Worvast.3957:

I would like to ask whether, now that an API exists, an OAuth system will be developed so that applications can use user information when users allow access.

My main interest is oriented toward sPvP and the organization of leagues, measuring the quality of players, games, etc., but I am sure other developers are now thinking of hundreds of uses.

The Talcmaster.7391:

Vanilla OAuth actually has gaping security holes in its design. It is good only for associating non-sensitive information to an external account. GW2 already has a Single Sign On implementation in place that allows you to access the game, this forum, and the trading post with the same login. I would expect that anything deemed sensitive will be put behind this existing SSO login.

Varonth.5830:

> Vanilla OAuth actually has gaping security holes in its design. It is good only for associating non-sensitive information to an external account. GW2 already has a Single Sign On implementation in place that allows you to access the game, this forum, and the trading post with the same login. I would expect that anything deemed sensitive will be put behind this existing SSO login.

And all of these happen on ANet servers. You don’t want to log in on a 3rd party site using your login credentials, do you?
We need some sort of token system for personal information.

The Talcmaster.7391:

I know enough about OAuth that I wouldn’t want anything that could give people access to my account associated with it either.

Worvast.3957:

For me, a system that can verify authorship of an identifier (e.g. Worvast.3957) would suffice.

E.g.

Authoring identifier
Create guilds on my web
Users join clans

Result:

Leaderboard: Overview of the real level of a team/guild in sPvP, by server or by region. Push videos, info, verify profiles with real info for users and guilds!
Achievements: Visibility of activity/‘achievement seekers’ from the guilds = more visibility for active guilds.

And if they give some kind of information that is not sensitive (server, profession, etc.) to any user, it could provide useful information for census, WvW and sPvP.

All this, without being able to prove ownership of your identifier, possibly ends in a false or unreliable analysis if you allow this type of information on your website from guilds or rosters.

This is only one example; verifying authorship of an identifier would be quite interesting.

The Talcmaster.7391:

The way sites could work would be the same way a login to the trading post works: You ask to log into the site, it checks for your forum login cookie, and if one doesn’t exist, sends you to the forum login instead. No need to enter information into a 3rd party site. The problem arises in the ability to prevent that website from doing something like changing your password in the forum (this is why you are required to enter your existing password to do so). The OAuth specification would not solve this problem either. http://insanecoding.blogspot.com/2013/03/oauth-great-way-to-cripple-your-api.html

Long story short, if a piece of information could be used maliciously by someone, I would not expect it to be available outside the game for a long time. Of course, if they implement an in-game API, the sky is the limit.

Worvast.3957:

> The way sites could work would be the same way a login to the trading post works: You ask to log into the site, it checks for your forum login cookie, and if one doesn’t exist, sends you to the forum login instead. No need to enter information into a 3rd party site. The problem arises in the ability to prevent that website from doing something like changing your password in the forum (this is why you are required to enter your existing password to do so). The OAuth specification would not solve this problem either. http://insanecoding.blogspot.com/2013/03/oauth-great-way-to-cripple-your-api.html
>
> Long story short, if a piece of information could be used maliciously by someone, I would not expect it to be available outside the game for a long time. Of course, if they implement an in-game API, the sky is the limit.

The current cookie has no information about the identifier, and also is fairly easy to fake.

They could put some kind of token in the cookie and use this token with the API. This could also end up in a massive search of tokens to find identifiers; although this is less likely to occur, the option exists.

So I think the best way is to work on a secure API; providing access to such non-sensitive information is the best thing that can happen to the game to get a lot of third-party applications.
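
As an added illustration (not part of any post in this thread, and not ArenaNet's API), the following Python sketch shows one shape the "token system" and identifier-ownership check discussed above could take: the account server issues a short-lived, single-use random token bound to one site, and that site redeems it for the identifier without ever seeing the password. `AccountService`, its methods and the `*.example` site names are hypothetical.

```python
import hashlib
import secrets
import time


class AccountService:
    """Hypothetical stand-in for the game's own login server."""
    TTL = 120  # seconds a proof stays valid

    def __init__(self):
        # Only a hash of each token is stored: sha256(token) -> record
        self._proofs = {}

    def issue_proof(self, identifier, audience):
        """Runs after the player logged in on the game's own site."""
        token = secrets.token_urlsafe(32)  # 256 random bits, so a mass search is infeasible
        key = hashlib.sha256(token.encode()).hexdigest()
        self._proofs[key] = (identifier, audience, time.time() + self.TTL)
        return token

    def redeem_proof(self, token, audience, now=None):
        """Called by the third-party site; returns the identifier or None."""
        now = time.time() if now is None else now
        key = hashlib.sha256(token.encode()).hexdigest()
        record = self._proofs.pop(key, None)  # single use: a replay finds nothing
        if record is None:
            return None
        identifier, bound_audience, expiry = record
        if now > expiry or bound_audience != audience:
            return None  # expired, or presented by a site it was not issued for
        return identifier


def demo():
    svc = AccountService()
    site = "leagues.example"  # constructed third-party site name
    t1, t2, t3 = (svc.issue_proof("Worvast.3957", site) for _ in range(3))
    return {
        "verified": svc.redeem_proof(t1, site),
        "replayed": svc.redeem_proof(t1, site),
        "other_site": svc.redeem_proof(t2, "other.example"),
        "expired": svc.redeem_proof(t3, site, now=time.time() + 600),
        "guessed": svc.redeem_proof(secrets.token_urlsafe(32), site),
    }


if __name__ == "__main__":
    print(demo())
```

The token proves only that the holder controls the identifier; it grants no ability to act on the account, which is the separation the thread asks for.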