Several things you’re missing the point of by a WIDE margin-
ESI’s OAuth mechanics are primarily intended for web applications where the application id:secret arent accessible to the end-user. Desktop apps can be de-compiled and screwed with if someone’s in a malicious mood.
This is just as valid, and doesnt impose any unnecessary costs to the developer (hosting fees and such) that they arent willing to pay, considering they CANT charge $ for the apps?
Doesnt need to be “according to standard.” Not when other methods can put the dev’s game accounts at risk of someone “steals” the client id:secret and is maliciously using it.
If you’re giving evemon write scope access, you’re doing it wrong. Pretty sure the guide for it also only says “read” scopes too.
PYFA doesnt require this approach because they use an authentication proxy outside of the application itself to resolve it. They also provide the ability to add your own dev credentials if desired.
Beyond that, any real changes to how the OAuth methods are done on desktop apps will require changes to how EVE itself does OAuth. No one in their right mind would willingly expose their game account to malicious-use consequences if there’s ways to avoid it.
Version 4.0.1 has been released, with updated links in the original post.
This release, while still in beta, focuses on bug fixing and has quashed several issues including duplicate skill notifications, missing industry jobs, and some errors during character profile updates. In addition, the automatic updater is now active and will notify users running 4.0.1 or later when a new release is available.
My attributes are counted as if I have 2x my current implants. My base perception is 24 and I have a +4 plugged in so it should be 28 for perception, but its being displayed at 32 so its 2x +4. All my attributes are showing like this, so my skill plans time are skewed. http://prntscr.com/jkbbjs
Apparently you did not understand my main points. But I am happy to summarize them again for you: The current approach is not very user friendly (as the many questions on this thread can attest) and unnecessary (as examples like pyfa show).
Technically true, but I am pretty sure you can build your app in a way that the client secret is sufficiently protected.
Incorrect. Not all approached require a web helper part.
see 2
Again you are incorrect. The guide actually asked the user to add ALL scopes starting with ESI. That includes the write scopes.
yes, using an authentication proxy or web helper would be a better solution, as the pyfa example shows.
I fail to understand what you are trying to say with your last two sentences. Maybe its just me, or those sentences make no sense. Can you re-phrase please?
The attributes endpoint comes with the implant values already counted so guessing it’s just accidentally adding on the implants again. Maybe it was different for the xml api
By CCP’s own admission, it is not yet possible to have SSO and this OAuth stuff without either a dev version or the pyfa approach of a web proxy for the client secrets for a standalone application.
Would you please produce a screenshot where it shows Write permissions? I cannot see it in my third party application request list for EVEMon. If there is write access within read requests and CCP does not show them, then CCP screwed up. Speaking of which, when I expand the read requests on the TPA page, all categories are blank. Aren’t there supposed to be explanations of what each request does when you expand them?
Out of curiosity: Which scopes do you believe are not necessary in an app like EVEMon?
As for 5: No, it would not. Or are you going to pay the dev real money to host that server? Relying on that only means the app will shut down as soon as the dev cannot sustain the cost for that server any more or yet another new dev has to take over because the old dev cannot invest time into the app any longer and the new dev cannot or does not want to invest money for a server.
I’ve tried several different developer apps on several different paid (with irl money) accounts yet everytime i load evemon I get a bunch of ‘failed to login to eve sso’.
I’ve gone through the guide about 20 times, everything is correct. I thought it might have been my networking but even with both piholes disabled it’s not working. No characters show wallet update, several stay (cached) for hours. The account that’s setup with the developer app updates skills (but not balance).
Is anyone else running into this or is it just me? I have no other firewalls or AV stuff setup that might block it.
Apparently CCP has not yet implemented PKCA which would allow a secure implementation of Oauth 2 for a desktop app without needing a web helper app.
Here is a screenshot from the current guide on how to setup your app for evemon. As you can see it asks for adding all scopes starting with esi. that includes all scopes with write access. (one is even shown in the example: esi-mail.organize, which allows an app to delete mail).
Only the scopes that are really needed by the app should be requested as its good practice for all Oauth apps. So I would only include read only scopes for the character, I would exclude corp related scopes and all scopes with write access. also some scopes will not be used and should be excluded, e.g. esi-characterstats-read. Its a long list though and I doubt the ordinary end user will make the effort to pick them out one by one.
We have a lot of people that are running web servers with Eve Online apps. If Peter is not already running his own web server, I am sure you could find someone to host the needed web helper app.
I still do not see write access. If you can read and write in a read access scope, that’s a CCP screw up. Funny, indeed: On the Dev App creation page you have things listed like esi-fleets.write_fleet.v1 or esi-ui.write_waypoint.v1, which I activated as per instructions, but on the third party application page the only scopes listed are exclusively read_xyz. So … Good job, CCP?
What can EVEMon do with write_xyz things that are not listed on the third party page listing all the scopes? Thinking about it, the requested scopes in the dev version are just there so that people don’t have to sift through all the read and write scopes when you create the dev version, but the program itself only asks for read scopes as the third party application page suggests.
OAuth2 does not need a webserver to handle the requests. If you use an embedded browser you can monitor the URL it is navigating to until (just before the final redirect the token shows up (and if it happens just close the browser). This is handy for apps to get rid of external webbrowsers and firewall issues.
Besides that, setting up one EVEMon app makes scopes and registration easier. As long as you do not request more that is setup you can very nicely combine scopes tailored for each EVEMon tab together.
You do not need a web helper app, when using a embedded web browser tracking the url it navigates to is enough. The last url (when it tried to do a redirect to contact the web helper app you mentioned) it will already contain the token you need. A redirect to localhost is fine. Just close the embedded browser when you see the token appear in the url.
+1 to this, got something similar. My Character Sheet updated when adding the character but not since. Docked in Jita. Skill queues seem to update erratically too, dunno if that’s on the same thing.
I seem to be having problems with the program thinking I have skills trained that I don’t actually have trained, which means my training times in the skill queue are either going into the negatives, or showing up as (none).
EDIT: I checked the settings.xml file, and the skills in question are listed as being level 0, so I think it might be an issue with EVEMon parsing the file properly.
for fixing Indy jobs.