You are viewing a single comment's thread from:
RE: [security] Misuse of Steemconnect login (shouldn't ask active key for every login)
@steem-ua is such a good example. https://steem-ua.com/ has a function to show your UA score that requires login with your posting key.
This is the login scope on the steemconnect's oauth implementation, which you cannot do anything (like broadcasting transactions) with the access token you have with that flow as an application developer.
Overall, I understand the frustration, though. Steemconnect behaves like a SSO solution there, if you have already logged in with Steemconnect and already set posting authorities, it doesn't actually ask active key. (Instead just sends the access token to the app, and don't bother the user asking the keys, again)
Probably, we will have a better implementation in the upcoming version of Steemconnect.
Thank you so much for your reply. Yes I understand the logic, but as you said, you know what's my main point. steem-ua.com is an example for the workaround. If you log in steem-ua.com with a posting key, then you can log in dpoll and use it! for instance. This means that users should be able to log in dpoll with posting key (if they already authorized the posting right, of course). This is the main point.
In any case, there should be an easy way for apps to allow users to log in with posting key afterward when the session is expired, or with new browsers or whatever. Hope SC3 will resolve this problem. Thanks again!