You can kind of delegate individual requests with OAuth, depending on what
the use case is, by generating a signed URI and handing it off to a fourth
party to use.

In the TweetDeck/TwitPic case, TweetDeck could generate a signed URI for
POSTing the desired tweet, then pass the URI off to TwitPic to actually make
the request.

Note that this only works if the fourth party doesn't need to modify the
request parameters. However, they _can_ modify the request body as long as
the content-type isn't application/x-www-form-urlencoded (and the provider
hasn't implemented the draft spec for OAuth request body signing).

Mike

On Thu, Mar 26, 2009 at 5:37 AM, Ben Laurie <[email protected]> wrote:

>
> On Wed, Mar 25, 2009 at 4:13 PM, Ivan Kirigin <[email protected]>
> wrote:
> >
> > Hi,
> >
> > I recently integrated Twitter's OAuth into my site, http://tipjoy.com
> >
> > It's a great user experience and a lot like Facebook Connect.
> >
> > But I ran into a problem when developing our API for Twitter
> > applications to use Tipjoy for payments. OAuth tokens aren't
> > transferable like a username & password. For example, a Twitter user
> > on TweetDeck can input a username & password, which lets TweetDeck
> > post a picture to TwitPic. If TweetDeck were granted OAuth access to
> > the user's Twitter account, TwitPic couldn't verify the access tokens
> > easily, and couldn't communicate to Twitter with them.
> >
> > How can we power this 4-legged OAuth? Twitter could act as an
> > intermediary, to tell TwitPic that the request from TweetDeck is
> > authorized.
>
> Aha. This is delegation, something I wanted to put into OAuth first
> time round but, well, there was resistance :-)
>
> I believe the IETF are also interested in delegation.
>
> >
> > I'm told Facebook is coming up with a solution for Facebook Connect.
> > As the environment for social apps becomes more connected, this
> > communication between 3rd parties about users on the OAuth provider
> > becomes more important.
> >
> > What do you all think?
> >
> > Thanks,
> > Ivan
> > http://tipjoy.com
> >
>
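
What the signature on a handed-off request does and does not bind, as an added example that is not part of the original thread: an OAuth 1.0 HMAC-SHA1 signature base string built in Python. The endpoint, secrets and parameter values are constructed for illustration, and the signed parameters are passed as a dict rather than parsed out of a URI.

```python
import base64, hashlib, hmac
from urllib.parse import parse_qsl, quote

FORM = "application/x-www-form-urlencoded"

def enc(s):
    # OAuth 1.0 parameter encoding: only unreserved characters stay literal
    return quote(str(s), safe="-._~")

def sign(method, url, params, body, ctype, consumer_secret, token_secret):
    pairs = [(k, v) for k, v in params.items() if k != "oauth_signature"]
    if ctype == FORM:  # the only case where the body enters the base string
        pairs += parse_qsl(body.decode(), keep_blank_values=True)
    norm = "&".join(f"{k}={v}" for k, v in sorted((enc(k), enc(v)) for k, v in pairs))
    base = "&".join([method.upper(), enc(url), enc(norm)])
    key = f"{enc(consumer_secret)}&{enc(token_secret)}".encode()
    return base64.b64encode(hmac.new(key, base.encode(), hashlib.sha1).digest()).decode()

def verify(method, url, params, body, ctype, consumer_secret, token_secret):
    expected = sign(method, url, params, body, ctype, consumer_secret, token_secret)
    return hmac.compare_digest(expected, params.get("oauth_signature", ""))

# Constructed sample values (not real credentials or endpoints)
URL = "https://provider.example/statuses/update"
SECRETS = ("consumer-secret", "token-secret")
BASE_PARAMS = {
    "oauth_consumer_key": "client-key", "oauth_token": "user-token",
    "oauth_signature_method": "HMAC-SHA1", "oauth_timestamp": "1238070000",
    "oauth_nonce": "n0nce", "oauth_version": "1.0", "status": "photo from the beach",
}

def delegate(body, ctype):
    """First client signs the request and hands the signed parameters on."""
    signed = dict(BASE_PARAMS)
    signed["oauth_signature"] = sign("POST", URL, signed, body, ctype, *SECRETS)
    return signed

def demo():
    handed_off = delegate(b"", "image/png")
    # Fourth party supplies its own non-form body: signature still verifies
    body_swapped = verify("POST", URL, handed_off, b"\x89PNG...", "image/png", *SECRETS)
    # Fourth party edits a signed parameter: verification fails
    edited = dict(handed_off, status="something else")
    param_changed = verify("POST", URL, edited, b"", "image/png", *SECRETS)
    # Form-encoded body is part of the base string: changing it fails
    form = delegate(b"caption=a", FORM)
    form_changed = verify("POST", URL, form, b"caption=b", FORM, *SECRETS)
    return body_swapped, param_changed, form_changed
```

`demo()` returns `(True, False, False)`: a provider that relies on this signature alone has no integrity check on a non-form body, so whoever holds the signed request controls that body.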
