There is no practical way that I can see or have read about that lets you authenticate using OAuth without making the user leave the app or having to write the PIN down before they can post an update... Is there maybe another REST API that I missed?

+3  A: 

Yup. What you can do is register a custom URI scheme with your application and use it in the oauth_callback parameter. This saves you from having to use out-of-band callback configuration, which requires the user to manually enter a verifier, as you describe.

Details on registering a custom URI scheme for your app here:

http://iphonedevelopertips.com/cocoa/launching-your-own-application-via-a-custom-url-scheme.html

Edited - Elaborating

Using a custom URI scheme, you can instruct an OAuth Service Provider to 'call back' to your iPhone application when a user authorizes a Request Token. This is an alternative to the cumbersome "out-of-band callback" workflow that requires a user to authorize a Request Token, and then be given a verifier code that they manually enter via your application. It is also more analogous to how Web Applications that use OAuth behave.

The steps involved in using a URI scheme would be the following:

  1. Using the above link as a guide, bind a custom URI scheme to your iPhone application (i.e. "myapp://").
  2. When requesting a Request Token from the OAuth Service Provider, provide a URI that uses your custom scheme as the value of the 'oauth_callback' parameter. For example, oauth_callback=myapp://oauth/callback
  3. When you get a Request Token, direct the user to the Service Provider's authorization endpoint URL via the browser (launch Safari, send the user to http://example.com/oauth/authorize?oauth_token=token).
  4. If the user chooses to authorize the Request Token, the Service Provider will redirect them (usually via a 301 HTTP Status header) to the URI you provided in step # 2.
  5. Safari will recognize that the URI uses a scheme that is bound to your application and launch your app.
  6. When the callback is called (again, see the above linked guide for details) you will be able to exchange the authorized OAuth Request Token for an Access Token.
  7. Finally, with an Access Token you will be able to access Protected Resources from the OAuth Service Provider.

Does that make more sense?

Paul Osman
Could you explain this in more detail?
nathanjosiah
Yeah, absolutely. I'll edit the answer with more details.
Paul Osman
It makes more sense, but I can't find anything about a callback parameter in the headers of OAuth.
nathanjosiah
What version of the spec are you reading? If it's 1.0a, it'll be one of the parameters you send when requesting an unauthorized request token: http://oauth.net/core/1.0a/#auth_step1 If it's 1.0, it'll be when you redirect the user to the authorization URL: http://oauth.net/core/1.0/#auth_step2
Paul Osman
nathanjosiah
When I say "authorized it", I meant I made the custom URI for my app.
nathanjosiah
That URL is the OAuth Authorize endpoint. You need to include your oauth_callback parameter when you get a request token (using the OAuth Request Token endpoint). That'd be https://twitter.com/oauth/request_token. You send the oauth_callback parameter along with your other OAuth parameters (oauth_consumer_key, oauth_nonce, etc).
Paul Osman
I added my code in the next answer.
nathanjosiah
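The request-token call and callback handling described in the steps and comments above, as an added example that is not part of the original answers. It uses only Python's standard library rather than an iPhone OAuth library; the endpoint URL, consumer key and secret, and the function names are assumptions chosen for illustration.

```python
import base64, hashlib, hmac, secrets, time
from urllib.parse import parse_qs, quote, urlsplit

CALLBACK = "myapp://oauth/callback"  # custom scheme URI from step 2 of the answer

def enc(s):
    # OAuth 1.0a percent-encoding: only RFC 3986 unreserved characters stay literal
    return quote(str(s), safe="-._~")

def signed_request_token_params(url, consumer_key, consumer_secret,
                                nonce=None, timestamp=None):
    """Every parameter for the Request Token call; oauth_callback is signed too."""
    params = {
        "oauth_callback": CALLBACK,
        "oauth_consumer_key": consumer_key,
        "oauth_nonce": nonce or secrets.token_hex(16),
        "oauth_signature_method": "HMAC-SHA1",
        "oauth_timestamp": str(timestamp or int(time.time())),
        "oauth_version": "1.0",
    }
    # Signature base string: METHOD & encoded URL & encoded, sorted parameter list
    normalized = "&".join(f"{k}={v}" for k, v in
                          sorted((enc(k), enc(v)) for k, v in params.items()))
    base_string = "&".join(["POST", enc(url), enc(normalized)])
    key = enc(consumer_secret) + "&"  # no token secret exists at this step
    digest = hmac.new(key.encode(), base_string.encode(), hashlib.sha1).digest()
    params["oauth_signature"] = base64.b64encode(digest).decode()
    return params

def handle_callback(uri, pending_request_token):
    """Validate the URI the app was launched with; return the verifier or raise."""
    parts = urlsplit(uri)
    expected = urlsplit(CALLBACK)
    if (parts.scheme, parts.netloc, parts.path) != \
            (expected.scheme, expected.netloc, expected.path):
        raise ValueError("unexpected callback URI")
    q = parse_qs(parts.query)
    token = q.get("oauth_token", [""])[0]
    verifier = q.get("oauth_verifier", [""])[0]
    # Any app or web link can open myapp:// URIs, so accept only the token we requested
    if not verifier or not hmac.compare_digest(token.encode(),
                                               pending_request_token.encode()):
        raise ValueError("callback does not match the pending request token")
    return verifier
```

The returned verifier is what an OAuth 1.0a client sends, together with the request token, when exchanging it for an Access Token in step 6.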
A: 
nathanjosiah
With this code it executes my "requestDidFail" function...
nathanjosiah
It's been a long time since I've written any code in Objective-C, and I'm unfamiliar with that particular OAuth library, but yes, if this is all you are doing, it is wrong. Sending *just* an oauth_callback param to the Request Token endpoint will fail. You need to send all of the required OAuth parameters, including oauth_consumer_key, oauth_signature_method, oauth_signature, etc... Have you read the spec? (http://oauth.net/core/1.0a/)
Paul Osman
Yes I have, multiple versions of it... As soon as I add the extra callback parameter it gives me an NSURLErrorDomain with a return code of -1012, and I am giving it all the correct information: key, secret, timestamp, etc. I don't know what else to do... I've tried putting the callback in the OAuth source code where the header is, but no luck. I've tried everything I can think of.
nathanjosiah
Thank you so much for all your help... I figured it out: I had to change settings that weren't in the code, Twitter has it set up differently...
nathanjosiah
Ah, glad you got it working!
Paul Osman
A: 

This is why it won't work...

April 23, 2009 Deprecated (REST): Support for the oauth_callback parameter has been removed due to security vulnerability. (discussion)

You have to manually set the callback URL in your application settings.

nathanjosiah
A: 

Will Facebook support the custom URL scheme in the OAuth redirect URI?

Suresh Reddy