pyfa-org / Pyfa

Python fitting assistant, cross-platform fitting tool for EVE Online
GNU General Public License v3.0
1.61k stars 409 forks

Update SSO to v2 #2359

Closed. blitzmann closed this 2 years ago

blitzmann commented 3 years ago

https://developers.eveonline.com/blog/article/sso-endpoint-deprecations-2

pyfa needs to be updated to use v2 of the SSO, otherwise we risk having functioning SSO after October. I'm planning on tackling this in the next week. This should involve auto-updating refresh tokens if possible and making sure that we handle saving new refresh tokens (they are no longer static). One thing I'm not sure of is what happens when the 2-week grace period of upgrading refresh tokens comes and goes, and folks that haven't started pyfa in three weeks start it up. We'll need to make sure those cases are handled.

One thing that we should consider is incorporating PKCE. This is purposely designed for native / desktop applications such as pyfa, but it wasn't an available option when SSO first launched. Because of this, we currently have pyfa.io as a middle-man authentication proxy.

We may very well be able to accomplish this now with some static web page, hosted on something like GitHub pages. Have the pyfa SSO app redirect to this page, and that page will then post to localhost (this can give us the flexibility to continue using both "Local Server" and "Manual" Login Authentication Mode, as well as having the local server continue to use random ports which may be beneficial).

If this is not possible, I'm thinking we just scrap the manual method altogether. Looking at the data we have in pyfa.io, between 03/19 and 10/12, there have only been 385 manual login requests, out of a total of 52,227 (0.7%).
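The PKCE flow sketched in this comment, written out as an added example (this is not pyfa's own code and nothing in it comes from pyfa.io): the client generates a random code verifier, sends the S256 challenge with the authorize request, lets the redirect land on the loopback listener, checks the `state` before trusting the callback, and then stores whatever refresh token comes back with each token response, since v2 refresh tokens rotate. The `AUTHORIZE_URL` constant and the `localhost` redirect URI are assumptions for illustration, not values taken from this issue.

```python
import base64
import hashlib
import secrets
from urllib.parse import parse_qs, urlencode, urlparse

# Assumption: the EVE SSO v2 authorize endpoint. Not taken from this issue; adjust as needed.
AUTHORIZE_URL = "https://login.eveonline.com/v2/oauth/authorize"


def make_code_verifier(n_bytes: int = 32) -> str:
    """Random high-entropy verifier, base64url without padding (RFC 7636, section 4.1).
    32 random bytes give 43 characters, the minimum length the RFC allows."""
    return base64.urlsafe_b64encode(secrets.token_bytes(n_bytes)).rstrip(b"=").decode("ascii")


def make_code_challenge(verifier: str) -> str:
    """S256 challenge: base64url(SHA-256(verifier)) with the padding removed."""
    digest = hashlib.sha256(verifier.encode("ascii")).digest()
    return base64.urlsafe_b64encode(digest).rstrip(b"=").decode("ascii")


def build_authorize_url(client_id: str, redirect_uri: str, scopes: list, state: str, challenge: str) -> str:
    """Authorization request for a public (native) client: no client secret, challenge instead."""
    params = {
        "response_type": "code",
        "redirect_uri": redirect_uri,
        "client_id": client_id,
        "scope": " ".join(scopes),
        "state": state,
        "code_challenge": challenge,
        "code_challenge_method": "S256",
    }
    return AUTHORIZE_URL + "?" + urlencode(params)


def parse_callback(callback_url: str, expected_state: str) -> str:
    """Extract the authorization code from the redirect that reached the local server.
    Refuses the callback unless its state matches the one we generated, so a stray
    request to the loopback port cannot inject a code into our login flow."""
    qs = parse_qs(urlparse(callback_url).query)
    state = qs.get("state", [None])[0]
    if state is None or not secrets.compare_digest(state, expected_state):
        raise ValueError("state mismatch: callback did not originate from our login request")
    if "error" in qs:
        raise ValueError("SSO returned error: " + qs["error"][0])
    code = qs.get("code", [None])[0]
    if not code:
        raise ValueError("callback carried no authorization code")
    return code


def build_token_request(client_id: str, code: str, verifier: str) -> dict:
    """Form body for the code exchange; the verifier proves we started the flow."""
    return {
        "grant_type": "authorization_code",
        "code": code,
        "client_id": client_id,
        "code_verifier": verifier,
    }


def rotate_refresh_token(stored: dict, token_response: dict) -> dict:
    """v2 refresh tokens are no longer static: any token response may carry a new
    refresh_token that replaces the one on disk. Returns the updated record."""
    updated = dict(stored)
    updated["access_token"] = token_response["access_token"]
    updated["expires_in"] = token_response.get("expires_in")
    if token_response.get("refresh_token"):
        updated["refresh_token"] = token_response["refresh_token"]
    return updated


if __name__ == "__main__":
    # Walk through one login with constructed values (no network access).
    verifier = make_code_verifier()
    state = secrets.token_urlsafe(16)
    url = build_authorize_url("CLIENT_ID_PLACEHOLDER", "http://localhost:12345/callback",
                              ["scope-placeholder"], state, make_code_challenge(verifier))
    print(url)
    # Constructed callback as the loopback server would receive it after the redirect.
    code = parse_callback("http://localhost:12345/callback?code=CODE_PLACEHOLDER&state=" + state, state)
    print(build_token_request("CLIENT_ID_PLACEHOLDER", code, verifier))
```

Because the verifier never leaves the machine until the token exchange, an attacker who observes the redirect only learns the challenge and the one-time code, neither of which can be exchanged for tokens without the verifier; and because the stored record is rewritten on every response, a rotated refresh token is never silently lost.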

blitzmann commented 2 years ago

Because CCP can't keep their developer portal content up, here's a cached version of the blog post: https://web.archive.org/web/20211009142752/https://developers.eveonline.com/blog/article/sso-endpoint-deprecations-2

blitzmann commented 2 years ago

A note on old refresh tokens:

Since CCP doesn't allow multiple callback URLs, and we're using a new callback URL for PKCE, I'm intending to use a new pyfa OAuth application with different client ID and secret.

Because of this, the current refresh tokens will not work, since they are associated with the old OAuth client details. There is technically the "one-way" upgrade that we can do with refresh tokens to convert them from v1 to v2, however they are still tied to the old client ID and there's no way to transfer them (for good reason).

That being said, folks will start getting this message pop up after this update goes live in pyfa whenever doing something with ESI. I think it's succinct enough, but we'll want to mention it in release notes.

[image: screenshot of the message shown in pyfa]