OAuth 1.0a changes and PIN-based authentication shipped


Doug Williams

Jun 9, 2009, 7:23:13 PM
to Twitter Development Talk, twitter-ap...@googlegroups.com
Today we deployed code that implemented the changes that accompanied the update to the 1.0a OAuth specification. LuckyCal has a great article on the subtle differences that come with the update [1] so please peruse this article if you are getting 401 errors with your implementation.

Callbacks for non-desktop apps are now supported with these rules:
- When making the call to request_token [4] (server-to-server), you can pass &oauth_callback=[url here]
- The response from request_token will contain oauth_callback_confirmed=true to confirm we received it.
- The user will be sent to twitter.com as usual
- When the user is finished they will be redirected to the URL provided in the first step along with a new parameter, oauth_verifier [1]
- The call to access_token [5] to exchange the request token for an access token MUST contain the oauth_verifier parameter as sent in the redirect.
- If you want to use your pre-configured callback, then do not include an oauth_callback parameter.
- If you want to force the PIN-based solution, send oauth_callback=oob with your request to oauth/authenticate

Additionally, as a couple of developers have already noticed, we deployed the code that implemented PINs for desktop apps originally mentioned by Matt. Please review the linked documentation [2] and discussion [5] and let us know what questions you have.

If you find that your browser-based OAuth application is returning a PIN as if it were a desktop app, then remove the oauth_callback=oob parameter from your signature, if it exists.


Thanks,
Doug

Matt Sanford

Jun 9, 2009, 8:12:45 PM
to twitter-ap...@googlegroups.com, Twitter Development Talk
Hi all,

    Quick update on this. If you're using the latest OAuth gem (v0.3.5 and above) and you don't specify an oauth_callback to the get_request_token method it will put "oob" in there for you. The "oob" stands for "out of band" and forces the PIN-based flow … probably not what you wanted. I'll talk to the gem developer about a fix for this but if you're using the gem the fix in the meantime is to pass your expected callback into the get_request_token method like so:

consumer.get_request_token(:oauth_callback => "http://yousite/yourpath")

Thanks;
  — Matt Sanford
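The exchange Doug lists above (request_token with oauth_callback, the oauth_callback_confirmed check, the redirect carrying oauth_verifier, and the mandatory oauth_verifier on access_token), together with the "oob" default Matt warns about, as an added example that is not part of either post and is not Twitter's or the oauth gem's code. It uses only the Ruby standard library. The endpoint URLs are assumed; the consumer key and secret, tokens, nonce, timestamp, redirect URL and the canned "server" responses inside demo are constructed sample values, so the block runs offline and never touches the network.

```ruby
require "openssl"
require "securerandom"
require "uri"

# Added example, not code from Twitter, from the posts, or from the oauth gem.
# Endpoint URLs are assumed; the consumer key/secret, tokens, nonce, timestamp
# and the canned "server" responses in demo are constructed sample values, so
# everything runs offline and nothing touches the network.
module OAuth1a
  REQUEST_TOKEN_URL = "https://twitter.com/oauth/request_token" # assumed
  ACCESS_TOKEN_URL  = "https://twitter.com/oauth/access_token"  # assumed

  # RFC 3986 percent-encoding as OAuth 1.0 requires: only A-Z a-z 0-9 - . _ ~
  # stay bare, space becomes %20 (never '+'), hex digits are upper case.
  def self.escape(s)
    s.to_s.b.gsub(/[^A-Za-z0-9\-._~]/) { |c| format("%%%02X", c.ord) }
  end

  # Signature base string: METHOD&enc(url)&enc(sorted "k=v" pairs).
  # oauth_signature itself is never an input to its own computation.
  def self.base_string(method, url, params)
    pairs = params.reject { |k, _| k == "oauth_signature" }
                  .map { |k, v| [escape(k), escape(v)] }.sort
    [method.upcase, escape(url), escape(pairs.map { |k, v| "#{k}=#{v}" }.join("&"))].join("&")
  end

  # HMAC-SHA1 keyed with enc(consumer_secret)&enc(token_secret); the token
  # secret is empty on the request_token call because no token exists yet.
  def self.sign(method, url, params, consumer_secret, token_secret = "")
    key = "#{escape(consumer_secret)}&#{escape(token_secret)}"
    [OpenSSL::HMAC.digest("sha1", key, base_string(method, url, params))].pack("m0")
  end

  # Constant-time comparison for the server side: no early exit on mismatch.
  def self.same?(a, b)
    return false unless a.bytesize == b.bytesize
    a.bytes.zip(b.bytes).inject(0) { |acc, (x, y)| acc | (x ^ y) }.zero?
  end

  # Server-side check: recompute the signature over the received parameters.
  def self.verify(method, url, params, consumer_secret, token_secret = "")
    same?(sign(method, url, params, consumer_secret, token_secret), params["oauth_signature"].to_s)
  end

  def self.oauth_params(consumer_key, nonce, timestamp)
    { "oauth_consumer_key" => consumer_key, "oauth_nonce" => nonce,
      "oauth_signature_method" => "HMAC-SHA1", "oauth_timestamp" => timestamp.to_s,
      "oauth_version" => "1.0" }
  end

  # Step 1: request_token with the 1.0a oauth_callback. "oob" is what switches
  # the server to the PIN flow, so the caller must choose it on purpose.
  def self.request_token_params(key, secret, callback:, nonce: SecureRandom.hex(16), timestamp: Time.now.to_i)
    req = oauth_params(key, nonce, timestamp).merge("oauth_callback" => callback)
    req.merge("oauth_signature" => sign("POST", REQUEST_TOKEN_URL, req, secret))
  end

  # Which flow a request_token call asks for; catches a silent "oob" default.
  def self.callback_mode(params)
    params["oauth_callback"] == "oob" ? :pin : :redirect
  end

  # Parse the form-encoded response and insist on oauth_callback_confirmed=true,
  # the acknowledgement a 1.0a server sends for the callback it received.
  def self.parse_request_token(body)
    r = URI.decode_www_form(body).to_h
    raise "callback not confirmed; endpoint may still be pre-1.0a" unless r["oauth_callback_confirmed"] == "true"
    r
  end

  # Step 3: access_token. 1.0a makes oauth_verifier mandatory, so refuse to
  # build the request without it rather than let the server answer with a 401.
  def self.access_token_params(key, secret, token, token_secret, verifier:, nonce: SecureRandom.hex(16), timestamp: Time.now.to_i)
    raise ArgumentError, "oauth_verifier is required in OAuth 1.0a" if verifier.to_s.empty?
    req = oauth_params(key, nonce, timestamp).merge("oauth_token" => token, "oauth_verifier" => verifier)
    req.merge("oauth_signature" => sign("POST", ACCESS_TOKEN_URL, req, secret, token_secret))
  end

  # Offline walk-through of the three legs with constructed credentials and
  # canned responses; returns what each leg produced so it can be checked.
  def self.demo
    key, secret = "sample_consumer_key", "sample_consumer_secret" # constructed
    leg1 = request_token_params(key, secret, callback: "http://yoursite.example/oauth/callback")
    # Constructed request_token response: token, token secret, 1.0a confirmation.
    rt = parse_request_token("oauth_token=sample_req_token&oauth_token_secret=sample_req_secret&oauth_callback_confirmed=true")
    # Constructed redirect back from twitter.com carrying oauth_token and the new oauth_verifier.
    back = URI.decode_www_form(URI("http://yoursite.example/oauth/callback?oauth_token=sample_req_token&oauth_verifier=sample_verifier").query).to_h
    raise "token mismatch in redirect" unless back["oauth_token"] == rt["oauth_token"]
    leg3 = access_token_params(key, secret, rt["oauth_token"], rt["oauth_token_secret"], verifier: back["oauth_verifier"])
    { mode: callback_mode(leg1),
      leg1_valid: verify("POST", REQUEST_TOKEN_URL, leg1, secret),
      leg3_valid: verify("POST", ACCESS_TOKEN_URL, leg3, secret, rt["oauth_token_secret"]),
      verifier: leg3["oauth_verifier"] }
  end
end

puts OAuth1a.demo.inspect if $PROGRAM_NAME == __FILE__
```

The two checks worth keeping in a real client are the ones the posts describe as symptoms: callback_mode tells you before the request leaves whether you are about to be pushed into the PIN flow, and parse_request_token refuses a response that lacks oauth_callback_confirmed=true, which is the quickest way to tell a pre-1.0a endpoint from a signature mistake when you see 401s.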