1252
[The Guardian] There is no moral high ground for Reddit as it seeks to capitalise on user data
(www.theguardian.com)
This Community is intended for posts about the Lemmy.world server by the admins.
For support with issues at Lemmy.world, go to the Lemmy.world Support community.
Any support requests are best sent to [email protected] e-mail.
If you would like to make a donation to support the cost of running this platform, please do so at the following donation URLs.
If you can, please use / switch to Ko-Fi, it has the lowest fees for us
It's not that simple, because the third party apps ship with a single api key. So I used Relay for reddit, and used the same api key as everyone else on that app. You could create an app, and then have everyone make their own key, but that is just asking for trouble. Definitely too technical for most people, and you would probably need to put in billing info for a scenario where you go above the free-tier call limit.
update: removed the comment because I was looking at the Api docs again and it seems that despite using the bearer token, metrics and rate limiting still are based off the app client ID, which is super stupid. originally stated that rate limits would be by oauth client which would be per user, 100 requests a minute, but it is actually 100 requests per minute app wide, which is just unfeasible for large scale
Well, I don't know how the Reddit API works, but what you described is generally bad practice, as is my understanding. The Oauth token's allow the app to perform actions on the behalf of authenticated users, but they still need to use the reddit API, and I imagine an API key, to perform those actions. You generally aren't supposed to use Oauth as a access authentication mechanism.
At least pricing is per Oauth key, but still, the pricing burden is still going to fall on the developers for these apps who reddit now views as their "competitors", despite making a product that supported reddit's business for years.
Oauth 2 is an authorization standard, that's basically what it is meant for. It's intended to be used as a identification system for a client to be able to tell a first party hey I'm me through the usage of a third party without ever giving the third party to have your password.
Discord, Facebook/Meta, Google(most services), Soundcloud, all those use Auth 2 based API's, oauth 2 is used basically everywhere for the same focus that Reddit is trying to do
Like you said it can be dangerous if you authorize a third party app with more scopes then needed(scopes help restrict what the app can do on your behalf), honestly I'm willing to bet that rif and Apollo both used the oauth2 API at least in some part, otherwise I don't think it would have been able to allow you to upvote or downvote posts or post comments as you. A good way to tell if it was using it or not is if you had to login and it brought you to a page that said authorize this app with Reddit, if it showed that you were using oauth 2
I haven't personally had to use the Reddit Api I've only skimmed it myself(I was looking into it then the whole bombshell happend and I bailed), but I have to use the Discord API daily with developing my Discord bot and with the Discord API once you have the bearer token every form of authentication with that specific user goes through that token instead, it's really only used for the website settings page though anything actually on the client itself still uses a standard bot token
Also I fully agree, Reddit has shown that it has no respect for the third parties on the platform so I fully expect just going to get worse, they wern't planning on negotiating price, they set it that way to force third party out