Hello,

I am designing a Netflix Application for BlackBerry mobile devices. I am currently working on the OAuth. I am at the point where I can generate a Netflix login page in an embedded browser field in my application.

After the user signs in, Netflix will send the user from the login page to a specified callback URL. The callback URL will also contain an authorized token, which then needs to be sent back to Netflix.

My question is: How am I supposed to do this on a mobile device? Is there a procedure set in place? I am unsure how I can extract the authorized token from the callback URL and send it back to my application. From my research, it does not appear that Netflix will provide a PIN/verifier for the user to then type into the application...

Does anyone have any ideas?

Thanks...

+1  A: 

There are two ways to deal with callbacks on mobile devices. The first is to set the value of oauth_callback to 'oob'. This is done if your device is unable to receive callbacks. See the OAuth spec, section 2.1:

Temporary Credentials

Using 'oob' should cause the server (Netflix) to display a verification code that the user then types into your application to authorize the request token.

The second way, if your device supports it, is to use a custom URI scheme. I know that on iPhones, you can register a callback with a custom scheme that is assigned to your application. Is there a way to do this on a BlackBerry? If so, I'd use this approach as it's a much better user experience.

Paul Osman
Thanks for your help, Paul. I don't think I can use a custom URI scheme. I tried setting oauth_callback to "oob", and after I logged in at the Netflix login page, the only thing that appeared was a "Go to Netflix" button, which brought me to the Netflix site...
behrk2
Hi behrk2. Hmm, if the BlackBerry doesn't support custom URI schemes and Netflix doesn't support out-of-bound callbacks, it sounds like you might have to take it up with Netflix. Have you tried posting on their support forums, asking what they suggest for devices that can't accept callbacks?
Paul Osman
btw, here is a link to the OAuth topic in the Netflix forums: http://developer.netflix.com/forum/read/27647
Paul Osman
Thanks for the link. I have posted in the Netflix forums, however it seems that no one is going to respond. I have scanned all of the Netflix documentation, including the link you sent me, and I found no useful information on how to handle this situation...
behrk2
Looks like someone responded to your post: http://developer.netflix.com/forum/read/64879 So if they only support OAuth 1.0 (not 1.0a) then you're out of luck with oob configurations. I'd follow the advice that they gave you on the Netflix forums. Set the callback URL to some page you host that instructs the user to restart your app... on restart, exchange the request token (now authorized) for an access token and you should be good to go. It's clunky, but without support for registering URI schemes or for oob, it's all you can do really.
Paul Osman
Well, I hope they support 1.0a soon! Not a very easy experience for my users. So, am I essentially performing the request token process again? But since the user has logged in, it will return an authorized access token instead? I'm wondering if, instead of having the user restart the application, they can click a button in my application saying when they have signed in with Netflix. What do you think?
behrk2
I'm surprised that they don't support 1.0a frankly. They've had over 6 months to do it. You could definitely present a button to the user saying they've authorized the token. When they click on the button, you'd try to exchange the request token for an access token. If it fails, you'd have to start the process over (request an access token, direct the user to the authorize endpoint, etc). I agree that the button approach would be a better user experience than restarting the application.
Paul Osman
Thanks for your help!
behrk2
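
An added example, not code from any poster in this thread or from Netflix, of the two steps discussed above: taking `oauth_token` out of the callback URL the embedded browser navigates to, and building the signed OAuth 1.0 request that exchanges the authorized request token for an access token. It is written in Python rather than BlackBerry Java to show the protocol steps; the callback and endpoint URLs, keys and tokens are constructed placeholders, and the HMAC-SHA1 signing follows RFC 5849.

```python
import base64
import hashlib
import hmac
from urllib.parse import parse_qs, quote, urlsplit


def pct(value):
    # RFC 5849 section 3.6 percent-encoding: only unreserved characters stay literal.
    return quote(str(value), safe="-._~")


def token_from_callback(url, expected_callback, pending_token):
    """Return the oauth_token carried by a callback URL, or None if it must be ignored."""
    got, want = urlsplit(url), urlsplit(expected_callback)
    # Only react to navigation that really is our own callback page.
    if (got.scheme, got.netloc, got.path) != (want.scheme, want.netloc, want.path):
        return None
    tokens = parse_qs(got.query).get("oauth_token", [])
    # Exactly one token, and it must be the request token this app obtained itself.
    if len(tokens) != 1:
        return None
    same = hmac.compare_digest(tokens[0].encode(), pending_token.encode())
    return tokens[0] if same else None


def sign_hmac_sha1(method, url, params, consumer_secret, token_secret=""):
    """RFC 5849 section 3.4 HMAC-SHA1 signature over method, URL and parameters."""
    pairs = sorted((pct(k), pct(v)) for k, v in params.items())
    normalized = "&".join(f"{k}={v}" for k, v in pairs)
    base = "&".join([method.upper(), pct(url), pct(normalized)])
    key = f"{pct(consumer_secret)}&{pct(token_secret)}".encode()
    digest = hmac.new(key, base.encode(), hashlib.sha1).digest()
    return base64.b64encode(digest).decode()


def access_token_params(consumer_key, consumer_secret, token, token_secret,
                        url, nonce, timestamp):
    """Signed parameters for exchanging the authorized request token."""
    params = {
        "oauth_consumer_key": consumer_key,
        "oauth_token": token,
        "oauth_signature_method": "HMAC-SHA1",
        "oauth_timestamp": timestamp,
        "oauth_nonce": nonce,
        "oauth_version": "1.0",
    }
    params["oauth_signature"] = sign_hmac_sha1("POST", url, params,
                                               consumer_secret, token_secret)
    return params
```

If the exchange is rejected because the user has not finished authorizing, the app discards the pending request token and starts the flow again, as described in the comments above.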
+1  A: 

Instead of embedding a browser field, you may be better off creating a seamless (i.e. browserless) user experience by simply letting the mobile app do all the necessary handshaking with Netflix. You'll need to set up a public domain server as your callback host for OAuth and have that negotiate your new session key/secret key and pass it back to your device. All the while, the device will need to maintain an open HTTP connection to your public server in order to finally receive the credentials and proceed to request the user data directly from Netflix. The whole round trip should not take more than roughly 15 seconds so HTTP timeouts should not be an issue. You'll need to first study (i.e. "screen scrape") the Netflix login HTML page to extract the necessary/relevant HTML form param names etc. Good luck.

Oke Uwechue
This idea interests me. I had thought about it in the past, but was unsure how to go about implementing it. Will try it out. Thanks!
behrk2