OAuth: Specify a special redirect_uri for manual token copy&paste

[palant]

My application can be downloaded and run from the file system as a regular website. In this scenario, it doesn't have a redirect_uri which could be used for OAuth - there is no trusted domain here. With Dropbox and Google Drive a special redirect URI (https://www.dropbox.com/1/oauth2/display_token and urn:ietf:wg:oauth:2.0:oob respectively) can be used which will simply show the token and allow the user to paste it into the app. With remoteStorage, no such possibility exists. Could it be added?

[raucao]

Of course you could add it to the spec. However, for your app to work reliably across providers, it would have to be a required feature.

For that to find consensus, I think the first question would be why you cannot open some kind of web view with a trusted domain of yours, like a lot of native apps do for their OAuth dance.

[palant]

For that to find consensus, I think the first question would be why you cannot open some kind of web view with a trusted domain of yours, like a lot of native apps do for their OAuth dance.

I already do that, it adds an unnecessary point of failure however. If I fail to secure my server, somebody could modify this website and make it log all tokens it receives. Is slightly less critical than with Dropbox & Co. because one would have to guess which account this token belongs to. Still unnecessary for a local application, and especially for an application that is local for the very reason so you don't need to trust any web servers.