Obtaining access token WITHOUT using a PIN


eco_bach

Jan 20, 2010, 9:59:05 AM
to Twitter Development Talk
Hi
According to the official OAuth spec, in order to obtain an access
token, the consumer request MUST contain the following parameters

1. oauth_consumer_key: The Consumer Key.
2. oauth_token: The Request Token obtained previously.
3. oauth_signature_method: The signature method the Consumer used to sign the request.
4. oauth_signature: The signature as defined in Signing Requests.
5. oauth_timestamp: As defined in Nonce and Timestamp.
6. oauth_nonce: As defined in Nonce and Timestamp.

I'm developing a web application in Flash and hence, NOT using the
extra pin handshake. (at least I've been told it wasn't necessary, my
Application Type is defined as 'Browser').

So far, I've been unsuccessful, 'verified'= false in my access token
request handler.
Can someone confirm for me that I in fact don't need the PIN, and if
so, do I need to explicitly define all six parameters above in my
request?
Thanks for any feedback!

ryan alford

Jan 20, 2010, 10:09:53 AM
to twitter-deve...@googlegroups.com
You DO NOT need the PIN for a browser app.  It is ONLY REQUIRED for desktop apps.

1.  oauth_consumer_key = Consumer key given to you by Twitter
2.  oauth_token = The token
3.  oauth_signature_method = "HMAC-SHA1"
4.  oauth_signature = computed HMAC-SHA1 hash value of the other parameters
5.  oauth_timestamp = the number of seconds since Jan 1 1970
6.  oauth_nonce = a unique value.  I would suggest using a GUID.

For the signature, here is an example of what needs to be hashed:  this is a GET request to "rate_limit_status"

GET&http%3A%2F%2Ftwitter.com%2Faccount%2Frate_limit_status.xml&oauth_consumer_key%3DYourConsumerKey%26oauth_nonce%3D0f419e62-8680-468f-a647-0532706af529%26oauth_signature_method%3DHMAC-SHA1%26oauth_timestamp%3D1263999954%26oauth_token%3D36116361-8YRR4w9rRwz7HOc0nYTMmNWjCDrQdFYtnPwsiP7jm%26oauth_version%3D1.0

You would take this value and hash it.  The KEY to the hash would be "yourConsumerSecret&tokenSecret", and "tokenSecret" is allowed to be blank for the cases where you don't have the secret.

Even though the documentation says the "oauth_version" is optional, I include it anyway.

Ryan
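
Added example, not part of the original thread: a Python sketch of the OAuth 1.0 HMAC-SHA1 signing step described in the reply above, which rebuilds the exact base string quoted there, signs it (the HMAC output is base64-encoded per the OAuth spec), and shows the constant-time comparison a verifying server should use. The consumer secret `YourConsumerSecret` and the helper names are placeholders chosen for illustration.

```python
import base64
import hashlib
import hmac
from urllib.parse import quote


def pct(value: str) -> str:
    """Percent-encode everything except the unreserved set A-Z a-z 0-9 - . _ ~"""
    return quote(value, safe="-._~")


def signature_base_string(method: str, url: str, params: dict) -> str:
    # Encode names and values, sort them, then join as name=value pairs.
    pairs = sorted((pct(k), pct(v)) for k, v in params.items())
    normalized = "&".join(f"{k}={v}" for k, v in pairs)
    # The three parts are encoded once more and joined with '&'.
    return "&".join([method.upper(), pct(url), pct(normalized)])


def sign(base_string: str, consumer_secret: str, token_secret: str = "") -> str:
    # Key is "consumerSecret&tokenSecret"; the '&' stays even if the token secret is empty.
    key = f"{pct(consumer_secret)}&{pct(token_secret)}"
    digest = hmac.new(key.encode(), base_string.encode(), hashlib.sha1).digest()
    return base64.b64encode(digest).decode()


def verify(base_string: str, signature: str, consumer_secret: str,
           token_secret: str = "") -> bool:
    # Constant-time comparison avoids leaking how many leading bytes matched.
    return hmac.compare_digest(sign(base_string, consumer_secret, token_secret), signature)


# Parameter values copied from the base string quoted in the reply above.
PARAMS = {
    "oauth_consumer_key": "YourConsumerKey",
    "oauth_nonce": "0f419e62-8680-468f-a647-0532706af529",
    "oauth_signature_method": "HMAC-SHA1",
    "oauth_timestamp": "1263999954",
    "oauth_token": "36116361-8YRR4w9rRwz7HOc0nYTMmNWjCDrQdFYtnPwsiP7jm",
    "oauth_version": "1.0",
}
URL = "http://twitter.com/account/rate_limit_status.xml"
BASE = signature_base_string("GET", URL, PARAMS)
SIG = sign(BASE, "YourConsumerSecret")  # placeholder secret, blank token secret

if __name__ == "__main__":
    print(BASE)
    print("oauth_signature =", SIG)
```

The resulting `oauth_signature` value must itself be percent-encoded when it is placed in the query string or Authorization header.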