OAuth (used by the likes of Twitter and others) is a protocol designed to remove the need for users to give third parties their username & password. A laudable goal!
However, using it can be a real pain when building a desktop application. It’s easiest to describe the problem with an example.
Say you want to build a desktop application that integrates with Twitter. To do so, you have to sign up for an API account at Twitter (true for any OAuth service provider), and obtain a secret key which you must ensure never falls into the hands of anyone but you and your application. The reason this key must stay secret is that it is used as the key of a keyed hash (an HMAC, which OAuth refers to as signing) over every API message sent from your application to the OAuth service provider; lose the key, and anyone can impersonate your application.
So the secret key must stay secret. And what do you, the hapless developer, do? You put it on a server, because it’s the only place you can ensure that it stays safe. So, now, for your desktop application to do anything with the API, it has to send messages up to your server to have the API message signed.
Now here’s the real sticking point. You have to know the identity of the user before signing the request coming to your server. And how do you know that? The user has to somehow log in to this server, a server that, a moment ago, existed only to perform signing.
Great. Now the user has to create a username & password to your site, just so you can use OAuth with Twitter.
So, in the end, your users still have to get involved with a username & password. Sure, the Twitter username & password stays locked in Twitter… which is good, no question. But the user experience is still cumbersome, and the amount of work the developer has to do is quite high, especially if you don’t already have a web site and login process.
So, in summary, to make a desktop application secure with OAuth, you are forced to make a website with a login if you don’t already have one. Ouch.
I’m admittedly new to OAuth but as far as I can tell, this is the state of affairs with OAuth and desktop applications.