Re: OAuth2 implementation in Elisp

[Ted Zlatanov <tzz@lifelogs.com>]

On Mon, 26 Sep 2011 16:23:48 -0500 Ted Zlatanov <tzz@lifelogs.com> wrote: 

TZ> On Mon, 26 Sep 2011 17:04:18 +0200 Julien Danjou <julien@danjou.info> wrote: 
JD> When the client is a native client (like Emacs), the user is sent to an
JD> URL where the OAuth provider prints the following:

JD> "The application $REGISTERED-APPLICATION-NAME is trying to access your
JD> data in $THIS-WAY. Is this OK?

JD> [YES] [NO]"

JD> If the user clicks yes, an authorization code is printed, the user give
JD> it to Emacs, and Emacs can obtain an access token from the OAuth
JD> provider to access the user data. Point.

TZ> You are asking the user to visit a URL (with `browse-url') with an
TZ> external web browser that can run Javascript, then maybe they get back
TZ> an auth code, and then they paste it back to Emacs.  The way you have
TZ> written oauth2.el, anyone that has customized `browse-url' to use w3m or
TZ> other non-Javascript browsers will not know that something went wrong.
TZ> Maybe oauth2.el should check for that case.

I've confirmed this is completely broken with w3m, at least.  I can't
even use the "OK" button in the displayed screen because oauth2.el is
waiting for me in the minibuffer, and of course w3m can't process the
form because it doesn't store cookies by default (I didn't go further in
the testing).  So please check that `browse-url' is not set to one of
the internal Emacs choices.

Thanks
Ted