OAuth for the iPhone: Pownce.app


If you’re one of the lucky folks who has been able to upgrade your iPhone to the 2.0 firmware (and activate it), I encourage you to give the Pownce application a try, if only to see a real-world example of OAuth in action (that link will open in iTunes).

Here’s how it goes in pictures:

[Screenshots: Pownce OAuth flow Step 1, Step 2, Step 3, Step 4/Final]

And the actual flow:

  1. Launch the Pownce app. You’ll be prompted to log in at Pownce.com.
  2. Pownce.app launches Pownce.com via an initial OAuth request; here you sign in to your Pownce account using your username and password (if Pownce supported OpenID, you could sign in with OpenID as well).
  3. Once successfully signed in to your account, you can grant the Pownce iPhone app permission to access your account.
  4. Click Okay, which is basically a pownce:// protocol link that fires up Pownce.app to complete the transaction.

There are three important aspects of this:

  • First, you’re not entering your username and password into the Pownce application — you’re only entering it into the website. This might not seem like a great distinction, but if a non-Pownce developed iPhone application wanted to access or post to your Pownce account, this flow could be reused, and you’d never need to expose your credentials to that third party app;
  • Second, it creates room for the adoption of OpenID — or some other single sign-on solution — to be implemented at Pownce later on, since OAuth doesn’t specify how you do authentication.
  • Third, if the iPhone is lost or stolen, the owner of the phone could visit Pownce.com and disable access to their account via the Pownce iPhone app — and not need to change their password and disrupt all the other services or applications that might already have been granted access.
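The four-step flow and the three properties above, as a small added model (my own constructed code, not Pownce’s or Jon Crosby’s): the app only ever handles tokens, the authorization step happens on the site, and the user can revoke one app’s grant without touching their password. Signing of requests is omitted; the consumer key, user name and the pownce://oauth/callback URL are assumptions.

```python
import secrets
from urllib.parse import parse_qs, urlencode, urlsplit

class Provider:
    """Stand-in for Pownce.com (constructed; not Pownce's real server code)."""
    def __init__(self):
        self.consumers = {"pownce-iphone"}   # constructed consumer key
        self.request_tokens = {}             # token -> {"consumer", "user"}
        self.access_tokens = {}              # token -> {"consumer", "user"}
    def request_token(self, consumer_key):
        # Step 2: a temporary token bound to the app that asked for it.
        if consumer_key not in self.consumers:
            raise PermissionError("unknown consumer")
        token = secrets.token_hex(8)
        self.request_tokens[token] = {"consumer": consumer_key, "user": None}
        return token
    def authorize(self, token, user):
        # Step 3: the user signs in on the site (the password never leaves it)
        # and clicks Okay; the site answers with the pownce:// link for the app.
        self.request_tokens[token]["user"] = user
        return "pownce://oauth/callback?" + urlencode({"oauth_token": token})
    def access_token(self, consumer_key, request_token):
        # Step 4: swap the authorized request token for a long-lived one;
        # unknown, unauthorized or already-consumed tokens are refused.
        rt = self.request_tokens.pop(request_token, None)
        if rt is None or rt["consumer"] != consumer_key or rt["user"] is None:
            raise PermissionError("request token not authorized for this consumer")
        token = secrets.token_hex(8)
        self.access_tokens[token] = {"consumer": consumer_key, "user": rt["user"]}
        return token
    def is_valid(self, token, consumer_key):
        at = self.access_tokens.get(token)
        return at is not None and at["consumer"] == consumer_key
    def revoke(self, user, consumer_key):
        # Lost phone: drop one app's grant; the password and other apps stay.
        self.access_tokens = {t: a for t, a in self.access_tokens.items()
                              if (a["user"], a["consumer"]) != (user, consumer_key)}

def parse_callback(url):
    # Pownce.app side: pull the token out of the custom-scheme callback.
    parts = urlsplit(url)
    if parts.scheme != "pownce":
        raise ValueError("unexpected callback scheme")
    return parse_qs(parts.query)["oauth_token"][0]

def run_flow(provider, user="alice"):
    # The whole exchange from the app's side; the app only ever sees tokens.
    rt = provider.request_token("pownce-iphone")
    callback = provider.authorize(rt, user)   # happens in Safari, not the app
    return provider.access_token("pownce-iphone", parse_callback(callback))
```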

Personally, as I’ve fired up an increasing number of native apps on the iPhone 2.0 software, I’ve been increasingly frustrated and annoyed at how many of them want my username and password, and how few of them support this kind of delegated authorization flow.

If you consider that there are already a few Twitter-based applications available, and none of them support OAuth (Twitter has yet to implement OAuth), then in order to even test these apps out you have to give away your credentials over and over again. Worse, you can’t guarantee that a third party will destroy your credentials once you’ve handed them over, even if you uninstall the application.

These are a few reasons to consider OAuth for iPhone application development and authorization. Better yet, Jon Crosby’s Objective-C library can even give you a head start!

Hat tip to Colin Devroe for the suggestion. Cross-posted to the OAuth blog.

4 Comments

  1. Todd said at 11am on Jul 11th

    Pownce asks Pownce if it’s OK to access itself?

  2. at 12pm on Jul 11th

    This is super cool to see in action, and I’m proud to say I was watching over Mike’s shoulders at the OAuth Summit as he put the finishing touches on the OAuth integration. ;) Go Pownce!

  3. at 12pm on Jul 11th

    Flickr uploaders do the same. The point is, you don’t know who’s making the request, so you treat them all the same.

    Still, I take your point. :)

  4. Chris Thomson said at 11am on Jul 25th

    It’s interesting to see OAuth in action in an iPhone app. The only thing I feel could’ve been done better is an integrated browser in the Pownce app, similar to the Twitterrific for iPhone app (both for opened urls and the OAuth authorization), but it’s still a seamless process.

    P.S. – Chris, when I tried to send my comment using my Clickpass account, it wouldn’t allow me to because it claimed the OpenID return to URL wasn’t in the trust root. Trust root was http://factoryjoe.com/blog/ and the return to URL was http://factoryjoe.com/blog?lots&of&params&here :)

One Trackback

  1. [...] Pownce iPhone app to a group of folks at the OAuth Summit. Following the summit, Chris Messina, Simon Willison, and others pointed to Pownce as an example of “the right way” to use [...]
