Check out OAuth 1.0a: http://groups.google.com/group/twitter-api-announce/browse_frm/thread/472500cfe9e7cdb9?hl=en
You can use oauth_callbacks again.

On Sun, Jun 28, 2009 at 14:14, Simbolo<[email protected]> wrote:
>
> I understand why the OAuth callback mechanism was disabled because of
> the recent vulnerability.
>
> But a better approach, that maintains security and avoids the
> vulnerability, is to lock down the return URL that the user is
> redirected to after authorizing their token.
>
> Twitter now redirects to a static URL we specify on the application
> page, which is fine. The problem is when our apps have different sign-in
> flows.
>
> Sometimes we will register a user via Twitter; other times, an
> existing user wants to add a Twitter function to their account, for
> example.
>
> I propose that instead of locking down the return URL to a single one,
> we instead set base domains.
>
> This way I can specify any return URL as the callback, but it will
> only be valid and used IF the domain in that URL matches the domain on
> the application's account.
>
> The main problem I have is that I have the same application running on
> different domains, such as example.com, example.de, example.fr, etc.
>
> Redirecting users back to example.com all the time breaks the flow, as
> the user is actually using the French version at example.fr.
>
> Creating multiple applications can be a headache.
>

--
Abraham Williams | Community Evangelist | http://web608.org
Hacker | http://abrah.am | http://twitter.com/abraham
Project | http://fireeagle.labs.poseurtech.com
This email is: [ ] blogable [x] ask first [ ] private.

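The base-domain check Simbolo proposes in the quoted message, written out as an added example; this is not Twitter's code and not code from either correspondent. It accepts a per-flow oauth_callback only when the URL's host is one of the registered domains or a label-wise subdomain of one, and otherwise falls back to the static callback. The registered domains (the example.com / example.de / example.fr deployment from the message), the static callback URL and the sample callbacks are constructed for illustration.

```python
"""Registered-base-domain check for an OAuth callback URL.

Added example: accept an arbitrary oauth_callback only when its host belongs
to one of the domains registered for the application, else fall back to the
application's static callback. Not Twitter's implementation.
"""

from urllib.parse import urlsplit

# Constructed sample registration: the multi-TLD deployment from the message.
REGISTERED_DOMAINS = {"example.com", "example.de", "example.fr"}

# Constructed stand-in for the static URL held on the application page.
STATIC_CALLBACK = "https://example.com/auth/twitter/callback"


def _normalize_host(host: str) -> str:
    """Lower-case and strip a trailing dot so 'Example.COM.' matches 'example.com'."""
    return host.lower().rstrip(".")


def host_matches(host: str, domain: str) -> bool:
    """True when host equals domain or sits below it on a label boundary.

    A bare endswith() would accept 'notexample.com' for 'example.com';
    requiring the '.' boundary rules that out.
    """
    host, domain = _normalize_host(host), _normalize_host(domain)
    return host == domain or host.endswith("." + domain)


def is_callback_allowed(callback: str, registered_domains=REGISTERED_DOMAINS) -> bool:
    """Decide whether a requested callback may be used instead of the static one."""
    try:
        parts = urlsplit(callback)
    except ValueError:          # e.g. malformed IPv6 literal
        return False
    if parts.scheme not in ("http", "https"):
        return False            # rejects javascript:, data:, and scheme-relative '//'
    if "@" in parts.netloc:
        return False            # 'https://example.com@evil.net/' belongs to evil.net
    host = parts.hostname       # already lower-cased, port and userinfo removed
    if not host:
        return False
    return any(host_matches(host, d) for d in registered_domains)


def choose_callback(requested, registered_domains=REGISTERED_DOMAINS,
                    default=STATIC_CALLBACK) -> str:
    """Use the per-flow callback when it passes the check, else the static URL."""
    if requested and is_callback_allowed(requested, registered_domains):
        return requested
    return default


if __name__ == "__main__":
    # Constructed sample callbacks: the legitimate sign-up / link flows from
    # the message, plus the usual attempts to smuggle a foreign host past a
    # naive string comparison.
    samples = [
        "https://example.fr/auth/twitter/link",
        "https://app.example.com/signup/twitter",
        "http://Example.DE./cb?state=1",
        "https://example.com:8443/cb",
        "https://example.com.evil.net/cb",
        "https://example.com@evil.net/cb",
        "https://evil.net/?return=https://example.com/",
        "https://notexample.com/cb",
        "javascript:alert(1)",
        "//example.com/cb",
    ]
    for url in samples:
        print(f"{is_callback_allowed(url)!s:5}  {url}  ->  {choose_callback(url)}")
```

The check is deliberately host-only, which is exactly what the proposal asks for and what it costs: any path on a registered domain is accepted, so an open redirect on example.com would still carry the authorized request token off-site, which is the risk the single static URL avoids. It also does not stand in for the oauth_verifier round trip that OAuth 1.0a added for the session-fixation problem; it only decides where the user lands afterwards.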