Do we have to "pay" to develop third party applications built on ESI?

Gotcha. Another option is if this is a local app specific to a single character (or multiple characters belonging to a single human) you could just have them create their own dev application and plug in the client and secret keys.

Lol wut? You want me to tell the user to go dev their own app and get a secret key? Lol. What’s the point then?

No, I said go create a dev app for themselves and plug in the client and secret keys into your application. I.e. this way each “instance” of your application is specific to each user.

That’s not going to work and be practical, is it?

I wasn’t asked to do that for EveMon on Windows, was I? Yet I have to SSO my characters in.

Do I need a secret key if I wanted to build something like that?

:popcorn:

Maybe it’s easier if you just file a support ticket with CCP?

It’s a solid workaround if you don’t want to pay and still develop your application.

No because they paid and registered a single dev app for the project. Of which of course the dev app is not specific to a specific OS or something. I.e. if you were to get EveMon working on Linux, it would work just the same from an SSO perspective.

You need a dev app if you want to do anything with non-public character information. I.e. anything that requires them to SSO.

What is the point of SSO if I have to also get a key? The user of the application is responsible for their keys and application usage.

I am not responsible for the users of the application. The control stays with them.

To be clear, EVE ESI follows an OAuth2 flow, of which the dev application’s keys are used for this. See SSO | esi-docs. There are no API keys or anything like the XML API of late.

The user uses your application but is usually never aware of the tokens used to access their data. All they do is go through an SSO flow much like if you were to login to the EVE mobile app, or that you used to log into the forums. I.e. they only ever really interact with your application.

From Evemon license, not even they want to be responsible for the users. You will find every piece of software does this.


I as a developer am NOT responsible for the users use of the application.

So we have to ship the secret key with every release of our application? You have to be bonkers if that is the case.

Doesn’t that risk capture and replay? What’s to stop one application impersonating another dev key?

Ideally you wouldn’t, no, for the reasons you mentioned. How to handle this depends on what type of application you have. Given it sounds like you’re making a desktop app, check out OAuth 2.0 for Mobile or Desktop Applications | esi-docs for how to handle that.

Thanks, however, this “dev key” still implies liability and responsibility for the users of the application, also some people prefer to build from source themselves then run, especially on Linux and BSD platforms where they would also sign their known reviewed build of the app, including their own modifications.

This relates to:

Ideally your application would be designed in such a way where those keys are not hard-coded in the application. I.e. provided via ENV vars. This way, other people could plug in their own keys in order to test changes, or run their own fork of it.

So basically back to the API key method again. We just went full circle, just with more headaches.

It’s also possible to proxy manipulate an existing binary built application on the traffic, also it’s possible to edit the binary parameters in memory or in the release binary executable file.

There’s no escaping possible manipulation and abusing this dev key.

Just want to touch on your point about the legal agreement of playing eve vs using ESI.
The gap between the two’s ability to hurt the eve server, if people are doing bad stuff, is huge.
A single client made by CCP themselves vs endpoints that go directly to the servers isn’t really a comparison. The reason you can use the public endpoints scot free is that they’re cached by the cloud and not CCP, making the risk and cost much lower.

I think you’re heavily overthinking this. I have developed jEveAssets since 2009, a desktop application, and I have never had any problems with CCP regarding the ESI license. All I do is abide by all the rules of using ESI. As long as you do too, you will be fine. I also think you’re underestimating CCP’s willingness to allow you to explain yourself. No system is foolproof ofc. But, the ESI license turned out to not really be a bad thing…

A license and terms is one thing, having to manage a developer key is another.

The responsibility is on the user for usage. The key should be managed by the user. It should be a user key, and only a user key.

The user and developer share the responsibility. It’s the developer’s responsibility that their software doesn’t break any rules. It’s the user’s responsibility to use the software as intended and not modify it to break the rules. It feels really simple to me… Like if one person is misusing your software ofc. it won’t be on you, that just, you know, makes sense…


EveMon state this clearly, they do not take liability for the application’s use. Having to use a developer key ESI implies liability for use. It is a contradiction in terms.

They still have liability to CCP; the agreement in the screenshot is with the user, not CCP. The agreement with CCP is the ESI license, they agreed to that.