
I'm developing a web application that I've registered with Twitter. In this app, I might have 10 different Twitter identities for which I want to either allow or deny the application access.

For example:

https://api.twitter.com/oauth/authorize?oauth_token=XXXXXXXXXXXXXXXXXXXXXXXX&oauth_callback=http://localhost:24649/TwitterIdentity/GetTwitterAuthorizationCallback/

It always just defaults to whatever Twitter account I'm logged in as, and I have to log out, then sign in with the new account. It's almost like I need an extra query-string parameter such as

https://api.twitter.com/oauth/authorize?oauth_token=XXXXXXXXXXXXXXXXXXXXXXXX&oauth_callback=http://localhost:24649/TwitterIdentity/GetTwitterAuthorizationCallback/&ForUsername=billgates

A: 

Note that in the general scope of authorization, the authorized agent does not necessarily know the identity of the user on whose behalf it acts. In other words, there could be an implementation where your app can be authorized to read the Twitter stream of updates, while still not knowing which identity that stream belongs to. Adding the parameter you ask for would be information disclosure in this case, as your app will need a piece of information that the system is designed not to provide.

Or, to put it in a real-life example: imagine valet parking where, instead of giving you a parking ticket and taking the keys to the car, the valet asked you for your SSN just to park the car, simply because the valet parks cars for other people too.

Franci Penov
I was trying to figure out how to get the login out of the session when hitting the authorize page. It seems like it's not technically possible. Thanks for the explanation.
Shane
Once your app is authorized, you most probably can get the identity from the Twitter API. So you could keep an association of authorization tokens and identities. You just can't request authorization for a specific identity.
Franci Penov
That is what I ended up doing. I have a table that I store the request token in during authorization; then, upon callback, I match it up via that request token, so I will know the user. Thanks again.
Shane
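The bookkeeping the last comment describes, written out as an added example (it is not code from the question, the answer, or any Twitter library). The app records which of its own users and which identity slot a request token was issued for, matches the callback back to that record, and only then learns from the access-token response which Twitter account actually authorized. `TwitterLinkStore`, the slot numbers and the `exchange` callable are hypothetical; `constructed_exchange` stands in for the real access-token request and returns a made-up form-encoded body in the shape Twitter's `/oauth/access_token` endpoint uses (`oauth_token`, `oauth_token_secret`, `user_id`, `screen_name`). The example also shows the checks a practitioner wants at the callback: an unknown or replayed token is refused, a token that belongs to another user's session is refused, a missing `oauth_verifier` is refused, and the exact failure from the question (the browser was still logged in as an account that is already linked) is detected rather than silently overwriting a slot.

```python
"""Added example: matching a Twitter OAuth 1.0a callback back to the local
user/slot that started it. Not code from the original thread; names such as
TwitterLinkStore are hypothetical, and the exchange below is simulated."""
from dataclasses import dataclass
from urllib.parse import parse_qs, urlencode

AUTHORIZE_URL = "https://api.twitter.com/oauth/authorize"


@dataclass
class PendingAuthorization:
    request_token: str
    local_user: str   # user of *our* app who started the flow
    slot: int         # which identity slot (1..10 in the question) it should fill


@dataclass
class LinkedIdentity:
    slot: int
    twitter_user_id: str
    screen_name: str
    access_token: str
    access_token_secret: str


class TwitterLinkStore:
    """Hypothetical in-memory stand-in for the table the commenter describes."""

    def __init__(self):
        self.pending = {}   # request_token -> PendingAuthorization
        self.linked = {}    # (local_user, slot) -> LinkedIdentity

    def begin(self, local_user, slot, request_token):
        """Record who the request token was issued for and build the authorize URL.
        Twitter decides which account signs in; we only decide which slot to fill."""
        self.pending[request_token] = PendingAuthorization(request_token, local_user, slot)
        return AUTHORIZE_URL + "?" + urlencode({"oauth_token": request_token})

    def complete(self, local_user, oauth_token, oauth_verifier, exchange):
        """Handle the callback. `exchange(oauth_token, oauth_verifier)` performs the
        access-token request and returns Twitter's form-encoded response body.
        Returns (status, identity)."""
        entry = self.pending.get(oauth_token)
        if entry is None:
            return "unknown_token", None           # never issued, or already consumed
        if entry.local_user != local_user:
            return "wrong_session", None           # callback landed in another user's session
        if not oauth_verifier:
            return "missing_verifier", None        # OAuth 1.0a requires the verifier
        del self.pending[oauth_token]              # single use: a replayed callback fails above
        fields = parse_qs(exchange(oauth_token, oauth_verifier))
        identity = LinkedIdentity(
            slot=entry.slot,
            twitter_user_id=fields["user_id"][0],
            screen_name=fields["screen_name"][0],
            access_token=fields["oauth_token"][0],
            access_token_secret=fields["oauth_token_secret"][0],
        )
        # The browser was still logged in as an account this user already linked:
        # report it so the user can log out of Twitter and retry, instead of
        # overwriting a different slot with a duplicate of the same account.
        for (user, slot), existing in self.linked.items():
            if (user == local_user and slot != entry.slot
                    and existing.twitter_user_id == identity.twitter_user_id):
                return "already_linked", existing
        self.linked[(local_user, entry.slot)] = identity
        return "linked", identity


def constructed_exchange(oauth_token, oauth_verifier):
    """Constructed stand-in for the access-token request: whatever token is
    presented, the browser is "still logged in" as the same Twitter account."""
    return "oauth_token=acc-1&oauth_token_secret=sec-1&user_id=111&screen_name=billgates"


if __name__ == "__main__":
    store = TwitterLinkStore()
    print(store.begin("alice", 1, "reqtok1"))
    print(store.complete("alice", "reqtok1", "verif", constructed_exchange))
    store.begin("alice", 2, "reqtok2")
    print(store.complete("alice", "reqtok2", "verif", constructed_exchange))
```

The store keys nothing on the Twitter account until the access-token response arrives, which is the point of the accepted answer: the app can say which slot it is filling, but not which account fills it. Keying the pending record on the local session is what stops a callback URL from being pasted into someone else's session and linking an attacker's Twitter account to the victim's app account.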