Re: OAuth2 implementation in Elisp

[Ted Zlatanov]

On Mon, 26 Sep 2011 17:04:18 +0200 Julien Danjou <address@hidden> wrote: 

JD> On Mon, Sep 26 2011, Ted Zlatanov wrote:
>> I hope I don't have to know how to implement OAuth2 in order to
>> understand your answer to that question.

JD> No. But you have to understand how it works and how to use it at least,
JD> so your questions would make sense. Right now you are just proving you
JD> know nothing about OAuth 2 and that you don't trust my judgement on
JD> implementing things.

That's a stretch based on my questions, especially the latter part.

JD> Which could put me in a bad mood.

Sorry to hear that.  I am interested in a) using this code myself, and
b) making sure users don't send me questions like "what do I do now?
Emacs is asking me to enter some code."  From my viewpoint what you
posted will not help with (b).  Upsetting you was not intended.

JD> Now, I'll explain why we can't make Emacs act like a Web apps to you.

JD> When the client is a native client (like Emacs), the user is sent to an
JD> URL where the OAuth provider prints the following:

JD> "The application $REGISTERED-APPLICATION-NAME is trying to access your
JD>  data in $THIS-WAY. Is this OK?

JD>   [YES] [NO]"

JD> If the user clicks yes, an authorization code is printed, the user give
JD> it to Emacs, and Emacs can obtain an access token from the OAuth
JD> provider to access the user data. Point.

JD> If the client is a Web application, the user is sent to the same URL,
JD> but when clicking [YES], no code are printed: instead the user is
JD> redirected by to the Web application.

This is what I saw in the IETF draft.  It is the better workflow.
Asking users to retype visible strings in Emacs is... unusual for an API.

Why can't Emacs pretend to be a Web application?  Is it somehow less
capable than other web browsers?

Thanks
Ted