The oauth_token you are returned is only good for getting an access token from oauth/access_token. That access token is what lets you act as the user.

On Thu, Apr 16, 2009 at 16:36, djMax <[email protected]> wrote:
>
> Ok got it. This explains more. So when I call authenticate (rather
> than authorize) I get back the original oauth_token I was given in
> authorize. The thing I'm not getting is how is this authenticated?
> Anybody could find this token somewhere and then just become the user
> in question right?
>
> On Apr 16, 5:32 pm, Matt Sanford <[email protected]> wrote:
> > Hi there,
> >
> > I recommend calling verify_credentials with your new token to
> > verify the user in question. The screen_name was added as a
> > convenience method because there were a great many complaints about
> > having to do yet another round trip for the screen_name.
> >
> > Thanks;
> > — Matt Sanford
> >
> > On Apr 16, 2009, at 02:11 PM, djMax wrote:
> >
> > > Sorry if this is a noob question, but how can we verify the
> > > screen_name of an OAuth token? It would seem that having it only out
> > > of band as a query arg means it's subject to spoofing right? Not sure
> > > how I build secure site login when the core identifier may not match
> > > the token I'm given.
>

--
Abraham Williams | http://the.hackerconundrum.com
Hacker | http://abrah.am | http://twitter.com/abraham
Web608 | Community Evangelist | http://web608.org
This email is: [ ] blogable [x] ask first [ ] private.
Sent from Madison, Wisconsin, United States
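
The point made in this reply, as an added example that is not part of the original thread: the exchange at oauth/access_token must carry an OAuth 1.0 signature (HMAC-SHA1 is assumed here) keyed with the consumer secret and the request-token secret, so knowing the oauth_token from a callback URL is not enough to complete it. The host name, keys, tokens, nonce and helper names are constructed for illustration.

```python
import base64, hashlib, hmac
from urllib.parse import quote

def pct(value):
    # OAuth 1.0 percent-encoding: only unreserved characters stay literal
    return quote(str(value), safe="-._~")

def sign(method, url, params, consumer_secret, token_secret):
    # Base string: METHOD & encoded URL & encoded, sorted parameter string
    pairs = sorted((pct(k), pct(v)) for k, v in params.items())
    param_str = "&".join(f"{k}={v}" for k, v in pairs)
    base = "&".join([method.upper(), pct(url), pct(param_str)])
    # The HMAC key is both secrets; neither one travels in a redirect
    key = f"{pct(consumer_secret)}&{pct(token_secret)}".encode()
    digest = hmac.new(key, base.encode(), hashlib.sha1).digest()
    return base64.b64encode(digest).decode()

def provider_accepts(params, sig, consumer_secret, token_secret):
    # Provider side: recompute with the stored secrets, compare in constant time
    expected = sign("POST", URL, params, consumer_secret, token_secret)
    return hmac.compare_digest(expected, sig)

# Constructed sample values (hypothetical host, keys and tokens)
URL = "https://provider.example/oauth/access_token"
CONSUMER_SECRET = "constructed-consumer-secret"
TOKEN_SECRET = "constructed-request-token-secret"
PARAMS = {
    "oauth_consumer_key": "constructed-consumer-key",
    "oauth_token": "constructed-request-token",  # the value seen in the callback
    "oauth_signature_method": "HMAC-SHA1",
    "oauth_timestamp": "1239917760",
    "oauth_nonce": "constructed-nonce",
    "oauth_version": "1.0",
}

def registered_app_accepted():
    # The application holds both secrets from the request_token step
    sig = sign("POST", URL, PARAMS, CONSUMER_SECRET, TOKEN_SECRET)
    return provider_accepts(PARAMS, sig, CONSUMER_SECRET, TOKEN_SECRET)

def token_only_party_accepted():
    # Someone who only observed oauth_token has no secrets to key the HMAC
    sig = sign("POST", URL, PARAMS, "", "")
    return provider_accepts(PARAMS, sig, CONSUMER_SECRET, TOKEN_SECRET)

if __name__ == "__main__":
    print(registered_app_accepted(), token_only_party_accepted())
```

A verify_credentials call made with the resulting access token is signed the same way, using the access-token secret in place of the request-token secret.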
