EVE Technology Lab

it depends on what kind off "application" you want..
you say that you aren't making a website, then what? what langues? (like c#, c++, java, phyton, ect..)

provide that information and we can help you more.

The CREST OAUTH loop back requires a URL. With a desktop app you do not have that.

In order to make it work you'd need to pop a browser window and the capture the return from an online source via a web service or maybe (shudder) hijack the return query string data using OLE or something.

Iirc CCP mentioned the SSO for crest was for websites only but check with FoxFour.

Edit: not sure this would work or be allowed but you could set the return url to a http://localhost:blahport address and then bind to that port from your application.

You can check out the source code for evernus and see how it's handled there. It basically uses 2 methods: internal Web engine for the user to authenticate, and opens an external browser and waits for the users to input a code from it. The first method is best for reliability, while the second is best for user trust.

Everything I see suggested is basically a hack. Probably be easiest to just HTTP get the form. HTTP post a form submission as if I was a browser and then parse the token out of the response.

Not too difficult, but it leaves me feeling slightly dirty.

Anyway, thanks for the suggestions.

https://github.com/fuzzysteve/CREST-Market-Downloader

uses CREST to download market data.

Handles the auth by throwing the user off to their system browser to do the authentication, and gets the relevant tokens by having an embedded webserver, which acts as the endpoint you're redirected back to.


If you embed a web browser in your application, I'm not going to use it (and neither should anyone who doesn't trust you. As I can't reach out and touch you, I'm likely never to trust you enough)

So I'm basically stuck with two options,
1. build an embedded browser into the app (which quite rightly should not be trusted, could compromise my eve account)
2. build an embedded server into the app and on installation get the person to open a port on their firewall where the app will listen (which should REALLY not be trusted, it could be receiving commands from anywhere and doing pretty much anything on my computer, compromise my entire PC)


None of this really matters in my case because I am building this application for myself, but if someone was building a fat client app for the general public, is there any way they can use SSO that would be "trustworthy"? It doesn't seem so.

Well, Evernus has CREST since it was introduced to us, and I can confirm - there is no good way to make it work with the best UX and full trust for desktop apps. OAuth is better suited to web applications. Real world experience shows that:

• Embedded browser has the best UX, best reliability, but the worst trust.
• External browser with manual code input has the worst UX, but it's quite reliable (although not as much as embedded) and trustworthy.
• Local web server has the same worst UX and it's not reliable at all.

You should discard local web server (unless you want a ton of bug reports, which you wouldn't be able to fix in any other way than dropping the idea), and focus on external auth with manual input and embedded web server. I have them both in Evernus and the user can choose what he/she prefers. Embedded server is used by default to smoothen the UX, but the user can press a button and through browser-based auth. It's been around around for months and I get absolutely no complaints and no bug reports about it.



That is very true, but if you make some kind of in-app form to log into Eve, I doubt anyone will use that. That method should not be used at all.

And that's where you are wrong. For example - my 3 home machines and 2 work machines would not allow that. I bet most corporate machines will scream if any app tried to do that. Add to that other applications which can already open this particular port and you're pretty much screwed. Screwed because it's something that cannot be dynamically changed by the application. Local server is absolutely the worst of the 3 options, since it has the worst UX, has the least chance of working properly and cannot be dynamically fixed on the user side. Also it doesn't inspire much trust, since you will never know if it's contacting some C&C server and stealing your private data from your disk.

That's another option, but it's less secure than local server and manual input. It takes more time, because the app needs to ping the server. It also wastes resources, since the app needs to constantly ping it until success. Add to that the increased complexity, and I think simple Ctrl+C, Ctrl+V from a browser, into the app is a cleaner solution.
A real solution would be an auth method better suited for desktop apps, but I don't think it will happen soon, if at all.

I assume the target is not only 'properly locked down corporate machines', but potentially any machine with a firewall/iptables/whatever that can block ports, local or not. That is a potentially large chunk of userbase being discarded for no real reason. Also, if another app is already listening on a given port, you're screwed. Maybe if CREST disregards ports for redirect URLs, that would be partially solvable, but it would invoke searching for another port which could work (or manual input, which would just **** off users). And there's another issue - if another app would require a port which was stolen by our app, the user would surely be pissed off. Try to explain such situation to a stereotypical dumb user. And for what? To save a Ctrl+C, Ctrl+V? That's just absurd.