Using OAuth from within an app, without authorization screen?


#1

Hi!

We’re trying to add Lockitron API support right now, however I’m a bit confused with the OAuth flow. How do we do it in our Android app, without leaving the app? We’d like to provide our own username/password fields directly in our app, and if successfully logged in, we’d get automatic authorization. (I don’t see the point of asking the user to log in, from within our app, and then still having to do an extra step of “authorizing” our app with Lockitron… I mean, why else would the user type in their password into our app without wanting to authorize?)

Is there an endpoint we can send the username/password directly with AJAX, and get the auth token without going through your web interface?

BTW we have some big partners lined up with smartwatch companies and other home automation companies; if we feature Lockitron in our app it would be a huge win for you guys! We definitely want to work with you to make the user experience the best it can be!

Thanks!

Tyler


#2

@odbol thanks for the note - the OAuth handshake requires that you show the Lockitron login and authentication page (sorry, we need to clean up these views for mobile and will be working on that soon). As such you’ll want to pop up a webview in your Android app.

The main reason for this (and why folks use OAuth in general) is because it prevents malicious apps from skimming user credentials from their own form. This was a massive issue with Twitter in the early days; a bunch of users had bad apps take control of their accounts before they moved entirely to OAuth. The authorization page is to inform the user exactly what control they’re handing over to an app with the token.

Again, the onus is on us to provide better looking mobile API views and we’ll be working on that.
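
The client side of the webview flow described in the reply above, as an added example that is not code from either poster or from Lockitron. It assumes a standard OAuth 2.0 authorization-code flow; the authorize URL, client ID and redirect URI are placeholders, and the class and method names are hypothetical. It is plain Java (JDK 10+) with no Android classes, so the webview's redirect is represented by constructed callback strings.

```java
import java.net.URLDecoder;
import java.net.URLEncoder;
import java.nio.charset.StandardCharsets;
import java.security.SecureRandom;
import java.util.Base64;
import java.util.HashMap;
import java.util.Map;

public class OAuthRedirectFlow {
    // Placeholders (assumptions): take the real values from the provider's API documentation.
    static final String AUTHORIZE_URL = "https://auth.example.invalid/oauth/authorize";
    static final String CLIENT_ID = "YOUR_CLIENT_ID";
    static final String REDIRECT_URI = "myapp://oauth/callback";

    /** Random per-request value that ties a callback to the request this app started. */
    static String newState() {
        byte[] b = new byte[16];
        new SecureRandom().nextBytes(b);
        return Base64.getUrlEncoder().withoutPadding().encodeToString(b);
    }

    /** URL to load in the webview; the password is typed on the provider's page only. */
    static String authorizationUrl(String state) {
        return AUTHORIZE_URL + "?response_type=code&client_id=" + enc(CLIENT_ID)
            + "&redirect_uri=" + enc(REDIRECT_URI) + "&state=" + enc(state);
    }

    /** Returns the authorization code from the callback, or null if it must be rejected. */
    static String codeFromCallback(String callbackUrl, String expectedState) {
        if (!callbackUrl.startsWith(REDIRECT_URI + "?")) return null;
        Map<String, String> q = new HashMap<>();
        for (String pair : callbackUrl.substring(REDIRECT_URI.length() + 1).split("&")) {
            int i = pair.indexOf('=');
            if (i > 0) q.put(dec(pair.substring(0, i)), dec(pair.substring(i + 1)));
        }
        if (q.containsKey("error")) return null;                // user declined or provider error
        if (!expectedState.equals(q.get("state"))) return null; // not the request we started
        return q.get("code");  // exchanged for the token in a separate server call
    }

    static String enc(String s) { return URLEncoder.encode(s, StandardCharsets.UTF_8); }
    static String dec(String s) { return URLDecoder.decode(s, StandardCharsets.UTF_8); }

    public static void main(String[] args) {
        String state = newState();
        System.out.println(authorizationUrl(state));
        // Constructed callback URLs, standing in for the redirect the webview intercepts.
        System.out.println(codeFromCallback(REDIRECT_URI + "?code=abc123&state=" + state, state));
        System.out.println(codeFromCallback(REDIRECT_URI + "?code=abc123&state=other", state));
    }
}
```

The app never handles the user's password: it only sees the redirect, and it discards any callback whose `state` does not match the value it generated for that request.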