very poor oauth flow - any planned improvements?

Nic Ferrier

Mar 7, 2014, 5:28:47 PM
to version...@googlegroups.com
I have been playing with the Python flow. It's appallingly bad.

First, you can't just oauth, users have to define an app first and then oauth to that. That's not the point of oauth. What an utterly silly thing to do. The point of oauth is to allow tools to be authorized. Why should the user have to pre-authorize the app with their preferences and THEN authorize it again with auth? You might as well just let them hand out a secret.

Second, the current oauth examples seem very dependent on the Google Oauth lib, which is exotic to say the least. Better examples using standard oauth libs would be good.

Third, it doesn't seem possible to request, or grant, a long lease time. I don't know if this is a system config parameter elsewhere in versionone but a 600-second lease time on an access token is not very long.


Please make it better?

Adam Anderson

Mar 18, 2014, 8:25:57 PM
to version...@googlegroups.com
I agree that the current OAuth implementation makes things quite difficult. Forcing users to jump through so many hoops hurts usability of any application using the API. While it is possible to hide the extra steps from the user by scraping the HTML and displaying a custom UI for pre-authorizing applications, this is extremely fragile and far from ideal.

One way to deal with the short expiration would be to determine if the token has expired before each request. If it has, submit a refresh request before submitting your original request.
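
The check-before-request approach described in the post above, as an added example that is not part of the thread and is not VersionOne's or Google's client code: a token holder that renews shortly before the lease ends and retries once on a 401. All names (`RefreshingToken`, `authorized_request`, `refresh_fn`, `send_fn`) are hypothetical, the token response is assumed to follow the standard OAuth 2.0 fields (`access_token`, `expires_in`, `refresh_token`), and the transport is injected so the sketch does not depend on any particular OAuth library.

```python
import time

class RefreshingToken:
    """Hypothetical helper: caches an access token and renews it before expiry."""
    def __init__(self, refresh_fn, refresh_token, skew=30, clock=time.monotonic):
        self._refresh_fn = refresh_fn        # callable(refresh_token) -> token response dict
        self._refresh_token = refresh_token
        self._skew = skew                    # renew this many seconds early (latency, clock drift)
        self._clock = clock
        self._access_token = None
        self._expires_at = 0.0

    def expired(self):
        return self._access_token is None or self._clock() >= self._expires_at - self._skew

    def refresh(self):
        resp = self._refresh_fn(self._refresh_token)
        self._access_token = resp["access_token"]
        # A missing expires_in counts as 0, so such a token is renewed on every call.
        self._expires_at = self._clock() + float(resp.get("expires_in", 0))
        # Keep a rotated refresh token if the server returns one.
        self._refresh_token = resp.get("refresh_token", self._refresh_token)

    def get(self):
        if self.expired():
            self.refresh()
        return self._access_token

def authorized_request(token, send_fn, *args):
    """send_fn(access_token, *args) -> (status, body); retries once on a 401."""
    status, body = send_fn(token.get(), *args)
    if status == 401:                        # token rejected early (revoked, server clock ahead)
        token.refresh()
        status, body = send_fn(token.get(), *args)
    return status, body

def demo():
    """Constructed run: fake clock, fake token endpoint, 600-second lease as in the thread."""
    now, issued = [0.0], []
    def fake_refresh(_refresh_token):
        issued.append("tok%d" % (len(issued) + 1))
        return {"access_token": issued[-1], "expires_in": 600}
    def fake_send(access_token, path):
        return 200, access_token + ":" + path
    tok = RefreshingToken(fake_refresh, "constructed-refresh-token", clock=lambda: now[0])
    results = []
    for t, path in [(0, "/a"), (500, "/b"), (580, "/c")]:   # 580 >= 600 - 30, so renew
        now[0] = t
        results.append(authorized_request(tok, fake_send, path))
    return results, len(issued)
```

Calling `demo()` shows two requests sharing one token and the third triggering a renewal inside the 30-second margin.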

Nic Ferrier

Mar 19, 2014, 2:10:45 PM
to version...@googlegroups.com
Joe Koberg of versionone hit me up with some specific suggestions about refresh. Sadly they look difficult to implement, at least with the Python API, because the http call that you need to hack is embedded in google's oauth client.

It's all a bit frustrating.