OAuth flows, thoughts and considerations. Looking for feedback.
Sorry this may get a bit lengthy.
I recently joined the MagicMirror community and started to play around and develop modules. I’m not a newbie to coding, but I never really worked on a Node-based project. I’m learning as I go along and looking at many great modules that folks have created around here to understand how things are done. Throughout my career I’ve worked with a bunch of API providers building apps, clients and bots.
As I’m venturing into building another module I have been having some thoughts and considerations about how API access, tokens and user authentication are handled by different modules. Some of the API providers make it easy to obtain access to their keys, some make it difficult. Others don’t; sometimes they restrict who can sign up for API access, how they sign up,
At the moment I’m looking into creating a module to display data from Runkeeper. They have fairly standard OAuth2 authentication and it’s pretty trivial to create an app and get an access token from them. Once my module is published I would like to make sure that potential users have a pleasant experience, that they can easily set it up and get it running with minimal effort. I don’t want to burden them with going through the process of creating their own application on the API provider’s site, getting client_ids, secrets, scopes, doing the OAuth dance and finally getting a token that they can put in the config. All of the above steps can lead to unnecessary confusion, frustration and additional support responsibilities for me as the developer of the module.
Which leaves me with a few options on how to handle data source API access and user authentication. I’m sure this is not a full list of options, but these are some of the options that I’ve considered.
1. My App + My Site = Your Token: As the developer of the module I create an app with the API provider and provide a very user-friendly webpage where OAuth2 authentication takes place and the access token is granted and displayed to be inserted in the module config.
2. Your App + My Site = Your Token: I provide a list of instructions along with the module on how and where to register the app; the user registers and then uses my site to enter the needed info (client_id, secret etc.) to get an access token that can be used in the module config. I don’t store any of the info and just provide a friendly web interface to get that done.
3. Your App + My Script = Your Token: I provide a list of instructions along with the module on how and where to register the app; after cloning the module repo the user can run a script that will spin up a temporary local webserver to accept the OAuth callback and get an access token that can be entered into the config for the module.

Theoretically I can combine 2 and 3, or even offer all 3 options. Number one is probably the most user-friendly way, but depending on the popularity of the module rate limiting may come into effect. 2 & 3 will likely require more effort from users and possibly more support from me.
Any thoughts or suggestions on this?