EVE Technology Lab

 

Application CREST Authentication

Cinnaa
Investment Grade Metals
#1 - 2015-01-25 21:07:29 UTC
I seem to be really confused with how to authenticate my application with CREST....

I went to the developers site and registered my application. From this I received a Client Id and a secret key.

Do I use this data to authenticate my application? Or do I use SSO to authenticate myself?

I've got Postman installed into Chrome - could anyone explain the steps I need to use to authenticate my application? My intention is to get the market data.

Please feel free to post a documentation link that I must have missed, as I see many people are doing this successfully.... I must be missing something really simple here!

Thank you,
Cinnaa

Steve Ronuken
Fuzzwork Enterprises
Vote Steve Ronuken for CSM
#2 - 2015-01-26 12:35:55 UTC
Your application should always throw the user out to their web browser to go through the authentication steps, and then have them redirected back to your application in some fashion.

Two common ways to do it:
Embed a webserver to handle the redirect (so you redirect to something like http://localhost:3423/login, and that gets the details needed to finish the auth).

Have a helper application which you register as a handler for a custom URL scheme, like steveisawesome://localhost/login. That communicates with your regular application, probably with socket code, to hand over the auth details. You use the custom URL scheme as the redirect URI on the developers site.

You use the client id and secret to identify who your application is to the SSO. The user still uses their regular details with it.


If you're only using the application yourself, you can cheat a bit, and use a pregenerated refresh token. You just wouldn't want to distribute that.

For OAuth2, you don't want to use the Postman which embeds into Chrome, but the packaged app version you can get from https://www.getpostman.com/

There's a full OAuth2 client, which tells you how to set it up. (You have to set the redirect_uri properly with it.)

Woo! CSM XI!

Fuzzwork Enterprises

Twitter: @fuzzysteve on Twitter
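
The first option in post #2 (an embedded webserver on localhost that receives the redirect), as an added example that is not part of the original thread or of any poster's code. It sends the user to an external browser, listens on loopback only, and accepts the returned code only when the `state` value matches the one it generated. `AUTHORIZE_URL`, `CLIENT_ID` and the function names are placeholders assumed for illustration; the `/login` path follows the post.

```python
import hmac
import secrets
import urllib.parse
from http.server import BaseHTTPRequestHandler, HTTPServer

# Placeholders assumed for this example, not values from the thread.
AUTHORIZE_URL = "https://sso.example.invalid/oauth/authorize"
CLIENT_ID = "example-client-id"


def authorize_url(port):
    """Return (url, state). The URL is opened in the user's own browser."""
    state = secrets.token_urlsafe(32)  # unguessable, checked again on redirect
    query = urllib.parse.urlencode({
        "response_type": "code", "client_id": CLIENT_ID, "state": state,
        "redirect_uri": f"http://localhost:{port}/login"})
    return f"{AUTHORIZE_URL}?{query}", state


def parse_redirect(request_path, expected_state):
    """Return the authorization code, or None if the path or state is wrong."""
    url = urllib.parse.urlsplit(request_path)
    params = urllib.parse.parse_qs(url.query)
    state = params.get("state", [""])[0]
    code = params.get("code", [""])[0]
    if url.path != "/login" or not code:
        return None
    # A mismatched state means the redirect did not come from our login attempt.
    if not hmac.compare_digest(state.encode(), expected_state.encode()):
        return None
    return code


def make_listener(expected_state, result, port=0):
    """One-shot listener bound to loopback only; stores the code in result."""
    class Handler(BaseHTTPRequestHandler):
        def do_GET(self):
            code = parse_redirect(self.path, expected_state)
            if code:
                result["code"] = code
            self.send_response(200 if code else 400)
            self.end_headers()
            self.wfile.write(b"You can close this tab." if code else b"Rejected.")

        def log_message(self, *args):  # keep the code out of stderr logs
            pass

    return HTTPServer(("127.0.0.1", port), Handler)
```

Calling `handle_request()` on the returned server blocks until one redirect arrives; the code left in `result` is then exchanged for tokens using the client id and secret.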

Cinnaa
Investment Grade Metals
#3 - 2015-01-26 17:30:23 UTC
Hi Steve,

Thanks for your reply.

If I have understood this correctly, for my application to get market data *IT* needs to authenticate into CREST?

Or is it that a user authenticates into CREST and as part of that back end process my application's details are passed so that CCP knows for which application the user is authenticating? So the authentication is always as a user rather than an application?

If I was running a daily (say) Cron job to get market prices how would it authenticate? Using a pre-generated refresh token?

Thanks again,

Cinnaa

Steve Ronuken
Fuzzwork Enterprises
Vote Steve Ronuken for CSM
#4 - 2015-01-26 19:05:59 UTC
If you can read PHP, https://github.com/fuzzysteve/CrestLibrary may be of interest.


I generated a refresh token, and stuck it into the configuration file (for the example code).

Now, when my application needs to talk to CREST, it uses that refresh token to create an access token. That access token is for my account, with the appropriate privileges. No username/password required at that point.

I/My application can then use CREST, authenticated as me, getting new tokens, as the old tokens come up for expiry.

Does that make sense?


Pete Butcher
The Scope
Gallente Federation
#5 - 2015-01-26 20:45:14 UTC
Steve Ronuken wrote:
Your application should always throw the user out to their web browser to go through the authentication steps, and then have them redirected back to your application in some fashion.

Two common ways to do it:
Embed a webserver to handle the redirect (so you redirect to something like http://localhost:3423/login, and that gets the details needed to finish the auth).

Have a helper application which you register as a handler for a custom URL scheme, like steveisawesome://localhost/login. That communicates with your regular application, probably with socket code, to hand over the auth details. You use the custom URL scheme as the redirect URI on the developers site.


For reference, these methods will only work in the simplest of cases. As I explained here, setting up a local server or using a custom scheme may not work everywhere. There are also two options of authenticating which I use in Evernus:

1. Embedded web engine/view opening the login site and receiving the code in return.
2. Opening an external browser/showing an auth link, which redirects to own website with a code that can be pasted into the application, which then fetches the token.

http://evernus.com - the ultimate multiplatform EVE trade tool + nullsec Alliance Market tool

Steve Ronuken
Fuzzwork Enterprises
Vote Steve Ronuken for CSM
#6 - 2015-01-26 21:01:44 UTC
Embedding the web engine leads to very poor practices though.

You should never have your application request (directly) a user's Eve username and password. Ever. At all. Yes, it may be in an embedded web browser, and you don't actually see it. Still, it's incredibly bad practice for user education.

The second method isn't so bad. You could even extend it, so that it sends the client to your site, with a unique identifier, where they then go through the normal auth method (hit your site, create a session there, auto redirected to auth where they auth and it comes back, filling in the details in that session) and your app just polls every so often for that unique identifier, till it times out, or they're authed.


Cinnaa
Investment Grade Metals
#7 - 2015-01-26 21:59:31 UTC  |  Edited by: Cinnaa
Steve Ronuken wrote:
If you can read PHP, https://github.com/fuzzysteve/CrestLibrary may be of interest.


I generated a refresh token, and stuck it into the configuration file (for the example code).

Now, when my application needs to talk to CREST, it uses that refresh token to create an access token. That access token is for my account, with the appropriate privileges. No username/password required at that point.

I/My application can then use CREST, authenticated as me, getting new tokens, as the old tokens come up for expiry.

Does that make sense?


Hi, so to confirm there is no concept of an application being authorised on CREST - it is always for a user (who is using a given application).

I need to read up more on SSO and look through your code in more detail.

The only thing I can't get from reading this https://developers.eveonline.com/resource/single-sign-on is when I exchange the auth. code with an access token I get back a JSON response with a refresh_token field - when I now make a CREST call I need to pass in this token or is it the access_token field (presume the latter)?

How do I keep this "alive" so I can keep using it?


Thanks to everyone for the replies.
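
The refresh flow described in post #4, sketched as an added example that is not part of the thread and is not taken from CrestLibrary. It follows the standard OAuth2 refresh grant (RFC 6749): the stored refresh token is traded for a short-lived access token, the access token is what goes on each API call as a Bearer header, and a new one is fetched shortly before expiry. Assumptions: `TOKEN_URL` is a placeholder, the client authenticates with HTTP Basic, and the token reply carries `expires_in` alongside the `access_token` and `refresh_token` fields mentioned in post #7.

```python
import base64
import json
import time
import urllib.parse
import urllib.request

TOKEN_URL = "https://sso.example.invalid/oauth/token"  # placeholder, assumed


def http_post(url, headers, body):
    """Default transport: POST the form body and decode the JSON reply."""
    req = urllib.request.Request(url, data=body, headers=headers, method="POST")
    with urllib.request.urlopen(req, timeout=10) as resp:
        return json.load(resp)


class TokenManager:
    """Holds a long-lived refresh token and hands out fresh access tokens."""

    def __init__(self, client_id, secret, refresh_token, post=http_post, clock=time.time):
        basic = base64.b64encode(f"{client_id}:{secret}".encode()).decode()
        self._headers = {"Authorization": f"Basic {basic}",
                         "Content-Type": "application/x-www-form-urlencoded"}
        self._refresh_token = refresh_token  # a credential: keep it out of shared code
        self._post, self._clock = post, clock
        self._access_token, self._expires_at = None, 0.0

    def access_token(self, skew=30):
        """Return a valid access token, refreshing `skew` seconds before expiry."""
        if self._access_token is None or self._clock() >= self._expires_at - skew:
            body = urllib.parse.urlencode({"grant_type": "refresh_token",
                                           "refresh_token": self._refresh_token}).encode()
            reply = self._post(TOKEN_URL, self._headers, body)
            self._access_token = reply["access_token"]
            self._expires_at = self._clock() + int(reply["expires_in"])
            # Some servers rotate the refresh token; keep the newest one.
            self._refresh_token = reply.get("refresh_token", self._refresh_token)
        return self._access_token

    def api_headers(self):
        """Headers for an API call: the access token, never the refresh token."""
        return {"Authorization": f"Bearer {self.access_token()}"}
```

A cron job would construct one `TokenManager` from its configuration file and call `api_headers()` before each request.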