Pop-out OAuth2 flow to trusted browser

Pop-out OAuth2 flow to trusted browser instead of putting it inside a webframe within the app which can be spied if Gitter was malicious.

An important facet of OAuth2 authorization code and implicit grants is that the user agent that serves as transport for the authorization must be independent of the client, and must be trusted by the end user. It is possible for a user agent to mislead the user about whether their credentials are being stored or transmitted to an unintended location, and a user agent could also give the OAuth2 server false input to the authorization prompt.

The Gitter Desktop app has no need to demand that level of trust from its users. Instead, the Gitter app should rely on the operating system to invoke the user's preferred web browser to serve as transport for the authorization. Anything less is a misuse of OAuth2.

ref, https://gitter.im/gitterHQ/gitter?at=59d3dccdb20c642429bb7734

Workaround

See https://gitlab.com/gitlab-org/gitter/desktop#manually-sign-inauthorize

Edited Apr 29, 2019 by Eric Eastwood