[twitter-dev] Obtaining access token WITHOUT using a PIN

2010-01-20 Thread eco_bach
Hi
According to the offcial OAuth spec, in order to obtain an access
token, the consumer request MUST contain the following parameters

1 oauth_consumer_key:The Consumer Key.
2 oauth_token:The Request Token obtained previously.
3 oauth_signature_method: The signature method the Consumer 
used to
sign the request.
4 oauth_signature: The signature as defined in Signing Requests
(Signing Requests).
5 oauth_timestamp: As defined in Nonce and Timestamp (Nonce and
Timestamp).
6 oauth_nonce: As defined in Nonce and Timestamp (Nonce and
Timestamp).

I'm developing a web application in Flash and hence, NOT using the
extra pin handshake. (at least I've been told it wasn't necessary, my
Application Type is defined as 'Browser').

So far, I've been unsuccessful, 'verified'= false in my access token
request handler.
Can someone cofirm for me that I in fact don't need the PIN, and if
so, do I need to explicitly define all six parametres above in my
request?
Thanks for any feedback!


Re: [twitter-dev] Obtaining access token WITHOUT using a PIN

2010-01-20 Thread ryan alford
You DO NOT need the PIN for a browser app.  It is ONLY REQUIRED for desktop
apps.

1.  oauth_consumer_key = Consumer key given to you by Twitter
2.  oauth_token = The token
3.  oauth_signature_method = HMAC-SHA1
4.  oauth_signature = computed HMAC-SHA1 hash value of the other parameters
5.  oauth_timestamp = the number of seconds since Jan 1 1970
6.  oauth_nonce = a unique value.  I would suggest using a GUID.

For the signature, here is an example of what needs to be hashed:  this is a
GET request to rate_limit_status

GEThttp%3A%2F%2Ftwitter.com%2Faccount%2Frate_limit_status.xmloauth_consumer_key%3DYourConsumerKey%26oauth_nonce%3D0f419e62-8680-468f-a647-0532706af529%26oauth_signature_method%3DHMAC-SHA1%26oauth_timestamp%3D126354%26oauth_token%3D36116361-8YRR4w9rRwz7HOc0nYTMmNWjCDrQdFYtnPwsiP7jm%26oauth_version%3D1.0

You would take this value and hash it.  The KEY to the hash would be
yourConsumerSecrettokenSecret, and tokenSecret is allowed to be blank
for the cases where you don't have the secret.

Even though the documentation says the oauth_version is optional, I
include it anyway.

Ryan

On Wed, Jan 20, 2010 at 9:59 AM, eco_bach bac...@gmail.com wrote:

 Hi
 According to the offcial OAuth spec, in order to obtain an access
 token, the consumer request MUST contain the following parameters

1 oauth_consumer_key:The Consumer Key.
2 oauth_token:The Request Token obtained previously.
3 oauth_signature_method: The signature method the Consumer
 used to
 sign the request.
4 oauth_signature: The signature as defined in Signing
 Requests
 (Signing Requests).
5 oauth_timestamp: As defined in Nonce and Timestamp (Nonce
 and
 Timestamp).
6 oauth_nonce: As defined in Nonce and Timestamp (Nonce and
 Timestamp).

 I'm developing a web application in Flash and hence, NOT using the
 extra pin handshake. (at least I've been told it wasn't necessary, my
 Application Type is defined as 'Browser').

 So far, I've been unsuccessful, 'verified'= false in my access token
 request handler.
 Can someone cofirm for me that I in fact don't need the PIN, and if
 so, do I need to explicitly define all six parametres above in my
 request?
 Thanks for any feedback!