Hi Square team!
First of all, terms I’m going to use:
Barber - Square customer, who use Square for making appointments, payments, etc.
MyService - the service I’m trying to make. Shortly - improved appointment service. Barber should be able to let MyService use limited amount of API calls using the OAuth PKCE flow.
AnotherService - another 3rd party service Barber use wIth OAuth PKCE.
If I want to make MyService work, I need a Barber to provide an access through the OAuth flow, using the oauth2/authorize link I provide. To make it flexible and safe for all of us I want to use PKCE flow. As far as I can see, there are couple of requirements:
- Barber must add Redirect URL in his Developer Account.
- The Reirect URL, entered by Barber, must match the
redirect_uriin theoauth2/authorizelink I provide to Barber.
Mostly Barbers don’t have their own websites and they are not software engineers. Let’s suppose they don’t understand what is Redirect URL at all. But they clearly understand the message (about the list of permissions they are going to provide to MyService) they see, when they tap the auth link, because it is understandable for anyone.
So, keeping all this stuff in mind, I have coulpe of questions:
- It turns out, to get an auth code, as a 3rd party service, I need to ask Barber to add MyService website URL, to the Redirect URL in their Developer Account. Or I need to use some tricky ways with internal browsers or something like that, to catch the redirect URL with auth code. It is wierd, isn’t it? Would you go to the Facebook dev account and would you add someone’s redirect URL to sign up to someone’s service with Facebook?
- What can we do if Barber use AnotherService and Barber has already entered AnotherService website as a Redirect URL?
This looks very unflexible and counterintuitive. Let’s just remember how Facebook/Twitter/any OAuth works:
User see the “Login with (something)” button.
User click it.
User enter login/password.
User see the list of data is going to be shared.
User press Allow.
Done.
Looks like it is supposed to be the same flow, but it isn’t. The requirement #2 I mentioned basically kills all flexibility and actually doesn’t make the proceess more safe. What do you think about this? Maybe I am wrong or missing something?
