You DO NOT need the PIN for a browser app.  It is ONLY REQUIRED for desktop
apps.

1.  oauth_consumer_key = Consumer key given to you by Twitter
2.  oauth_token = The token
3.  oauth_signature_method = "HMAC-SHA1"
4.  oauth_signature = computed HMAC-SHA1 hash value of the other parameters
5.  oauth_timestamp = the number of seconds since Jan 1 1970
6.  oauth_nonce = a unique value.  I would suggest using a GUID.

For the signature, here is an example of what needs to be hashed:  this is a
GET request to "rate_limit_status"

GET&http%3A%2F%2Ftwitter.com%2Faccount%2Frate_limit_status.xml&oauth_consumer_key%3DYourConsumerKey%26oauth_nonce%3D0f419e62-8680-468f-a647-0532706af529%26oauth_signature_method%3DHMAC-SHA1%26oauth_timestamp%3D1263999954%26oauth_token%3D36116361-8YRR4w9rRwz7HOc0nYTMmNWjCDrQdFYtnPwsiP7jm%26oauth_version%3D1.0

You would take this value and hash it.  The KEY to the hash would be
"yourConsumerSecret&tokenSecret", and "tokenSecret" is allowed to be blank
for the cases where you don't have the secret.

Even though the documentation says the "oauth_version" is optional, I
include it anyway.

Ryan

On Wed, Jan 20, 2010 at 9:59 AM, eco_bach <bac...@gmail.com> wrote:

> Hi
> According to the offcial OAuth spec, in order to obtain an access
> token, the consumer request MUST contain the following parameters
>
>                1 oauth_consumer_key:The Consumer Key.
>                2 oauth_token:The Request Token obtained previously.
>                3 oauth_signature_method: The signature method the Consumer
> used to
> sign the request.
>                4 oauth_signature: The signature as defined in Signing
> Requests
> (Signing Requests).
>                5 oauth_timestamp: As defined in Nonce and Timestamp (Nonce
> and
> Timestamp).
>                6 oauth_nonce: As defined in Nonce and Timestamp (Nonce and
> Timestamp).
>
> I'm developing a web application in Flash and hence, NOT using the
> extra pin handshake. (at least I've been told it wasn't necessary, my
> Application Type is defined as 'Browser').
>
> So far, I've been unsuccessful, 'verified'= false in my access token
> request handler.
> Can someone cofirm for me that I in fact don't need the PIN, and if
> so, do I need to explicitly define all six parametres above in my
> request?
> Thanks for any feedback!
>

Reply via email to