what i would do (with the caveat that i'm speaking as myself and not necessarily as a twitter employee ;P):
make a proxy that uses xauth - you could still ask for a username/password, use xauth to do the exchange with twitter, and then proxy the basic auth to oauth. the caveat is that i stated that xauth will not be allowed for "web applications", but i can think of a few creative ways around that.

alternatively, assuming that your proxy can still see twitter.com (it is positioned somewhere where the DNS isn't poisoned), then there is nothing preventing that proxy from doing the oauth web workflow on behalf of the user. definitely not kosher, and may not scale...

On Fri, Feb 12, 2010 at 3:40 AM, yegle <[email protected]> wrote:

> I read the WRAP draft. I have to say that it's much simpler than OAuth
> 1.0a.
> It doesn't need too much modification to twitter client to support API
> proxy, if xauth is widely available.
>
> Thank you all for your replies and concerns :-)
>
> On Feb 12, 7:04 pm, yegle <[email protected]> wrote:
> > Oh yes I forgot that HTTP proxy resolves the domain name at server
> > side :-)
> >
> > On Feb 12, 6:18 pm, Harshad RJ <[email protected]> wrote:
> > > On Fri, Feb 12, 2010 at 12:17 PM, yegle <[email protected]> wrote:
> > > > Nope, it doesn't work :-(
> > > > All DNS queries to twitter.com inside China are poisoned and all
> > > > twitter's available IPs are blocked.
> > >
> > > Oh btw, I meant HTTPS proxies that sit outside the firewall.
> > >
> > > I assume that DNS queries for twitter.com would be run by the proxy server
> > > and not the client. (Tried to RTFM but still not very familiar with the
> > > protocol)
> > >
> > > --
> > > Harshad RJ
> > > http://hrj.wikidot.com

--
Raffi Krikorian
Twitter Platform Team
http://twitter.com/raffi
