Several things you’re missing the point of by a WIDE margin:
- ESI’s OAuth mechanics are primarily intended for web applications where the application id:secret aren’t accessible to the end-user. Desktop apps can be decompiled and screwed with if someone’s in a malicious mood.
- This is just as valid, and doesn’t impose any unnecessary costs on the developer (hosting fees and such) that they aren’t willing to pay, considering they CAN’T charge $ for the apps?
- Doesn’t need to be “according to standard.” Not when other methods can put the dev’s game accounts at risk if someone “steals” the client id:secret and is maliciously using it.
- If you’re giving EVEMon write scope access, you’re doing it wrong. Pretty sure the guide for it also only says “read” scopes too.
- PYFA doesn’t require this approach because they use an authentication proxy outside of the application itself to resolve it. They also provide the ability to add your own dev credentials if desired.
Beyond that, any real changes to how the OAuth methods are done on desktop apps will require changes to how EVE itself does OAuth. No one in their right mind would willingly expose their game account to malicious-use consequences if there are ways to avoid it.