Hi Rufo,

The best way to approach this scenario is that you would:

  A) Collect access tokens through xAuth on your iPhone application.
  B) Using some secure means, you would transmit the access tokens to your
server-side application, associating them with the user.
  C) For new users to your site who aren't already associated through xAuth
on your iPhone application, you would use the standard OAuth flow to obtain
an access token.

The key takeaway is not to surprise your users. If it isn't clear that by
signing in on the iPhone it will also create a server-side integration on
your website, it should be. Take care in making sure that access tokens
don't "bleed" in that it's not possible for a user to use an access token
belonging to another user.

Taylor Singletary
Developer Advocate, Twitter
http://twitter.com/episod


On Mon, May 24, 2010 at 8:45 AM, Rufo Sanchez <r...@rufosanchez.com> wrote:

> I'm currently developing an iPhone app that interfaces with Twitter.
> On initial purchase and setup, the application would function
> completely independent of our service, interacting directly with
> Twitter, and can continue to be used without our service. This is the
> typical use case of xAuth, so no problems here.
>
> However, if the user chooses, our server will monitor Twitter on
> behalf of the user for the purpose of sending push notifications. This
> choice would be opt-in, obvious in function and be described clearly.
>
> For the best user experience, I'd like to be able to just pass the
> OAuth tokens to the server for its use, rather than requiring the user
> to go through an additional round of authentication. Is this
> acceptable, or would I need to force the user to go through a round of
> OAuth authentication?
>
> I tried to research this a bit, but didn't see anything that directly
> addresses this issue. Thanks for any advice!
>
> Rufo
>
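An added example, not code from either message or from Twitter, of the server side of steps B and C above: the server accepts an access token only after a credential check confirms it, binds it to the app user who is already tied to that Twitter account, and scopes every lookup by app user so one user can never reach another user's token. The Twitter check is a constructed stand-in (a dict and `constructed_verify`); a real server would call the API with the token over TLS instead.

```python
import hmac
from dataclasses import dataclass

# Constructed stand-in for Twitter's credential check: maps an access token
# to its secret and the Twitter account it was issued for.
CONSTRUCTED_TWITTER = {
    "tok-alice": {"secret": "sec-alice", "twitter_id": "1001"},
    "tok-bob":   {"secret": "sec-bob",   "twitter_id": "1002"},
}


def constructed_verify(token, secret):
    """Hypothetical verify_credentials: return the owning Twitter id or None."""
    rec = CONSTRUCTED_TWITTER.get(token)
    if rec is None or not hmac.compare_digest(rec["secret"], secret):
        return None
    return rec["twitter_id"]


@dataclass(frozen=True)
class StoredToken:
    twitter_id: str
    token: str
    secret: str


class TokenStore:
    """Server-side token store keyed by the app's own authenticated user id."""

    def __init__(self, verify):
        self._verify = verify   # callable(token, secret) -> twitter_id or None
        self._by_user = {}      # app_user_id -> StoredToken

    def associate(self, app_user_id, expected_twitter_id, token, secret):
        """Step B: store a token the iPhone app sent up, or return None.

        The token is rejected unless Twitter confirms it AND it belongs to the
        Twitter account already linked to this app user, so a user cannot
        register a token that was issued to someone else.
        """
        twitter_id = self._verify(token, secret)
        if twitter_id is None or twitter_id != expected_twitter_id:
            return None
        self._by_user[app_user_id] = StoredToken(twitter_id, token, secret)
        return twitter_id

    def token_for(self, app_user_id):
        """Lookups are only by app user; there is no path by token or Twitter id."""
        return self._by_user.get(app_user_id)
```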
