oAuth passthrough


Scott Herbert

Apr 26, 2011, 4:01:22 PM4/26/11
to Twitter Development Talk
I'm sure this has been asked thousands of times, but I can't locate
where so I'll ask it anyway.

I'm in the early stages of implementing a web app which uses Twitter
(and Facebook) as authorising agents for the user to login. There is
currently (currently in the design) no direct user login (i.e. no
username/password combo for my site) just authorisation via the two
largest social media sites.

This is done in order to simplify the sign-up process (three clicks and
you're signed up, one and you're logged in, and no additional password to
remember) and add to the site's security (FB and Twitter's security
systems are better than I could design).

As I say I'm in the early stages, but I thought it's prudent to think
ahead and so I was brainstorming an API (what data could I expose to
third parties, could I take payments/sales and make payments etc.) and
hit a snag.

Since I'm not allowing users to have their own passwords for the site
and all logins are via OAuth (I don't know if FB calls it OAuth, but
the workflow's the same), how do I allow third parties to log users in?

I can't provide them my tokens (even I'm not that insane), and I've
got a feeling using my server as a proxy to pass the OAuth data back
and forward would be against the rules (or just not work), as it feels
like something I would ban to prevent phishing.

So how do I allow users to log in to my site via Twitter (and for a
bonus point Facebook) using third-party apps (mobile, desktop, web
etc.)?

Thanks in advance

Taylor Singletary

Apr 26, 2011, 4:32:35 PM4/26/11
to twitter-deve...@googlegroups.com
Hi Scott,

There's an extension to OAuth that our team developed for this purpose -- while it's not incredibly wide-spread, it's a viable way to defer credentials.

Check out http://dev.twitter.com/pages/oauth_echo -- the docs are very Twitter-centric in this case, but the model can really be generalized to any API that has a distinct credential validation method (and even if it doesn't, you can piggy-back onto an alternate method).

@episod - Taylor Singletary



--
Twitter developer documentation and resources: http://dev.twitter.com/doc
API updates via Twitter: http://twitter.com/twitterapi
Issues/Enhancements Tracker: http://code.google.com/p/twitter-api/issues/list
Change your membership to this group: http://groups.google.com/group/twitter-development-talk

Scott Herbert

Apr 27, 2011, 6:48:47 PM4/27/11
to Twitter Development Talk
Thanks, that looks exactly like what I was looking for.

On Apr 26, 9:32 pm, Taylor Singletary <taylorsinglet...@twitter.com>
wrote:
> Hi Scott,
>
> There's an extension to OAuth that our team developed for this purpose --
> while it's not incredibly wide-spread, it's a viable way to defer
> credentials.
>
> Check out http://dev.twitter.com/pages/oauth_echo -- the docs are very
> Twitter-centric in this case, but the model can really be generalized to any
> API that has a distinct credential validation method (and even if it
> doesn't, you can piggy-back onto an alternate method).
>
> @episod <http://twitter.com/episod> - Taylor Singletary
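The OAuth Echo model Taylor points to works by having the third-party client send the site two headers: the provider's credential-validation URL (X-Auth-Service-Provider) and the OAuth Authorization header value the client signed for that URL (X-Verify-Credentials-Authorization); the site then replays that Authorization header to the provider and trusts the user record it gets back. The example below is added here and is not code from the thread or from Twitter; the allowlist, the injectable `fetch` function and the sample headers are assumptions. The check that matters for the phishing worry raised in the question is that the site only ever echoes credentials to a provider URL it already knows, never to whatever URL the client supplies.

```python
import json
import urllib.error
import urllib.request
from urllib.parse import urlparse

# Constructed allowlist of providers this delegator will echo credentials to.
# The path is Twitter's verify_credentials endpoint named in the OAuth Echo docs.
ALLOWED_PROVIDERS = {
    "api.twitter.com": "/1/account/verify_credentials.json",
}


def provider_allowed(url):
    """True only for a plain https URL whose host and path are allowlisted.

    Without this check a client could set X-Auth-Service-Provider to a server
    it controls and have the delegator accept any identity that server returns.
    """
    p = urlparse(url)
    return (p.scheme == "https" and p.username is None and p.port is None
            and p.query == "" and p.fragment == ""
            and ALLOWED_PROVIDERS.get(p.hostname) == p.path)


def default_fetch(url, headers):
    """Replay the signed Authorization header to the provider (real HTTP)."""
    req = urllib.request.Request(url, headers=headers, method="GET")
    try:
        with urllib.request.urlopen(req, timeout=10) as resp:
            return resp.status, resp.read().decode("utf-8")
    except urllib.error.HTTPError as e:
        return e.code, e.read().decode("utf-8")


def verify_delegated_user(request_headers, fetch=default_fetch):
    """Return the provider's user record, or None if it rejects the credentials.

    request_headers: headers received from the third-party client (assumed
    already split out of the HTTP request).  fetch: injectable HTTP function
    so the flow can be exercised offline.
    """
    provider = request_headers.get("X-Auth-Service-Provider", "")
    authz = request_headers.get("X-Verify-Credentials-Authorization", "")
    if not provider_allowed(provider):
        raise ValueError("service provider not on allowlist")
    if not authz.startswith("OAuth "):
        raise ValueError("expected an OAuth Authorization header value")
    status, body = fetch(provider, {"Authorization": authz})
    if status != 200:
        return None  # signature or token rejected by the provider
    return json.loads(body)
```

A 200 from the provider only proves the client holds a valid token for some Twitter account; the site still has to map the returned `id` to its own user record before issuing a session.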