

You were saying?

@CCP_FoxFour // Technical Designer // Team Tech Co

Third-party developer? Check out the official developers site for dev blogs, resources, and more.
CCP FoxFour
C C P
C C P Alliance
#129 - 2014-11-30 11:52:59 UTC
Max Kolonko wrote:
so if i understand above corectly once user authorise my app to do something, i can then run it without need for re-authoriseg unless "things happen" (like user revokes access or some shitstorm hits eve crest server) and without user knowing that i'm using it.

example just to make sure i get it right: in some optimistic future ccp gave us skill changing options via crest. I run eft-like app and authorise it to change my skills. it then can change my skills anytime it wants (hopefully its not when i dont want :P) without needing me to be at pc, authorise or even have that site opened?


Correct.

@CCP_FoxFour // Technical Designer // Team Tech Co

Third-party developer? Check out the official developers site for dev blogs, resources, and more.
Kali Izia
GoomWaffe
#130 - 2014-11-30 12:10:29 UTC
CCP FoxFour wrote:
Kali Izia wrote:
Though your code shouldn't assume that and should expect that it could become invalid at some point in the future and prompt the user to reauthorize (such as if they revoke the token, although that kind of functionality doesn't exist on CCP's side yet).


https://community.eveonline.com/support/third-party-applications/

You were saying?

Oh ****, is that new or did I just never see it before?
CCP FoxFour
C C P
C C P Alliance
#131 - 2014-11-30 12:11:38 UTC
Kali Izia wrote:
CCP FoxFour wrote:
Kali Izia wrote:
Though your code shouldn't assume that and should expect that it could become invalid at some point in the future and prompt the user to reauthorize (such as if they revoke the token, although that kind of functionality doesn't exist on CCP's side yet).


https://community.eveonline.com/support/third-party-applications/

You were saying?

Oh ****, is that new or did I just never see it before?


Went live when the dev site went live. Didn't make a huge fuss about it as there were not refresh tokens around and no private data.

@CCP_FoxFour // Technical Designer // Team Tech Co

Third-party developer? Check out the official developers site for dev blogs, resources, and more.
Ydnari
Estrale Frontiers
#132 - 2014-11-30 17:41:11 UTC
CCP FoxFour wrote:
https://community.eveonline.com/support/third-party-applications/

You were saying?

Nice.

Looking at that I wonder if the SSO login page would benefit from the up-to-three characters being displayed with portraits like that, with the faces being buttons to authorise as that character?

It'd be a better user experience than a dropdown. I always have to open up the dropdown and find my character since I'm sorted last alphabetically, so it's three clicks (open dropdown, click name, click button) when it could be one (click character face).

It'd then work a lot like the in-game login screen, which would be a really nice bit of consistency.

--
Amose Amanum
State War Academy
Caldari State
#133 - 2014-12-01 01:09:21 UTC
Can I get access please?

Name: Yet Another Eve Market App
ID: 722fa9a1c99644929586ab6bd5431e31
CCP FoxFour
C C P
C C P Alliance
#134 - 2014-12-01 08:51:18 UTC
Amose Amanum wrote:
Can I get access please?

Name: Yet Another Eve Market App
ID: 722fa9a1c99644929586ab6bd5431e31


Done

@CCP_FoxFour // Technical Designer // Team Tech Co

Third-party developer? Check out the official developers site for dev blogs, resources, and more.
CCP FoxFour
C C P
C C P Alliance
#135 - 2014-12-01 08:53:54 UTC
Steve Ronuken wrote:
Can I get 7e5d5a8e8e5f45d78e43f302cceeb43d (Fuzzwork Native) authorized for the public data scope, thanks.

just want to see about working up an example of how to do it at least semi properly on windows Smile


Done

@CCP_FoxFour // Technical Designer // Team Tech Co

Third-party developer? Check out the official developers site for dev blogs, resources, and more.
CCP FoxFour
C C P
C C P Alliance
#136 - 2014-12-01 08:54:30 UTC
Nuke Cherenkov wrote:
Please add access for:

Python standalone app
e337559af9f145f08d83be165b3263b7


Done

@CCP_FoxFour // Technical Designer // Team Tech Co

Third-party developer? Check out the official developers site for dev blogs, resources, and more.
CCP FoxFour
C C P
C C P Alliance
#137 - 2014-12-01 08:54:49 UTC
OK, that should be everyone. If you want access and don't have it let me know.

@CCP_FoxFour // Technical Designer // Team Tech Co

Third-party developer? Check out the official developers site for dev blogs, resources, and more.
Kaladr
Viziam
Amarr Empire
#138 - 2014-12-02 06:55:53 UTC  |  Edited by: Kaladr
Two quick questions:

Any followup for the availability of the volume entered for an order being exposed?
Any ETA on the /universe/locations/ endpoints be available? Also, the href on an order is currently also not available.

Creator of EVE-Central.com, the longest running EVE Market Aggregator
Kivorno
Myanapa Corsica
#139 - 2014-12-02 16:20:56 UTC
Sign me up!

App: Eve-Merchant
Client-id: 50e997dd0b4b404480a49320e70d8849

Proud creator and developer of Eve-Merchant / Eve-Merchant Sprint
Aineko Macx
#140 - 2014-12-02 19:01:11 UTC
Sign me up too plz.

App: iveeCore
id: 14ea5ffa75224ac29332ef0e330d9bff

iveeCore 3.0: The PHP engine for industrial activities and CREST library