
OAuth Echo - identity verification delegation (draft example workflow)

This serves as an example of how OAuth delegation could work. In this example, a user has authorized Tweetie, and would like to use TwitPic to store photos. The TwitPic API has an endpoint named upload which currently takes image data, and a Twitter username and password. When Tweetie currently calls this endpoint, TwitPic presumably calls Twitter to verify the credentials, as identification for the user, before saving the photo. In the workflow diagrammed below, Tweetie makes a call to TwitPic with the appropriate parameters, and also passes an OAuth Authorization header signed for Twitter. TwitPic can then call account/verify_credentials with that header. Twitter verifies the delegated identity verification request, and TwitPic can then save the image and return the image's URL to Tweetie.

Consumer (C)
⁃ Has consumer token/secret for SP
⁃ Has Twitter access token/secret for U

Delegator (D)
⁃ Has the protected resource PR

Service Provider (SP)

1. Request (C to D)
POST upload (protected resource, PR)
⁃ Includes image to store
⁃ Includes x_auth_service_provider to specify who to authenticate against (SP's base URL - e.g. http://twitter.com/)
⁃ Includes x_verify_credentials_authorization parameter which is the Authorization header that C would have sent to SP if calling account/verify_credentials directly

2. Request to verify identity (D to SP)
POST account/verify_credentials
⁃ Temporarily store image and make request to Twitter
⁃ Use the x_auth_service_provider value that was passed to determine who SP is
⁃ Send the x_verify_credentials_authorization value that was passed as the contents of the Authorization header

3. Verify identity (SP to D)
⁃ Authorize the call to account/verify_credentials as a regular OAuth call
⁃ Return 2xx if valid, else return error
⁃ Twitter will also include the <user> object with the response if successful

OAuth 1.0a Echo - Identity verification delegation (draft example workflow)


Raffi Krikorian <raffi@twitter.com>
10 February 2010
OAuth Echo Restricted - identity verification delegation (draft example workflow)
This is an extension to the previous workflow in which the Consumer doesn't want just any Delegator to verify his user. Here the identity verification message is created specifically so only the named Delegator can relay it. To support this workflow, however, the Delegator must also sign the message before passing it on to the Service Provider.

Consumer (C)
⁃ Has consumer token/secret for SP
⁃ Has Twitter access token/secret for U

Delegator (D)
⁃ Has the protected resource PR
⁃ Has consumer token/secret for SP

Service Provider (SP)

1. Request (C to D)
POST upload (protected resource, PR)
⁃ Includes image to store
⁃ Includes x_auth_service_provider to specify who to authenticate against (SP's base URL - e.g. http://twitter.com/)
⁃ Includes x_delegator to specify D's unique name with respect to SP (e.g. TwitPic)
⁃ Includes x_verify_credentials_authorization parameter which is the Authorization header that C would have sent to SP if calling account/verify_credentials directly (both x_auth_service_provider and x_delegator, of course, should be part of the signature base string)

2. Request to verify identity (D to SP)
POST account/verify_credentials
⁃ Temporarily store image and make request to Twitter
⁃ Use the x_auth_service_provider value that was passed to determine who SP is
⁃ Include x_verify_credentials_authorization, which contains the value of x_verify_credentials_authorization from the call between C and D
⁃ Sign with D's consumer token/secret

3. Verify identity (SP to D)
⁃ Verify the OAuth call as usual
⁃ Recognize that this is an Echo Restricted call because of the presence of x_verify_credentials_authorization
⁃ Verify the nested signature in x_verify_credentials_authorization
⁃ Make sure that the name of D matches x_delegator
⁃ Return 2xx if valid, else return error
⁃ Twitter will also include the <user> object with the response if successful

OAuth 1.0a Echo Restricted - Identity verification delegation (draft example workflow)
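Both workflows above, basic Echo and Echo Restricted, as an added worked example in Python. This is not code from the slides, from Twitter or from TwitPic; it models C, D and SP in one process (method calls stand in for the HTTP requests) on top of plain OAuth 1.0a HMAC-SHA1 signing. Assumptions that the slides do not state: the consumer keys, access token and user name; the path account/verify_credentials under the SP base URL; and, in the Restricted flow, that D forwards x_auth_service_provider and x_delegator as body parameters next to x_verify_credentials_authorization so that SP can recompute the nested signature and compare the delegator name. The demo at the end also shows why Restricted exists: a basic Echo header is accepted from whichever party relays it, while a Restricted header minted for TwitPic is rejected when another delegator relays it as received (delegator mismatch) or after rewriting x_delegator to its own name (nested signature fails).

```python
"""OAuth 1.0a Echo (basic and Restricted) modelled in one process: Consumer C
(Tweetie), Delegator D (TwitPic) and Service Provider SP (Twitter).  Method calls
stand in for HTTP; signing is plain OAuth 1.0a HMAC-SHA1 (RFC 5849).  All keys,
tokens, names and URLs are constructed for this example."""
import base64, hashlib, hmac, secrets, time
from urllib.parse import quote, unquote

SP_BASE = "http://twitter.com/"                        # x_auth_service_provider value
VERIFY = SP_BASE + "account/verify_credentials"        # assumed path for the endpoint on the slides

def enc(s):                                            # RFC 5849 section 3.6 percent-encoding
    return quote(str(s), safe="-._~")

def signature(method, url, params, consumer_secret, token_secret=""):
    """HMAC-SHA1 over the signature base string; params = oauth_* plus body parameters."""
    pairs = sorted((enc(k), enc(v)) for k, v in params.items())
    base = "&".join([method.upper(), enc(url), enc("&".join(f"{k}={v}" for k, v in pairs))])
    key = f"{enc(consumer_secret)}&{enc(token_secret)}".encode()
    return base64.b64encode(hmac.new(key, base.encode(), hashlib.sha1).digest()).decode()

def sign_header(method, url, ckey, csecret, token=None, tsecret="", extra=None):
    """Mint an Authorization header; `extra` = signed non-oauth_* params sent in the body."""
    oauth = {"oauth_consumer_key": ckey, "oauth_signature_method": "HMAC-SHA1",
             "oauth_timestamp": str(int(time.time())), "oauth_nonce": secrets.token_hex(8),
             "oauth_version": "1.0"}
    if token:                                          # absent for D's 2-legged call
        oauth["oauth_token"] = token
    oauth["oauth_signature"] = signature(method, url, {**oauth, **(extra or {})}, csecret, tsecret)
    return "OAuth " + ", ".join(f'{enc(k)}="{enc(v)}"' for k, v in oauth.items())

def parse_header(header):
    items = (p.strip().split("=", 1) for p in header[len("OAuth "):].split(","))
    return {unquote(k): unquote(v.strip('"')) for k, v in items}

class ServiceProvider:
    """SP side: registered consumers (key -> secret, app name) and issued access tokens."""
    def __init__(self):
        self.consumers = {"tweetie-key": ("tweetie-secret", "Tweetie"), "twitpic-key": ("twitpic-secret", "TwitPic"),
                          "other-key": ("other-secret", "OtherPic")}
        self.tokens = {"u-token": ("u-token-secret", "alice")}
        self.seen = set()                              # (consumer_key, nonce) pairs already accepted

    def check(self, method, url, header, extra):
        """Regular OAuth 1.0a verification; returns (app name, user or None)."""
        p = parse_header(header)
        csecret, app = self.consumers.get(p["oauth_consumer_key"], (None, None))
        tsecret, user = self.tokens.get(p.get("oauth_token"), ("", None))
        if csecret is None or (p["oauth_consumer_key"], p["oauth_nonce"]) in self.seen:
            raise PermissionError("unknown consumer or replayed nonce")
        params = {**{k: v for k, v in p.items() if k != "oauth_signature"}, **extra}
        if not hmac.compare_digest(signature(method, url, params, csecret, tsecret), p["oauth_signature"]):
            raise PermissionError("bad signature")
        self.seen.add((p["oauth_consumer_key"], p["oauth_nonce"]))
        return app, user

    def verify_credentials(self, header, body):
        """POST account/verify_credentials: basic Echo relays C's header; Restricted wraps it."""
        if "x_verify_credentials_authorization" not in body:
            return {"screen_name": self.check("POST", VERIFY, header, body)[1]}
        delegator, _ = self.check("POST", VERIFY, header, body)          # D signed the outer call
        covered = {k: body[k] for k in ("x_auth_service_provider", "x_delegator")}
        _, user = self.check("POST", VERIFY, body["x_verify_credentials_authorization"], covered)
        if delegator != body["x_delegator"]:           # C minted the header for a different D
            raise PermissionError("delegator mismatch")
        return {"screen_name": user}

class Delegator:
    """D side.  Relays only to the allow-listed SP; otherwise C could point D at any URL."""
    def __init__(self, sp, name, ckey, csecret):
        self.sp, self.name, self.ckey, self.csecret, self.photos = sp, name, ckey, csecret, {}

    def upload(self, image, x_auth_service_provider, x_verify_credentials_authorization, x_delegator=None):
        if x_auth_service_provider != SP_BASE:
            raise ValueError("unknown service provider")
        url = x_auth_service_provider + "account/verify_credentials"
        if x_delegator is None:                        # basic Echo: forward C's header unchanged
            user = self.sp.verify_credentials(x_verify_credentials_authorization, {})
        else:                                          # Restricted: wrap it in a call D signs itself
            body = {"x_verify_credentials_authorization": x_verify_credentials_authorization,
                    "x_auth_service_provider": x_auth_service_provider, "x_delegator": x_delegator}
            user = self.sp.verify_credentials(sign_header("POST", url, self.ckey, self.csecret, extra=body), body)
        link = f"http://{self.name.lower()}.example/{user['screen_name']}/{len(self.photos) + 1}"
        self.photos[link] = image                      # stored only after SP returned the <user>
        return link

def consumer_header(delegator_name=None):
    """C mints the header it would have sent to SP; Restricted binds SP and D into the base string."""
    extra = {"x_auth_service_provider": SP_BASE, "x_delegator": delegator_name} if delegator_name else None
    return sign_header("POST", VERIFY, "tweetie-key", "tweetie-secret", "u-token", "u-token-secret", extra)

def demo():
    sp = ServiceProvider()
    twitpic = Delegator(sp, "TwitPic", "twitpic-key", "twitpic-secret")
    other = Delegator(sp, "OtherPic", "other-key", "other-secret")
    png = b"\x89PNG constructed image bytes"
    basic = twitpic.upload(png, SP_BASE, consumer_header())
    restricted = twitpic.upload(png, SP_BASE, consumer_header("TwitPic"), x_delegator="TwitPic")
    relayed_basic = other.upload(png, SP_BASE, consumer_header())      # any relay can use a basic header
    rejected = []
    for x_delegator in ("TwitPic", "OtherPic"):       # relay as received, or rewrite x_delegator
        try:
            other.upload(png, SP_BASE, consumer_header("TwitPic"), x_delegator=x_delegator)
        except PermissionError as e:
            rejected.append(str(e))
    return basic, restricted, relayed_basic, rejected
```

Two points the slides leave to the implementer are made explicit here: SP records (consumer key, nonce) pairs so a relayed verify_credentials header cannot be replayed, and D refuses any x_auth_service_provider outside its allow-list, since otherwise the Consumer could make D post the user's header to an arbitrary URL. Timestamp windows and the real HTTP transport are omitted.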
