I've been working with OAUTH and wrote a tiny client that demonstrates
some aspects of working with Twitter's OAUTH infrastructure.

They require that all requests be signed, so that security information
is encoded in the request in a public key form, that can be decoded on
each side, to verify authenticity. It seems that once you've obtained
a valid token and key for the user via the OAUTH mechanism, it
shouldn't matter (and indeed, from Twitter's point of view, does not
matter). Once an application is registered with Twitter, you can use
that application's credentials to obtain user credentials that allow
the application to effect things in the user's Twitter stream and
account.



On Jan 21, 4:35 pm, Flapjack <[email protected]> wrote:
> I would like to connect to a remote web service to retrieve data.
> However, in doing so, I must provide this web service with credentials
> to authenticate the client, (to disallow anonymous requests), before
> data is returned. The only way I can think of to do this is by simply
> passing along the credentials in the querystring with each request.
> This method seems rather clunky, not to mention sessionless. Is there
> a better technique? This web service is also entirely under my
> developmental control, so I can make any necessary changes.
>
> Also, on the side of the web service, I would like to ensure that ONLY
> requests that come directly from an android handset will be accepted
> (have data returned). In other words, if that same request comes in
> from a browser or iFone, data will not be returned. User-agents can be
> easily spoofed so I don't want to rely on that. Is this at all
> possible? The only way I can think of would be to keep the parameters
> of each service call a secret (is this even possible?) so that a user
> can't recreate the querystring, thus throwing an error.
>
> Looking forward to your input!
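
An added example, not part of the original thread: the request signing discussed above, sketched with the HMAC-SHA1 method of OAuth 1.0a (RFC 5849), so the secrets are never sent in the query string and the service can reject tampered or replayed requests. The URL, keys and parameter values are constructed, and `sign`/`verify` are hypothetical helper names.

```python
import base64, hashlib, hmac
from urllib.parse import quote

def pct(value):
    # Percent-encoding per RFC 5849 section 3.6 (only unreserved chars stay).
    return quote(str(value), safe="-._~")

def signature(method, url, params, consumer_secret, token_secret):
    # Base string: METHOD & encoded URL & encoded, sorted parameter list.
    pairs = sorted((pct(k), pct(v)) for k, v in params.items()
                   if k != "oauth_signature")
    normalized = "&".join(f"{k}={v}" for k, v in pairs)
    base = "&".join([method.upper(), pct(url), pct(normalized)])
    # The key is built from both secrets; neither one is ever transmitted.
    key = f"{pct(consumer_secret)}&{pct(token_secret)}".encode()
    digest = hmac.new(key, base.encode(), hashlib.sha1).digest()
    return base64.b64encode(digest).decode()

def sign(method, url, params, consumer_secret, token_secret):
    # Client side: attach the signature to a copy of the parameters.
    signed = dict(params)
    signed["oauth_signature"] = signature(method, url, params,
                                          consumer_secret, token_secret)
    return signed

def verify(method, url, params, consumer_secret, token_secret,
           seen_nonces, now, max_skew=300):
    # Server side: reject stale, forged or replayed requests.
    try:
        ts = int(params["oauth_timestamp"])
        nonce = params["oauth_nonce"]
        sent = params["oauth_signature"]
    except (KeyError, ValueError):
        return False
    if abs(now - ts) > max_skew:
        return False
    expected = signature(method, url, params, consumer_secret, token_secret)
    if not hmac.compare_digest(expected, sent):  # constant-time compare
        return False
    if (ts, nonce) in seen_nonces:  # nonce recorded only after a valid signature
        return False
    seen_nonces.add((ts, nonce))
    return True

# Constructed sample request (all values are placeholders).
URL = "https://api.example.com/data"
PARAMS = {"oauth_consumer_key": "ck", "oauth_token": "tk",
          "oauth_nonce": "n1", "oauth_timestamp": "1000",
          "oauth_signature_method": "HMAC-SHA1", "q": "hello world"}
SIGNED = sign("GET", URL, PARAMS, "consumer-secret", "token-secret")
```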
