I'm building a plugin for an RSS desktop client which allows users to directly flattr things (i.e. blog posts) from within the client. Since it's a Java application I use flattr4j, which itself works fine so far.
My only remaining problem centers around the authorization workflow, which uses OAuth 2.0. Since flattr uses the authorization workflow described in section 4.1 of the OAuth 2.0 spec, I need to adhere to the prerequisites mentioned there, i.e.
The authorization code grant type is used to obtain both access tokens and refresh tokens and is optimized for confidential clients. As a redirection-based flow, the client must be capable of interacting with the resource owner's user-agent (typically a web browser) and capable of receiving incoming requests (via redirection) from the authorization server.
I managed to implement this workflow by
embedding a web browser control into my application (I could problably use the user's real web browser as well)
running a tiny local HTTP server which gets hit by the web browser via the OAuth callback URL mechanism in order to receive the OAuth code
Especially the last point looks error-prone to me. Since I need to register the callback URLs in advance (e.g. in my case http://localhost:port/whatever), I'm forced the speculate about a safe, non-used local port in order run a local HTTP server which receives the OAuth code at the end of the authorization workflow.
On the other side the flattr4j documentation mentions a different workflow, which looks more appealing to me for my use case:
"Client" based applications cannot offer a callback URL. Desktop or mobile device applications, for example, do not run a web server at all. For client based applications, Flattr will show a validation code on the website. The user will be required to enter the code in your application, in order to complete the authentication process.
And some lines further down:
When the user accepts, a validation code is generated by Flattr. If the application was registered as "Browser" typed, the callback URL you stated will be invoked with the code and the state as parameters. For "Client" applications, the code is presented to the user instead, and he is asked to enter the code in your application manually.
This workflow might not be perfect, but much more robust for a desktop application in my opinion.
(As for the application registration: I registered my application with the platform Desktop (Any). The platform seems to be more fine-grained compared to the above mentioned "Browser" vs. "Client" alternatives.)
So my questions are:
- Is a callback-less OAuth workflow still supported by Flattr? (Was it ever supported?)
- If so: how can I initiate this workflow?
- If not: are my concerns valid, or is the "open web browser, initiate authorization process and receive OAuth code via locally running HTTP server" just the way to go? Are there any alternatives that I overlooked?
UPDATE There is another option which I'm investigating now: I set up an "OAuth landing page" which is used as the callback URL. This website's only purpose is to display the OAuth code, which then can be copied to the Desktop application by the user. Not perfect, but looks more robust to me at the moment...