EVE Technology Lab


3rd Party non-browser app and OAuth2

Padruda Ehinu
Renipran
#1 - 2017-03-20 16:45:43 UTC
Hello out there,

I have questions regarding the OAuth2 SSO of EVE and the development of 3rd party apps.

I am developing a tool for myself and later my alliance to handle certain tasks. (Namely: everything in one tool)

I want to use the CREST API as well. That means I have to come across a way to use the SSO and retrieve a user auth token (as from the 3rd party developer guide).

I think of the following:
- The User connects to my server app (with the client app)
- If the client doesn't have a server auth token OR it expired on the server side, request a new one
- - Server has an HTTP server running and its own server thread.
- - Server creates a SSO URL and sends it to the client
- - The client opens the browser and user logs in
- - redirect_uri points to the server HTTP instance
- - Server stores the data, creates an app-specific token and sends it to the client for session usage.
- If client has an auth token AND sso token is valid:
- - continue normal stuff

Does this break the trust chain?

As far as I understand, I have to let the user add his credentials on the SSO website and retrieve my token. Am I allowed to set the redirect_uri to my server app and proxy the access_token there?
Snitch Ashor
Republic Military School
Minmatar Republic
#2 - 2017-03-23 15:35:26 UTC
Padruda Ehinu wrote:
Hello out there,

I have questions regarding the OAuth2 SSO of EVE and the development of 3rd party apps.

I am developing a tool for myself and later my alliance to handle certain tasks. (Namely: everything in one tool)

I want to use the CREST API as well. That means I have to come across a way to use the SSO and retrieve a user auth token (as from the 3rd party developer guide).

I think of the following:
- The User connects to my server app (with the client app)
- If the client doesn't have a server auth token OR it expired on the server side, request a new one
- - Server has an HTTP server running and its own server thread.
- - Server creates a SSO URL and sends it to the client
- - The client opens the browser and user logs in
- - redirect_uri points to the server HTTP instance
- - Server stores the data, creates an app-specific token and sends it to the client for session usage.
- If client has an auth token AND sso token is valid:
- - continue normal stuff

Does this break the trust chain?

As far as I understand, I have to let the user add his credentials on the SSO website and retrieve my token. Am I allowed to set the redirect_uri to my server app and proxy the access_token there?


What you sketch there sounds technically fine to me. It is exactly the way browser apps work. In your description, replace client with 'browser' and sso token with 'cookie' or 'password login' and it's a browser app.

Cheers,
Snitch
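
The server-side flow discussed in this thread, as an added example that is not part of either post: the server builds the SSO URL, receives the redirect, keeps the SSO tokens to itself and hands the client only an app-specific token. It also binds each login attempt to the requesting client with the standard OAuth2 `state` parameter, which the thread does not mention. The endpoint URL, client ID, redirect URI, lifetimes and the `AuthBroker` and `exchange_code` names are assumptions for illustration.

```python
import hashlib
import secrets
import time
from urllib.parse import urlencode

# Placeholders (assumptions, not values from the thread or from the EVE SSO).
AUTHORIZE_URL = "https://sso.example.invalid/oauth/authorize"
CLIENT_ID = "PLACEHOLDER_CLIENT_ID"
REDIRECT_URI = "https://myserver.example.invalid/callback"
STATE_TTL, SESSION_TTL = 300, 3600  # seconds

def _digest(token):
    return hashlib.sha256(token.encode()).hexdigest()

class AuthBroker:
    def __init__(self, exchange_code, now=time.time):
        self.exchange_code = exchange_code  # callable(code) -> SSO token dict
        self.now = now
        self.pending = {}    # state -> (client_ref, expiry)
        self.sessions = {}   # sha256(app token) -> (client_ref, sso_tokens, expiry)

    def start_login(self, client_ref):
        """Build the SSO URL that the client app opens in the user's browser."""
        state = secrets.token_urlsafe(32)
        self.pending[state] = (client_ref, self.now() + STATE_TTL)
        query = urlencode({"response_type": "code", "client_id": CLIENT_ID,
                           "redirect_uri": REDIRECT_URI, "state": state})
        return f"{AUTHORIZE_URL}?{query}"

    def handle_callback(self, code, state):
        """Run by the server's HTTP instance when the SSO redirects back."""
        client_ref, expiry = self.pending.pop(state, (None, 0))  # single use
        if client_ref is None or expiry < self.now():
            raise PermissionError("unknown, reused or expired state")
        sso_tokens = self.exchange_code(code)   # SSO tokens never leave the server
        app_token = secrets.token_urlsafe(32)   # the only secret the client receives
        self.sessions[_digest(app_token)] = (client_ref, sso_tokens, self.now() + SESSION_TTL)
        return client_ref, app_token

    def sso_tokens_for(self, app_token):
        """Resolve an app token to the stored SSO tokens for server-side API calls."""
        entry = self.sessions.get(_digest(app_token))
        if entry is None or entry[2] < self.now():
            raise PermissionError("invalid or expired app token")
        return entry[1]
```

`exchange_code` stands in for the server's authenticated POST to the SSO token endpoint; storing only a hash of the app token means a leaked session table cannot be replayed as client credentials.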