This thread is kind of a dupe of http://groups.google.com/group/twitter-development-talk/browse_thread/thread/a27298269b429a15
I'd suggest we move the convo over there? My last post in that thread describes why I think the current flow is not secure, which is essentially what Dossy says I think. That last token passed from Twitter to the app cannot simply be the original permanent token.

On Apr 17, 7:29 am, Dossy Shiobara <[email protected]> wrote:
> On 4/16/09 10:56 PM, Dimebrain wrote:
>
> > It should be no different than if you persisted the access token
> > yourself and went to call the API a few weeks after doing so, you
> > should be able to trust that your token won't expire.
>
> But this still leaves the question of "how do I get and/or know the
> token secret for the returned AccessToken" ... this is the current
> execution path:
>
> Consumer invokes oauth/request and receives a RequestToken and
> corresponding token secret. Consumer directs user to oauth/authenticate
> with RequestToken. Assuming user authenticates and authorizes the
> application, Provider directs user back to callback URL with an
> AccessToken. Consumer now has a RequestToken and secret, and
> AccessToken without its secret.
>
> That AccessToken is effectively useless to the Consumer.
>
> --
> Dossy Shiobara | [email protected] | http://dossy.org/
> Panoptic Computer Network | http://panoptic.com/
> "He realized the fastest way to change is to laugh at your own
> folly -- then you can let go and quickly move on." (p. 70)
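The execution path Dossy describes stops at the callback redirect, so the consumer never learns the access token's secret. As an added illustration (not code from this thread or from Twitter), the toy below shows the OAuth 1.0 three-legged flow with the missing step: the consumer proves it holds the request token secret by signing a call to oauth/access_token with HMAC-SHA1, and only then does the provider return an access token together with its secret. The in-memory provider, the provider.example host and the endpoint names are assumptions; nonce and timestamp checks are omitted for brevity.

```python
import base64, hashlib, hmac, secrets
from urllib.parse import quote

def hmac_sha1_signature(method, url, params, consumer_secret, token_secret=""):
    """RFC 5849 HMAC-SHA1 over the normalized request; nonce/timestamp left out for brevity."""
    enc = lambda s: quote(s, safe="~")
    norm = "&".join(f"{enc(k)}={enc(v)}" for k, v in sorted(params.items()) if k != "oauth_signature")
    base = "&".join(enc(x) for x in (method.upper(), url, norm))
    key = f"{enc(consumer_secret)}&{enc(token_secret)}".encode()
    return base64.b64encode(hmac.new(key, base.encode(), hashlib.sha1).digest()).decode()

class Provider:
    def __init__(self, consumer_key, consumer_secret):  # toy in-memory provider (assumed)
        self.consumer = (consumer_key, consumer_secret)
        self.request_tokens = {}  # token -> [secret, authorized_by_user?]
        self.access_tokens = {}   # token -> secret; the secret only leaves via the signed exchange
    def _verify(self, method, url, params, token_secret):
        if params.get("oauth_consumer_key") != self.consumer[0]:
            return False
        expected = hmac_sha1_signature(method, url, params, self.consumer[1], token_secret)
        return hmac.compare_digest(params.get("oauth_signature", ""), expected)
    def request_token(self, method, url, params):
        if not self._verify(method, url, params, ""):
            raise PermissionError("bad consumer signature")
        tok, sec = secrets.token_hex(8), secrets.token_hex(16)
        self.request_tokens[tok] = [sec, False]
        return tok, sec
    def user_authorizes(self, tok):
        self.request_tokens[tok][1] = True  # user logged in at the provider and approved the app
    def access_token(self, method, url, params):
        tok = params.get("oauth_token")
        entry = self.request_tokens.get(tok)
        # Caller must prove it holds the request token secret; the callback redirect never proves that.
        if entry is None or not entry[1] or not self._verify(method, url, params, entry[0]):
            raise PermissionError("request token unknown, not authorized, or signature invalid")
        del self.request_tokens[tok]  # a request token is exchanged exactly once
        at, at_secret = secrets.token_hex(8), secrets.token_hex(16)
        self.access_tokens[at] = at_secret
        return at, at_secret

def consumer_flow(provider, key, secret, base="https://provider.example/oauth/"):
    """Consumer side of the three-legged flow; returns the access token *and* its secret."""
    def signed(endpoint, token="", token_secret=""):
        p = {"oauth_consumer_key": key, **({"oauth_token": token} if token else {})}
        p["oauth_signature"] = hmac_sha1_signature("POST", base + endpoint, p, secret, token_secret)
        return p
    rt, rt_secret = provider.request_token("POST", base + "request_token", signed("request_token"))
    provider.user_authorizes(rt)  # stands in for the oauth/authenticate redirect and the user's approval
    return provider.access_token("POST", base + "access_token", signed("access_token", rt, rt_secret))
```

The secret for the access token is only ever transmitted in the response to the signed exchange, never in a redirect URL, which is why a party that saw only the callback cannot use the token.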
