Keeping other accounts in cozy


Mihnea Dobrescu-Balaur

Apr 8, 2014, 6:15:07 PM
to cozy-...@googlegroups.com
When thinking about this issue[1] I realised that the user that wants to import contact data from (say) Google will have to grant OAuth permissions for that. Later on, maybe the user will also want to import tasks from Google - that will require a new OAuth permission probably.

This reminded me of the way you set up accounts on Android and how they are available between apps. I think that this would make sense for cozy - to have an “accounts” app in which you can connect your Google, Facebook etc. accounts (again, like on Android) and then, via permissions, allow cozy apps to interact with the data you have on those providers.


What do you think?


[1] https://github.com/mycozycloud/cozy-contacts/issues/22

--
Mihnea Dobrescu-Balaur

Joseph Silvestre

Apr 9, 2014, 2:31:57 AM
to cozy-...@googlegroups.com
Frank developed this application, it's called Konnectors: https://github.com/frankrousseau/konnectors
It currently supports Twitter (public), RescueTime and Jawbone, we are planning on adding Withings soon.

The real issue with this application is that setting it up for you is not trivial, especially if you aren't a technical guy because of oAuth's nature (not made for decentralized apps...) so it's not smooth to add new accounts :-/

Mihnea Dobrescu-Balaur

Apr 9, 2014, 3:56:05 AM
to cozy-...@googlegroups.com
Oh right, something like that. We should look into doing this in a more user friendly way. Android is doing it somehow on the devices.

Will check.


--
Mihnea Dobrescu-Balaur
Sent from a mobile device.

Joseph Silvestre

Apr 9, 2014, 4:05:12 AM
to cozy-...@googlegroups.com
If you find a way to have the oauth workflow working smoothly I will buy you more beers than you can drink :D Unfortunately, part of the workflow is "the developer registers its app in the backoffice of the provider" (google, facebook). Said step must be done by the user in our case...or we must provide a third-party service like https://foauth.org/

I hope you can find a subtlety in oAuth to avoid that!

Mihnea Dobrescu-Balaur

Apr 9, 2014, 4:52:41 AM
to cozy-...@googlegroups.com
Haha :))

So I'm not sure about OAuth subtleties (will check, as I said), but
what about having the user store their credentials in their own cozy?
It's the user's data anyway. I think this is how Android does it (since
they ask for username & password).
--
Mihnea Dobrescu-Balaur

Mihnea Dobrescu-Balaur

Apr 9, 2014, 4:58:54 AM
to cozy-...@googlegroups.com

Joseph Silvestre

Apr 9, 2014, 6:38:16 AM
to cozy-...@googlegroups.com
Yes that's a solution IF the provider (facebook, twitter) provides an API with basic authentication. Apparently, they don't (from what I've seen) for good reasons (the whole oAuth point, actually, is preventing the user from giving his credentials to third party clients) but I may have missed something (I'd love to have missed something :D).

Tell us if you find something I've missed!

Mihnea Dobrescu-Balaur

Apr 12, 2014, 5:47:48 PM
to cozy-...@googlegroups.com
Hm, what about this?
https://developers.google.com/accounts/docs/OAuth2InstalledApp
--
Mihnea Dobrescu-Balaur

Joseph Silvestre

Apr 14, 2014, 3:16:33 AM
to cozy-...@googlegroups.com
Oh, I'm glad you made the search after me because that page has changed and looks more friendly to us now! Yes, that will work! Unfortunately, it's not a standard workflow and depends too much on the will of the provider to provide it :-/ (Twitter doesn't have it unless they've changed something recently).

Mihnea Dobrescu-Balaur

Apr 14, 2014, 4:42:22 AM
to cozy-...@googlegroups.com
Just to make sure we are on the same page: do we accept the idea of having a registered app, and the only problem is that we don't know the URL for any given user that has cozy? Or do we not want to have a registered app, since that would imply that when you import your stuff, cozy also gets access to it (since it has your token)?

Joseph Silvestre

Apr 14, 2014, 7:03:45 AM
to cozy-...@googlegroups.com
I'm not sure I understand you properly, could you please rephrase or explain further the matter? Thanks!

Mihnea Dobrescu-Balaur

Apr 14, 2014, 12:26:22 PM
to cozy-...@googlegroups.com
I see two [potential] problems with OAuth:

1. There has to be a registered app. There could be a “central”, Cozy OAuth registered app. But then for a person to use it to manage their data, they basically allow a 3rd party (Cozy) to access their data, and this defeats the purpose of having your own cloud/data.

2. The registered app needs to have a URL set (the URL from where the request comes). Since people can self-host Cozy, we cannot know beforehand what URL they will use.

Am I missing something or are both problems valid?

--
Mihnea Dobrescu-Balaur
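
Added example, not part of the original thread or of Cozy's code: a constructed model of the provider-side redirect-URI check behind the two problems listed in the post above. Client ids, hostnames and the check itself are hypothetical, and the `urn:ietf:wg:oauth:2.0:oob` value is assumed to stand for the installed-application flow linked earlier in the thread.

```javascript
// Constructed provider-side registry; client ids and hosts are hypothetical.
const OOB = 'urn:ietf:wg:oauth:2.0:oob'; // assumed installed-app redirect value
const clients = {
  // Problem 1: one central app; its callback lives on the project's server.
  'cozy-central': { redirectUris: ['https://accounts.cozy.example/callback'] },
  // Per-user setup: the user registers an app for their own instance.
  'alice-own': { redirectUris: ['https://cozy.alice.example/callback'] },
  // Installed-application client: the code is shown to the user instead.
  'cozy-installed': { redirectUris: [OOB] },
};

// Decide whether the request is accepted and where the authorization
// code would be delivered (i.e. who operates the receiving endpoint).
function checkRedirect(clientId, redirectUri) {
  const client = clients[clientId];
  if (!client) return { ok: false, codeGoesTo: null, reason: 'unknown client' };
  // Exact string comparison: no wildcards, no per-user hosts (problem 2).
  if (!client.redirectUris.includes(redirectUri)) {
    return { ok: false, codeGoesTo: null, reason: 'redirect_uri mismatch' };
  }
  if (redirectUri === OOB) {
    return { ok: true, codeGoesTo: 'user', reason: 'out-of-band' };
  }
  return { ok: true, codeGoesTo: new URL(redirectUri).host, reason: 'registered' };
}

function demo() {
  const selfHosted = 'https://cozy.alice.example/callback';
  return {
    // A self-hosted instance cannot reuse the central registration.
    centralFromSelfHost: checkRedirect('cozy-central', selfHosted),
    // The central registration works, but the code lands on the project's host.
    centralViaProject: checkRedirect('cozy-central', 'https://accounts.cozy.example/callback'),
    // Works, at the cost of the user registering an app themselves.
    ownRegistration: checkRedirect('alice-own', selfHosted),
    // No URL has to be known in advance; the user pastes the code.
    installed: checkRedirect('cozy-installed', OOB),
  };
}

console.log(demo());
```

The `centralViaProject` result corresponds to problem 1: with a central registration the authorization code is delivered to a host the project operates, not to the user's own instance.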

Joseph Silvestre

Apr 15, 2014, 4:13:15 AM
to cozy-...@googlegroups.com
Ok I understand better, thanks for the expanded explanations, I wasn't sure of what you were talking about.

So for 1°) and 2°), we would like to avoid (almost at all costs) registering an app on behalf of the users for the two specific reasons you listed (+ the maintenance costs of hosting a foauth or anything like this).

That's why we need to make specific pieces of code for each provider: Google seems to authorize unregistered apps to connect, Twitter allows you to make the handshake manually once in its backend, but not for all its API (see Konnectors), I haven't looked at Facebook but there might be something too (or not).

The other way would be to scrape the data but 1°) it's kinda forbidden 2°) that would require a lot of work

What do you think?

Thank you again for your time and your ideas!

Mihnea Dobrescu-Balaur

Apr 15, 2014, 5:41:25 AM
to cozy-...@googlegroups.com
I don’t think scraping the data is a way to go.

I’d say to try and integrate Google since it works (it seems to at least) as we want, and see from there. Having Google integration is already a big plus (since many people use Google Contacts - all of Android, and Google Calendar).

Happy to help :)

--
Mihnea Dobrescu-Balaur
> 2014-04-09 10:58 GMT+02:00 Mihnea Dobrescu-Balaur:
>
> I think this is the function that is used:
>
> http://developer.android.com/reference/android/accounts/AccountManager.html#addAccountExplicitly%28android.accounts.Account,%20java.lang.String,%20android.os.Bundle%29