Sunday, March 3, 2013

Temporary scope access in OAuth 2.0 - Does it still exist?


So I was playing around with Asana this morning (still haven't gotten a great todo list system working so if you have recommendations there feel free to share) and noticed that they recently released an Android app. I figure that having a mobile app on my phone might make it more useful to me so I go and download it.

On first run I go to log in with my work account and it pops up an OAuth confirmation page. All good here so far: it asks for my e-mail address, basic profile information, and ability to manage my contacts. Wait, hold up. I don't like the idea of handing off my contact information (work has gotten a bit paranoid with contact info anyway since we had someone sign up with LinkedIn on a work e-mail and spam the entire contact list). So I hit no thanks, and the application hangs. Swell. (I'll point out that the application itself doesn't request access to the device's contact list).

So I decided to research why it wanted this contact list information. I can see it being useful once, to populate a team contact list to get started, but on an ongoing basis it seems like overkill. Long story short, Asana seems to be using the OpenID + OAuth hybrid method to handle authentication and resource authorization in a single call. While I can agree that this is better for the user experience, I think demanding permanent access to the contact list during sign-up and login is a huge privacy concern.

Now, for those that don't know: in OAuth 2.0, access tokens are meant to be short-lived. They carry an expiry, and once it passes they are useless. When that happens, an application can obtain a new access token using a separate, long-lived "refresh token" (RFC 6749, section 6), which the authorization server issued alongside the first access token and which carries the full set of scopes the user consented to. So I figure that's the solution: Asana should hold a long-lived grant only for the items it needs for authentication, and ask for a short-lived access token to the contacts scope only when the user actually wants to do something like invite people to the workspace. The problem is, I don't actually see a way for the user to specify that anywhere. The reason for this is two-fold:

First, because all the requests are tied to a single refresh token, that token must carry all of the originally requested scopes. A client may ask for a narrower scope when it refreshes, but the refresh token itself still authorizes everything that was granted, and there is currently no mechanism that lets an application split the scopes across separate tokens unless it makes two explicit authorization requests. That would prompt the user twice and makes for a poor experience.

Second, a user granting the various scopes doesn't get to choose whether that access is short- or long-lived. They get an indication that the access may be long-lived (I believe the wording on the confirmation page is "This application will be able to perform these actions when you are not logged in" or something similar), but it isn't the clearest notice and it's non-optional. A user's only choices are to accept it, or to deny the access and not be able to use the application.
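To make the token mechanics above concrete, here is an added example written for this page; it is not Asana's code, Google's, or any real OpenID + OAuth hybrid implementation. It is a toy OAuth 2.0 authorization server that issues a short-lived access token together with a long-lived refresh token carrying every consented scope, lets the client refresh for a narrower scope (as RFC 6749 section 6 permits) while rejecting a broader one, and revokes the grant. The scope names, lifetimes, and token formats are assumptions chosen for the illustration. It shows both points made above: the refresh token always authorizes the entire consented scope set, and the only lever for narrowing it sits with the client, not the user.

```python
"""Toy OAuth 2.0 authorization server: scoped access and refresh tokens.

Added illustration for the post above; not Asana's or Google's code.
Scope names, lifetimes and token formats are assumptions.
"""
import secrets
import time
from dataclasses import dataclass

# Assumed scope names (not the real Google/Asana identifiers).
SCOPES = {"email", "profile", "contacts"}
ACCESS_TTL = 3600              # seconds: access tokens are short-lived
REFRESH_TTL = 30 * 24 * 3600   # seconds: refresh tokens are long-lived


@dataclass
class Token:
    value: str
    scopes: frozenset
    expires_at: float
    revoked: bool = False

    def expired(self, now):
        return now >= self.expires_at


class AuthServer:
    def __init__(self):
        self.access = {}    # token value -> Token
        self.refresh = {}   # token value -> Token

    def grant(self, requested, now=None):
        """User consent step. The refresh token carries the *whole*
        consented scope set; the user gets no short-vs-long-lived choice."""
        now = time.time() if now is None else now
        scopes = frozenset(requested)
        if not scopes <= SCOPES:
            raise ValueError("invalid_scope")
        at = Token(secrets.token_urlsafe(24), scopes, now + ACCESS_TTL)
        rt = Token(secrets.token_urlsafe(32), scopes, now + REFRESH_TTL)
        self.access[at.value] = at
        self.refresh[rt.value] = rt
        return at.value, rt.value

    def refresh_access(self, refresh_value, scope=None, now=None):
        """RFC 6749 section 6: a refresh may request a narrower scope than
        the original grant, never a broader one. Returns a new access token."""
        now = time.time() if now is None else now
        rt = self.refresh.get(refresh_value)
        if rt is None or rt.revoked or rt.expired(now):
            raise PermissionError("invalid_grant")
        scopes = rt.scopes if scope is None else frozenset(scope)
        if not scopes <= rt.scopes:
            raise PermissionError("invalid_scope")
        at = Token(secrets.token_urlsafe(24), scopes, now + ACCESS_TTL)
        self.access[at.value] = at
        return at.value

    def authorize(self, access_value, needed, now=None):
        """Resource-server check: token known, unexpired, and carries `needed`."""
        now = time.time() if now is None else now
        at = self.access.get(access_value)
        return (at is not None and not at.revoked
                and not at.expired(now) and needed in at.scopes)

    def revoke_refresh(self, refresh_value):
        """What the user can do today: kill the whole long-lived grant."""
        rt = self.refresh.get(refresh_value)
        if rt is not None:
            rt.revoked = True


if __name__ == "__main__":
    srv = AuthServer()
    at, rt = srv.grant({"email", "profile", "contacts"}, now=0)
    print("contacts allowed now:", srv.authorize(at, "contacts", now=0))
    later = ACCESS_TTL + 1
    print("contacts allowed after expiry:", srv.authorize(at, "contacts", now=later))
    narrow = srv.refresh_access(rt, scope={"email", "profile"}, now=later)
    print("narrowed token reaches contacts:", srv.authorize(narrow, "contacts", now=later))
    print("but the refresh token still covers:", sorted(srv.refresh[rt].scopes))
    srv.revoke_refresh(rt)
    try:
        srv.refresh_access(rt, now=later)
    except PermissionError as e:
        print("after revocation, refresh fails with", e)
```

The narrowing on refresh is a decision the client makes for itself. Nothing in the exchange lets the user say "contacts only for this one action"; the refresh token keeps the full scope until the user revokes the whole grant, which is exactly the trade-off the post complains about.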

In the end, I decided to revoke Asana's rights on my account which I had been using on the desktop. I was only really experimenting with it and while it seems useful at this point my higher priority is on data security. Hopefully in the future, I won't have to make a choice between the two for Asana or any application.

If you agree with me that this sort of thing can be a problem, I'd love to hear from you in the comments.

Saturday, April 7, 2012

Papermill Review

This week, after being goaded by a linkbait-esque article on The Verge about how Android users aren't willing to buy premium apps, I decided to put my money where my mouth is to support my ecosystem of choice. I grabbed Papermill, the app in question, off Google Play for a few bucks and spent an inordinate amount of time fiddling with PayPal to set up an Instapaper subscription to go with it. For those that don't know, Papermill is a client for the Instapaper service, which lets you add full length articles to a queue to download and read at your leisure; indispensable when you run into as many articles a day as I do. In this small *cough* review I explain my initial impressions, go over some weaknesses of the app, and then explain why I feel the app is still worth it overall.

After downloading the app, logging in, and letting it sync (it displays a bunch of "Did you know that...?" style trivia as it does which is a huge plus for me) this is what I was shown.


The things that struck me immediately were the logo and the halo design. Ryan Bateman and Matt Legaspi certainly took the time to study the design guide and come up with something clean and slick. Here are some more screenshots of articles being read (you can double tap to make the chrome go away, and they get points for the simple prompt which explains that to you).


I had no issues at all reading the font and I think they picked a good one to start off with, although I'll be the first to admit that I don't know a thing about typography. To someone who cares, this font could be horrid. I doubt that's the case though. The articles I read were clear and had images downloaded with them. Images! For anyone used to reading articles on the subway, you know how much of a rarity that can be. I was feeling pretty confident in my purchase, $7 in all up to this point, until I attempted to shortcut navigation to the next article. 

Nothing. No new article, no little blue haze to show me I was at an edge, nada. You see, I've gotten used to using Google Reader to read syndicated articles on my commute to and from work and if I'm just not interested in an article I just swipe! and I'm presented with a new one. That's been my experience with most reading apps, so I was shocked when this one didn't follow suit. I later discovered that you can swipe to move between the main sections of the app (Unread, liked, archived) but not being able to do it between articles is an oversight. You're going to be going from one article to the next far more frequently than from one section to the next. I'd even be satisfied with going to the next article by hitting the archive button, but that brings you out to the main list again as well.

I was also a little let down when, after a full work day's worth of queuing articles, they weren't ready on my phone for me to read on the subway home. Since the tagline on the app's page mentioned using the best of Android's platform features I was doubly shocked to find that there was no background sync. To be fair, there is a daily sync feature where it will pull down all your articles once a day, but I'm not sure that will cut it for any but the most relaxed readers. Perhaps I am the odd one out here, and everyone else prefers that the Instapaper queue is delivered once a day like a personalized newspaper. If that's the case, let me know! But I think an hourly background sync would be reasonable, and you can set it to do it on wifi only if the user is paranoid about data caps.

There are a couple of other minor issues as well, some are bugs and some are things which just aren't as "nice" as they could be. Offline archiving isn't working at the moment, which is most certainly a bug. It shows up on the device as being archived until you get a data connection again and sync, at which point they all jump back into the unread pile. The menu button on tactile phones doesn't bring up the menu either, and it's not that hard to make it do so. It's a nice to have for people who have been used to using the menu button for so long.

The use of intents could be a little better as well, in both directions. When sharing a block of text out it works marvelously, but a little attribution link would be a kindness too.

The selected text is shared with no problem, but a link to the original source would be decent and proper.

When using the "Share" intent to move content into Papermill (which adds it to your Instapaper queue as well), it works fine in the browser, or anywhere the shared text is a link to the content and that's all. Unfortunately, the first time I attempted to use it was on a tweet with the intention to queue the linked article, and that didn't end up working. I realize that this is fine, and that other Instapaper clients work the same way, but a) a message saying it didn't work would be nice and b) the ability to parse out the links of a tweet and add them to the queue would be a huge differentiator!

Given the message, you'd think this works. Sadly, it doesn't (yet).

Overall, I still think that this is a good application. It serves a good purpose, does so cleanly, and they are upfront about their goals: they want to design the best application they can for Instapaper on Android, and be damned about the profits of the ad-supported route. You have to admire that! Ryan Bateman admitted that he went into this eyes wide open in his overview of the first few weeks of sales, and he wasn't off the mark when he assumed that people weren't ready for that higher price. While I think there is still a group of people that will only ever pick up the free or 99 cent apps (they are on iOS too people, so don't think Android is the only market with cheapos!), I don't think that is the only reason that Papermill isn't selling. I think it may have launched early, missing some of the polish and UX flows that people are familiar with on Android. However, given the goal of the team (remember, they weren't expecting to make money off it and they still built it) I have no reason to believe that it won't reach that level of quality that they are striving for. And if they keep up the rate of updates, it isn't going to take them long. 
I think the picture they chose for the about page says it all. It's a high quality shot, properly focused on Android, and it showcases the fun nature of the platform and its users. The app might not be "there yet", but the team behind it is. For me, that's all that matters. Supporting passionate Android developers is worth the cost of a latte. I recommend doing the same.

Friday, February 17, 2012

30 Day Sharing Restriction Challenge Summary

Because it was a AQ (I'd like to put FAQ, but I'd be lying) here is a list of the posts I shared during the challenge:


  1. Facebook - post describing the challenge
  2.  
  3.  
  4.  
  5. Twitter - congratulating/cheering on Jason Kaplan and Laura Pellow on their one year anniversary
  6.  
  7. Twitter - replying to Jeff Cho explaining why I had been so quiet lately
  8. Twitter - post directed at those fear-mongering regarding Google's privacy policy update, warning that Microsoft had been doing it for awhile
  9.  
  10.  
  11. Google+ - initial impressions/findings of the challenge, and an apology for missing out on a hangout
  12.  
  13.  
  14. Google+ - shared the webpage for the Humble Bundle for Android, saying how without the ability to install apps from outside the app store iPhone users would never be able partake in this.
  15.  
  16. Twitter - Message to the Trello team asking about a feature to be added (turns out they already planned on adding it)

    This direct tweet made me question the category of tweets in different contexts. Unlike Google+ and Facebook, there is no dedicated channel for responses and even single target messages like the one to Trello act differently than a true share. So I polled Twitter about it, intending to delete the Trello tweet depending on the answer.
    By that description, I guess I kinda broke the rules of the challenge; I ended up having two tweets that day. However, in the spirit of the challenge, only the poll went out to everyone so I consider it okay. From this point on though, reply tweets were deemed acceptable.

  17.  
  18. Facebook - Post ranting about issues while turning on Timeline, which were eventually resolved. (private post)
  19. Google+ - A funny picture I'd found of a dog running through the snow. Also got to play with the "add text"/meme generator feature.
  20. Facebook - Shared that I formally quit Haidong Gumdo due to constraints on my time table. (private post)
  21.  
  22.  
  23. Twitter - post (fake) ranting about how our dog's fur ends up on everything

  24.  
  25. Google+ - Shared a small pic of our dog cuddling one of his toys, wishing my circles a good weekend (private post)
  26. Google+ - minor venting post about setting up Glassfish server, and wondering if it is a good idea (private post; filtered to target only my technology and development contacts)
  27. (The lack of post on Valentines Day stands out to me for some reason)
  28.  
  29. Google+ - post about Life is Crime, a mobile social game based around thug life at local buildings

Tuesday, January 10, 2012

Blogging on the go

I wrote a blog post yesterday with the Tumblr app and, aside from the fact that it didn't share to Twitter, I was very impressed with the experience.

So now I try with Blogger.

Monday, January 9, 2012

Targeted Sharing: Facebook vs. Google+

A friend of mine over on Twitter, @gojeffcho, has been auditing Google+ for the second time and asked me what I thought of it. My reply is below:
However, as Jeff pointed out, Facebook also has targeted sharing so I felt the need to classify why I prefer one system of sharing over the other. I believe that circles on Google+ better allow me to control who can and should see my content than Facebook, and that Google+ circles are more versatile and flexible as a mechanic. I'll expand more below.

First, some background on the two mechanics and how I use them. In Facebook, there are what they call smart lists. They can be created around your networks (university or city), or around who you talk and interact with most frequently. They came out after the Google+ service and were touted as a better way for most people to organize their friends (the implication being that no one wanted to put people into circles). However, the lists in Facebook I have created are as follows: Close Friends, Family, Acquaintances, Alumni, Kingstonians (used mostly for when I am actually heading to Kingston), and then everyone else I assume is in one massive list called friends.

In Google+, I have two types of circles. I have circles which denote how close people are to me, for the purposes of restricting access to personal information. These are the circles which most closely relate to Facebook: Family, friends, acquaintances, co-workers. Then I have circles based on interest, which Facebook doesn't really have a mechanism for: Tech/Developers, Torontonians, Gamers, etc. These circles are the ones I use to filter myself for the benefit of my followers.

The fact that Google+'s circles allow me to target my posts not only by familiarity but also by interest speaks to the flexibility that I mentioned above. It means that I can post my tech questions and opinions to that group without boring my family, and I can post hilarious pictures of the dog to the family without boring, well, everyone else on the planet. I have no issues with other people seeing the content, but I prefer to focus content towards them that they will appreciate. I also make sure to keep enough content public so that people I haven't filtered yet (or I haven't followed back yet) get a taste for my interests.

I anticipate two counter-points to my above arguments. One, that Facebook lists allow me to target based on content just as well as Google+ does. While this is true, there are two things that Google+ has over Facebook in this regard that make Google+ a better system for it. Namely, the ability to modify circles for any person any time their name appears in a post or on a comment and the ability to search through the system based on interest. The second counter-point is that Google+ circles don't do a very good job of filtering content since a follower can't choose the content they want (onus is on the creator).

To the second point, I must concede. It's not a perfect system by any stretch. However, I feel based on my current usage that it is both enough for my current needs and has the potential to expand further in that service. I don't feel that Facebook is even interested in raising the bar of content filtering given their preference that everyone share everything as openly as possible.

Those are my main reasons for preferring Google+'s method of targeted sharing, and that doesn't even get into my tertiary reason for using the system: being able to send e-mails with comments and pictures from Google+ to those who aren't using the system. If you have any comments or critiques, I look forward to hearing them.

A better kind of nutrition point system

Over the past two months I’ve been brainstorming ideas for startups. I’m increasingly anxious to get some of my work out into the public eye so I can really get a feel for what caliber of programmer I am.

One of those ideas is loosely based on Fitocracy, an application which uses game mechanics to encourage efficient workouts. It’s a winner because while few people know which exercises are better than others anyone can look at a points total and see how the exercises they chose measure up against someone else’s. I figured if someone can make it that easy to see which exercises you can do then there is a niche for someone to come along and do the same thing to show which food is better than others.

The goal of this system would be healthy eating as opposed to weight loss and would assign higher point values for healthier foods. The methodology of diet plans which use points like a cost is flawed. Why? People don’t like to spend things but we love to collect them: especially points!

The unique position such a service would be in would allow calculations based on what else you have eaten that day, week and month as well. Been having too much sugar from juice, for example? We can give you point penalties based on the combination of food you’ve been eating. Have you eaten a lot of really good food recently? We can reward you with badges and recognition from your friends.

Oh yeah, did I forget to mention friends? That’s another thing that traditional nutrition systems don’t take into consideration. Keeping your friends in the loop to the general status of your eating habits can let them congratulate you, or serve as a warning ;)

Obviously there is a lot to flesh out and a lot of work to be done getting proper information on food. I'm still amazed at how much work the Fitocracy team goes through to get the numbers crunched for any given exercise. But I'd still love to do it and I think it's about time I stopped wishing.

Saturday, January 7, 2012

A re-introduction

I spent some time fiddling around with a personal blog on tumblr (shawndrape.tumblr.com) but, because another blog (which I may move over here as well) was labeled as the primary blog on their system, it created some conflicts and issues that I just didn't want to deal with.

To be completely honest, I had forgotten about this blog that I started waaaay back when. I don't have many thoughts here, but I think I can put up a couple more pretty quickly within the next few weeks. I have been having many long discussions with @gojeffcho and @jasonpkaplan on Twitter about the quality of recent Zelda games (namely, Skyward Sword) compared to the older ones. As a result, I'll have material for a review/opinion piece on Skyward Sword AND Ocarina of Time to share before too long.

Otherwise, I'm just going to see where this goes. ;D