Use Ubuntu SSO authentication and store authentication-key

My understanding was that it is using OAuth, but you're certainly right that it's not storing the authentication key

This is annoying enough that we should try and solve it at the least by saving the credentials. If possible it would be nice to grab the credentials directly since it's SSO, and the creds likely exist if the user installed from the store.

I'm not sure there is a way to solve this without opening us up for a security nightmare. There is nothing that we can store that isn't sensitive (i.e. having the authentication token is pretty much the same as having the credentials) and anything that we can safely store is either one-off (and useless after that) or public anyway.

We could potentially utilise something like gnome keyring to store the creds, but then we still need to ask for a password for that (and then probably the OTP).

Is it that annoying to get people to authenticate each upload? If it is, perhaps we could investigate just removing that requirement.
It does mean opening ourselves up to more potential spam though (we could probably cull that, ensure that the upload at least makes sense.)
This option would ease the development in checkbox (i.e. no OAuth req.) but on the same token it would seem a waste to have put that work into it to drop it (although, sometimes the best thing to do is drop existing good work).

I disagree that storing the authentication token is pretty much the same as storing the user credentials. The Authorization token will allow an attacker to only login to a user's account while the username and password is more serious since users tend to use the same password for different accounts and so storing the password (plain text or encrypted) is a much more serious security issue. I believe other apps that use OAuth safely store the authentication token since users generally have the power to disable authentication tokens easily using their account security options.

Pilot has shipped with the ability to remember the users email address between runs. This makes it less painful, but still not ideal.

I'm marking this as 'In progress', as both Christopher and I worked on this and this case is still not done.
There was a discussion about how should we deal with importing python oauthlib that might not be present on the target system.

After evaluating idea of packaging all required dependencies for Precise and Trusty, we're back to the strategy of conditionally importing oauthlib and providing the OAuthTransport only when the import was successful.