Open aramperes opened 3 years ago
Quoting from @th0mk
We've currently made the authentication flow (logging in through a personalized link without having to redirect to a website) for Last.fm the default login flow and we're seeing good results. I would personally also prefer this flow for Wavy.fm, since it allows authorized calls, is easy to use, prevents people linking the wrong accounts and would be future-proof with rate limiting etc.
As far as I know there are two ways of doing this.
The first one is how Last.fm does it and would also be our preferred flow:
1. Application requests an auth token and creates a link for a user to log in
2. User clicks on the link and allows the application access
3. The application can check if the user has allowed that specific token and if successful can get a session token for a user (only once)
4. Login success
Or:
1. Application has a static link for login
2. User clicks on the link and allows the application access
3. The website shows a key that the user has to manually input into the application
4. Login success
Use-Case Description
Desktop auth flow is used for any non-browser-based applications, such as desktop media players and Discord bots. It may also work for mobile apps, although there are preferable flows for them.
Semantics
This can be inspired by the Last.fm Desktop Flow.
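
The first flow quoted above (token request, user approval, one-time exchange for a session), seen from the server's side as an added example; it is not part of the original issue or of Wavy.fm's code. The class and method names, the in-memory store and the 10-minute token lifetime are assumptions.

```python
import hashlib
import secrets
import time

TOKEN_TTL = 600  # assumed lifetime in seconds for a token that has not been exchanged


class DesktopAuth:
    """In-memory sketch of the token flow's server side (hypothetical names)."""

    def __init__(self, clock=time.time):
        self._clock = clock
        self._pending = {}  # sha256(token) -> {"app", "user", "expires"}

    @staticmethod
    def _key(token):
        # Keep only a hash, so a leaked table does not expose usable tokens.
        return hashlib.sha256(token.encode()).hexdigest()

    def request_token(self, app_id):
        """Step 1: the application gets a token to embed in the login link."""
        token = secrets.token_urlsafe(32)
        self._pending[self._key(token)] = {
            "app": app_id, "user": None, "expires": self._clock() + TOKEN_TTL}
        return token

    def approve(self, token, user_id):
        """Step 2: the signed-in user opens the link and allows access."""
        entry = self._pending.get(self._key(token))
        if entry is None or entry["expires"] < self._clock():
            return False
        entry["user"] = user_id
        return True

    def exchange(self, token, app_id):
        """Step 3: trade an approved token for a session, exactly once."""
        key = self._key(token)
        entry = self._pending.get(key)
        if entry is None:
            return None                    # unknown, or already exchanged
        if entry["expires"] < self._clock():
            del self._pending[key]         # expired: forget it
            return None
        if entry["user"] is None or entry["app"] != app_id:
            return None                    # not approved yet, or a different app
        del self._pending[key]             # single use: a replay finds nothing
        return {"user": entry["user"], "session_key": secrets.token_urlsafe(32)}
```

Binding the token to the requesting application and deleting it on exchange is what lets the application poll step 3 safely: a token copied from the link is useless to another application and useless after the first successful exchange.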