Good post, however a few questions. I am trying to make Steemit popular at my place by taking some initiatives. Would that qualify to be a contributor report?
Also when I tried to log in it asks: Do you want to authorize the Steem account @utopian.app to use your posting role?
However when I say Yes, it asks me for the owner, active key or master password. Why is that so? If it is going to just use the Posting role, then why is the owner, active key or master password required? And what are the implications of providing these? Potentially someone can transfer using these keys.
Hello @sanjeevm.
Sure, running initiatives to make Steemit more popular is exactly the kind of contributions you can post on Utopian. You will post on Utopian for example once one of your initiatives is done and write about how you made this initiative, how many people joined, where it was taken, the results, etc.
Utopian uses Steemconnect, that's maintained by Steemit. Utopian never gets your credentials nor does it store them anywhere. It is totally safe. You can use the transfer capabilities to support other contributors on Utopian, but Utopian will never be able to do that without your authorisation.
Let me know if you need any help!
When we provide the active key to authorize, will it not get stored in Utopian? Or is it just to authorize once, and then I can change the key?
I am worried not to share the active key, because anyone can transfer using that key, if it gets exposed.
@sanjeevm absolutely no. Utopian does not store your key. Utopian cannot even see your key. When you log in you are using steemconnect. Steemconnect acts as authentication service and just tells Utopian if the login was successful or not. All the actions are then broadcast through Steemconnect. Utopian knows nothing about your credentials but only who you are on Steemit. In addition Utopian and Steemconnect both use https, the data is encrypted and cannot be read from outside.
I will have to read a bit about steemconnect then. For a quick clarification, if I change the key, after I give permission to utopian, then will it still work?
And why can't you take only the posting key?
Hey @sanjeevm read this comment from the maintainer of SteemConnect V2 and CEO of Busy.org. Everything is well explained there: https://steemit.com/dtube/@elear/18wkyxfc#@ekitcho/re-leprechaun-re-elear-2017108t1638208z-20171008t195118203z
It sounds to me like you will be sent to steemconnect for login and steemconnect will use your keys on behalf of utopian.io. Steemfiles.com and busy.org do this also but only ask for your private posting key. Neither of these sites see your posting key but the software on busy.org can get steemconnect to vote on your behalf, and to post. That is how busy.org works. Steemconnect should give you a dialog of permissions. If you don't trust steemconnect with your active key, don't give it. If you do not trust utopian.app with your money, don't give it permission.
@leprechaun funny thing is Utopian is based on the new version of Busy.org. SteemConnect V2 is the next release of SteemConnect that is also supported by Steemit. https://v2.steemconnect.com. Soon Busy.org will also be implementing the V2 version. Utopian is actually using a better version of SteemConnect than Busy.org does at the moment. I gave you more info on the comment below. Thank you
I don't call it "better". If this is where things are going, I might as well give users the option of logging in to steemfiles.com directly with their posting key when they retire the version Steemfiles uses.
SteemConnect 2 will allow some specific apps to take only Posting keys. For example Steemit.chat will be able to allow login with Steem posting key using Steemconnect 2, the team is working on it. It's possible to do that because Steemit.chat doesn't need to post or upvote any content. (No delegation needed = No active key required)
But for any website like Steemit, Busy, Chainbb, and Utopian, it's not about sign-in, the active key is required to delegate your posting authority to the app account. You can revoke this authority anytime, using the steemconnect dashboard.
That's why there is no key storage in SC2, everything happens in the browser in a secure way. It only requires your active key once in the browser, to delegate your posting authority to the app.
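An added example, not part of the thread and not SteemConnect's own code: a way to check which apps hold delegated authority on an account and at which role, and to build the posting authority with one app revoked. The account object is a constructed sample shaped like the `owner` / `active` / `posting` authority fields of a Steem account; the account name, key strings and function names are placeholders.

```javascript
// Constructed sample shaped like the authority fields of a Steem account
// (each role has weight_threshold, account_auths and key_auths).
// The account name and public keys are placeholders.
const sampleAccount = {
  name: "alice-example",
  owner:   { weight_threshold: 1, account_auths: [],
             key_auths: [["STM_OWNER_PUBKEY_PLACEHOLDER", 1]] },
  active:  { weight_threshold: 1, account_auths: [],
             key_auths: [["STM_ACTIVE_PUBKEY_PLACEHOLDER", 1]] },
  posting: { weight_threshold: 1,
             account_auths: [["utopian.app", 1]], // the delegation discussed above
             key_auths: [["STM_POSTING_PUBKEY_PLACEHOLDER", 1]] },
};

// List every account allowed to act for this one, per role. A grant is
// flagged risky when it sits above the posting role and its weight alone
// meets the threshold, because active/owner can move funds or change keys.
function auditDelegations(account) {
  const findings = [];
  for (const role of ["owner", "active", "posting"]) {
    const auth = account[role];
    for (const [grantee, weight] of auth.account_auths) {
      const canActAlone = weight >= auth.weight_threshold;
      findings.push({
        role, grantee, weight, canActAlone,
        risky: role !== "posting" && canActAlone,
      });
    }
  }
  return findings;
}

// Return a copy of the posting authority with one app removed (revocation).
// Applying it on chain means an account update signed with the active key,
// which is why that key is asked for; nothing is broadcast here.
function withoutPostingGrant(account, app) {
  return {
    ...account.posting,
    account_auths: account.posting.account_auths.filter(([name]) => name !== app),
  };
}

console.log(auditDelegations(sampleAccount));
console.log(withoutPostingGrant(sampleAccount, "utopian.app"));
```

Changing the account's own keys leaves `account_auths` entries in place, since they name the app account rather than any key of the user.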
@ekitcho I see many doubts and many Steemians are simply not using external apps because they don't want to give out their credentials or they don't fully understand how it works. I think there must be a clear explanation about this. I'll probably write a dedicated post but my readers are limited. Something should also come from your side or Steem itself to make the process very clear for newcomers and early adopters.
@jerrybanfield this is also material for you. A post about this would be extremely helpful.
That's great. I see no reason not to upgrade to v2 when users can use the posting key to login.
As far as I understand the SSL, we can do the same thing through any https client, it need not be a browser only. The point to catch is that, you don't save it in SC2, so that should be all good.
I will have a look at the API in more details soon.
@leprechaun the problem is, we must have a trusted third party service for managing the auth process, so as to avoid dangerous external apps being allowed to request the user credentials. Who's better than Steem itself? The first version of SteemConnect is a Busy.org product. SteemConnect V2 is managed also by Steem itself.
I am a programmer and know steemjs and steem/python. Most people already trust Steemit js and backend code not to save the keys on the server in an irresponsible way. I guess it does not even go to the server. It does not need to. If I can point to @ned saying they manage SC2 I think I can put users at ease. And yes users don't typically understand the keys never go to the servers of Steemfiles.com.