Where is the oauth_verifier ?

[Bjorn Tipling]

I'm not seeing it. I'm following the specifications as outlined here:

http://tools.ietf.org/html/draft-hammer-oauth-10#section-2

and here:

http://oauth.net/core/1.0/#anchor9

I have Application Type set to "Browser"

callbackURL set to my callbakck URL

Everything seems to work up until the user clicks "Allow" Once the
user clicks "Allow" all the callback gets is the oauth_token, I don't
see an oauth_verifier.

How do I get this? What am I doing wrong? "oauth_verifier" is not in
the GET path it's not in the POST body. The only actual POST is when
the user clicks the "Allow" button and that sends a POST to twitter
with an authenticity token and the oauth token but no oauth_verifier
anywhere. It's no where. And it's required. What is going on?

[Taylor Singletary]

Hi Bjorn,

This is one area where we aren't spec-compliant but would like to move
to compliance in the near future. Under OAuth 1.0a, we should be
returning an oauth_verifier to you in the callback for the
authorization step, regardless of the type of authorization you are
performing. Today, we are not. Similarily, we only expect the
oauth_verifier to be present on the access_token step for applications
that have indicated the desktop "PIN code" flow (where the verifier is
hand-entered by the user, then passed as part of the access token
exchange step).

In the future, we'll look into a non-invasive way to phase requirement
of the oauth_verifier for all access token requests, regardless of
desktop vs. web status, as the spec dictates.

Taylor

[Bjorn Tipling]

Oh I see, I didn't even try to get access once I saw there was no
oauth verifier but after looking at some of the other samples I see
they don't expect an oauth_verifier. Works without using an
oauth_verifer.

Got it. Guess we'll have to fix our implementation when you guys
support this part of the spec.

Thanks for the quick reply.

On Apr 6, 2:24 pm, Taylor Singletary <taylorsinglet...@twitter.com>
wrote: