eksime.4761 Posted January 11, 2018

Since oauth appears to no longer be available, the process of signing into an app isn't hugely intuitive.

To work around this, is it allowable to authenticate users/generate an api key for your app by interacting with account.arena.net? I'm assuming not - though it would make the login flow for new users more simple.
Eearslya.6309 Posted January 12, 2018

So, you're suggesting that we give third-party apps our login credentials directly? What could possibly go wrong with that?

API keys aren't the most intuitive method of authentication, but it's certainly more secure than that. Creating a nicely detailed set of steps for users to follow can make the process simple as well.
eksime.4761 Posted January 12, 2018 (Author)

Yeah I can't think of anything less secure :( but it sure does make it simpler.

keys + instructions it is, I guess, then ^^

I do wonder why oauth was removed though... the wiki seems to suggest it worked at some point (?)
Illconceived Was Na.9781 Posted January 12, 2018

@"Ghirkin.4689" said:
> Yeah I can't think of anything less secure :( but it sure does make it simpler.
> keys + instructions it is, I guess, then ^^
> I do wonder why oauth was removed though... the wiki seems to suggest it worked at some point (?)

https://forum-en.gw2archive.eu/forum/community/api/HEADS-UP-OAuth2-being-replaced-next-week/
Leablo.2651 Posted January 15, 2018

@"Ghirkin.4689" said:
> Yeah I can't think of anything less secure :( but it sure does make it simpler.
> keys + instructions it is, I guess, then ^^
> I do wonder why oauth was removed though... the wiki seems to suggest it worked at some point (?)

To my knowledge there was never a real explanation, just a "concern" originating from outside the API team. I believe it had to do with wanting user-settable permission levels for the API, although once you've enabled any API key with the basic permissions you're already giving away your personally identifying information and there is relatively little value in hiding the rest. I still don't see the value in dropping OAuth for this but that's what happened.
This topic is now archived and is closed to further replies.