Cerebral : Every user needs to be a registered developer?

I was assessing Cerebral as a replacement for EveMon. The fact it is a stand alone app rather than being web hosted is a big plus for security of my character information in my mind.

However, to use it, every user has to be a registered developer. Surely this is not what CCP intends. If thousands of users require developer credentials just to use an app, then I imagine it would be counterproductive for CCP's reasons for developer registration.

I am unsure if the app's developer could have used a different method for storing ESI tokens locally or if the fault lies with the way CCP designed the system. But if possible, could this be remedied?


The new ESI API requires account identification using the CCP web site. Ideally you have to do it once per character, and then the app will store a refresh token it can use to fetch all the required data. If this is not the case, then there is something wrong with the app architecture.

Can you give an example of a stand alone app that does this?

I am pretty sure both jEveAssets and Pyfa use the Eve SSO and the ESI. It is possible.

It seems though that implementing this into a stand alone app isn’t trivial, and perhaps some of the motivation to use the developer account was for increased security:

This is the current state to protect users and developers. CCP is working on JWT as a solution, and have an implementation being tested.

There are no good SSO solutions for Desktop software ATM.
It’s being worked on by the SSO team (Not to be confused with the ESI team), but, they’re very busy folks.

The options are:

  • Ship with the secret (can be decompiled and used for evil)
  • Let each user make their own dev app (Alphas cannot do this; you need to have paid money to CCP at some point in the past to create a dev app)
  • Use implicit flow (You need to re-auth all of your characters every 20 minutes)
  • Use some kind of middle proxy to keep the dev secret safe (Open up the proxy to attacks, instead)

…so, yes, “Let each user make their own dev app” is the safest option ATM. It’s far from optimal, but, it’s being worked on.

That team needs to work on this stuff faster.

I think everyone that works with Desktop software and SSO can agree with that. But, we’re all developers ourselves, so, we know stuff can take time to do. Hence we accept we have to do one of those options for a limited time, but, focus on that it will be fixed eventually.

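The option the thread settles on ("let each user make their own dev app") as an added example, not code from Cerebral, CCP or any poster: the desktop app ships no secret, takes the user's own client ID and secret, checks the `state` value on the loopback callback, and builds the token request used once for the code and later for the stored refresh token. The endpoint URLs, the loopback port and all function names are assumptions made for illustration.

```python
import base64
import hmac
import secrets
from urllib.parse import urlencode, urlparse, parse_qs

# Assumed EVE SSO endpoints; confirm against CCP's current SSO documentation.
AUTHORIZE_URL = "https://login.eveonline.com/oauth/authorize"
TOKEN_URL = "https://login.eveonline.com/oauth/token"
# Assumed loopback callback registered on the user's own dev application.
REDIRECT_URI = "http://localhost:8635/callback"


def build_authorize_url(client_id, scopes):
    """Return (url, state); state ties the later callback to this login attempt."""
    state = secrets.token_urlsafe(32)
    query = urlencode({
        "response_type": "code",
        "redirect_uri": REDIRECT_URI,
        "client_id": client_id,
        "scope": " ".join(scopes),
        "state": state,
    })
    return f"{AUTHORIZE_URL}?{query}", state


def extract_code(callback_url, expected_state):
    """Validate the redirect received on the loopback port and return the code."""
    params = parse_qs(urlparse(callback_url).query)
    state = params.get("state", [""])[0]
    # Constant-time comparison; reject callbacks not started by this app.
    if not hmac.compare_digest(state.encode(), expected_state.encode()):
        raise ValueError("state mismatch: callback does not belong to this login")
    if "code" not in params:
        raise ValueError("no authorization code in callback")
    return params["code"][0]


def token_request(client_id, client_secret, grant):
    """Build the token POST as (url, headers, body) without sending it.

    grant is {"code": ...} for the first exchange, or {"refresh_token": ...}
    for later renewals from the locally stored refresh token.
    """
    basic = base64.b64encode(f"{client_id}:{client_secret}".encode()).decode()
    kind = "authorization_code" if "code" in grant else "refresh_token"
    body = urlencode({"grant_type": kind, **grant})
    headers = {"Authorization": f"Basic {basic}",
               "Content-Type": "application/x-www-form-urlencoded"}
    return TOKEN_URL, headers, body
```

The client secret and the refresh token both end up on the user's machine in this design, so they belong in the operating system's credential store rather than a plain config file.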