Matt Sanford <[email protected]> writes:
> 2. If your application is registered as a desktop application there
> will be a PIN the user must enter in your application
>
> Details: In the current code desktop applications end in a dead-
> end page. This new flow will give the user a PIN that they enter in
> the application and that must be provided to swap a request token for
> an access token. This will help secure tokens for desktop applications
> since the security of the consumer key and secret cannot be relied
> upon.
> Feedback: We are planning to make this a required step but I am
> open to discussion if anyone feels there is a compelling case for
> desktop applications without a PIN. Email me directly with feedback.
Let me make sure I understand the proposed flow correctly:
1. Application uses consumer key/secret to get request token, sends
user to Twitter authentication page.
2. User authenticates with Twitter and authorizes application.
3. Twitter gives user PIN number which they then enter into the
application.
4. Application uses PIN and request token to get access token and
proceeds as normal with OAuth-authenticated requests.
With this setup, will users be able to authenticate multiple instances
of the same application? If so, it might be useful to allow the user to
optionally assign a name to the application instance, so long as that
doesn't make the user experience too confusing.
- Michael
--
mouse, n: A device for pointing at the xterm in which you want to type.
Confused by the strange files? I cryptographically sign my messages.
For more information see <http://www.elehack.net/resources/gpg>.
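The four-step flow summarised above, modelled as an added example (not code from the thread or from Twitter): a toy provider that issues a request token, binds a PIN to it when the user authorizes, and only swaps it for an access token when the matching PIN is presented once. Every class and function name here is invented for illustration; the point it shows is that a leaked consumer key/secret lets someone obtain and get a request token authorized, but not complete the swap without the PIN the user sees, and that each authorized instance ends up with its own access token.

```python
import hmac
import secrets
from dataclasses import dataclass, field
from typing import Dict, Optional, Tuple


@dataclass
class RequestToken:
    consumer_key: str
    secret: str
    pin: Optional[str] = None   # set only after the user authorizes in the browser
    used: bool = False          # a request token may be swapped exactly once


@dataclass
class Provider:
    """Hypothetical OAuth provider implementing the PIN (out-of-band) flow."""
    consumers: Dict[str, str]                       # consumer key -> consumer secret
    request_tokens: Dict[str, RequestToken] = field(default_factory=dict)
    access_tokens: Dict[str, str] = field(default_factory=dict)  # token -> consumer key

    def issue_request_token(self, consumer_key: str) -> Tuple[str, str]:
        """Step 1: the application trades its consumer credentials for a request token."""
        if consumer_key not in self.consumers:
            raise PermissionError("unknown consumer")
        token, secret = secrets.token_hex(8), secrets.token_hex(16)
        self.request_tokens[token] = RequestToken(consumer_key, secret)
        return token, secret

    def authorize(self, request_token: str) -> str:
        """Steps 2-3: user authorizes in the browser and is shown a PIN (never sent to the app)."""
        rt = self.request_tokens[request_token]
        rt.pin = f"{secrets.randbelow(10**7):07d}"   # constructed 7-digit PIN
        return rt.pin

    def exchange(self, request_token: str, pin: str) -> str:
        """Step 4: request token + PIN -> access token; fails without the right PIN or on replay."""
        rt = self.request_tokens.get(request_token)
        if rt is None or rt.used or rt.pin is None:
            raise PermissionError("request token invalid, not yet authorized, or already used")
        if not hmac.compare_digest(rt.pin, pin):   # constant-time PIN comparison
            raise PermissionError("PIN does not match this request token")
        rt.used = True
        access = secrets.token_hex(16)
        self.access_tokens[access] = rt.consumer_key
        return access


def run_flow(provider: Provider, consumer_key: str, typed_pin: Optional[str] = None) -> str:
    """Runs steps 1-4 for one application instance; typed_pin overrides what the user enters."""
    token, _secret = provider.issue_request_token(consumer_key)
    shown_pin = provider.authorize(token)
    return provider.exchange(token, typed_pin if typed_pin is not None else shown_pin)
```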