This serves as an example of how OAuth delegation could work. In this example, a user has authorized Tweetie, and would like to use TwitPic to store photos. The TwitPic API has an endpoint named upload which currently takes image data, and a Twitter username and password. When Tweetie currently calls this endpoint, TwitPic presumably calls Twitter to verify the credentials before saving the photo
identification for the user. In the workflow diagrammed below, Tweetie makes a call to TwitPic with the appropriate parameters, and also passes an OAuth authorization header signed to Twitter. TwitPic can then call account/verify_credentials with that header. Twitter verifies the delegated identity verification request, and TwitPic can then save the image, and return the image's URL to Tweetie.
1. Request (C to D)
   POST upload (protected resource, PR)
   ⁃ Includes image to store
   ⁃ Includes x_auth_service_provider to specify who to authenticate against (SP's base URL - e.g. http://twitter.com)
   ⁃ Includes x_delegator to specify D's unique name with respect to SP (e.g. TwitPic)
   ⁃ Includes x_verify_credentials_authorization parameter which is the Authorization header that C would have sent to SP if calling account/verify_credentials directly (both x_auth_service_provider and x_delegator, of course, should be part of the signature base string)

Consumer (C)
   ⁃ Has consumer token/secret for SP
   ⁃ Has Twitter access token/secret for U

Delegator (D)
   ⁃ Has the protected resource PR
   ⁃ Has consumer token/secret for SP

Service Provider (SP)
   ⁃ the presence of x_verify_credentials_authorization
   ⁃ Verify the nested signature in x_verify_credentials_authorization
   ⁃ Make sure that the name of D matches x_delegator
   ⁃ Return 2xx if valid, else return error
   ⁃ Twitter will also include the <user> object with the response if successful
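The two checks the Service Provider box lists (verify the nested signature, then confirm x_delegator names the calling D) as an added example; this is not Twitter's or the draft's code. It assumes D relays x_auth_service_provider and x_delegator as query parameters of GET account/verify_credentials, that the endpoint path is verify_credentials.json, and that SP already knows D's name from D's own outer consumer key.

```python
import base64, hashlib, hmac, time, uuid
from urllib.parse import quote, unquote, urlparse

VERIFY_URL = "http://twitter.com/account/verify_credentials.json"  # assumed SP endpoint

def pct(s):  # RFC 3986 percent-encoding as OAuth 1.0a requires
    return quote(str(s), safe="-._~")

def signature_base(method, url, params):
    # METHOD & url-without-query & sorted, encoded parameters
    u = urlparse(url)
    norm_url = f"{u.scheme}://{u.netloc}{u.path}"
    pairs = sorted((pct(k), pct(v)) for k, v in params.items())
    return "&".join([method.upper(), pct(norm_url), pct("&".join(f"{k}={v}" for k, v in pairs))])

def sign(base, consumer_secret, token_secret):
    key = f"{pct(consumer_secret)}&{pct(token_secret)}".encode()
    return base64.b64encode(hmac.new(key, base.encode(), hashlib.sha1).digest()).decode()

def consumer_build(ckey, csecret, token, tsecret, delegator):
    # C builds the header it would have sent to SP directly; the x_* parameters are
    # inside the signature base string, so D cannot re-point the header at another SP/D.
    oauth = {"oauth_consumer_key": ckey, "oauth_token": token,
             "oauth_signature_method": "HMAC-SHA1", "oauth_version": "1.0",
             "oauth_timestamp": str(int(time.time())), "oauth_nonce": uuid.uuid4().hex}
    extra = {"x_auth_service_provider": "http://twitter.com", "x_delegator": delegator}
    oauth["oauth_signature"] = sign(signature_base("GET", VERIFY_URL, {**oauth, **extra}), csecret, tsecret)
    return "OAuth " + ", ".join(f'{k}="{pct(v)}"' for k, v in oauth.items()), extra

def parse_header(header):
    if not header.startswith("OAuth "):
        raise ValueError("not an OAuth Authorization header")
    return {k: unquote(v.strip('"')) for k, v in (p.split("=", 1) for p in header[6:].split(", "))}

def sp_verify(nested_header, forwarded, authenticated_delegator, secrets):
    # SP side. `forwarded` = x_* parameters relayed by D; `authenticated_delegator` = D's
    # name from its outer consumer key; `secrets` maps (consumer_key, token) -> secrets.
    oauth = parse_header(nested_header)
    presented = oauth.pop("oauth_signature", "")
    try:
        csecret, tsecret = secrets[(oauth["oauth_consumer_key"], oauth["oauth_token"])]
    except KeyError:
        return 401, "unknown consumer key or token"
    expected = sign(signature_base("GET", VERIFY_URL, {**oauth, **forwarded}), csecret, tsecret)
    if not hmac.compare_digest(presented.encode(), expected.encode()):  # nested signature
        return 401, "nested signature invalid"
    if forwarded.get("x_delegator") != authenticated_delegator:  # name of D must match
        return 403, "x_delegator does not name the calling delegator"
    return 200, {"user": {"oauth_token": oauth["oauth_token"]}}  # SP attaches <user> here
```

The third test case below shows why x_delegator must be signed: a delegator that rewrites it to its own name breaks the nested signature instead of gaining a valid verification.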
OAuth 1.0a Echo Restricted - Identity verification delegation (draft example workflow)
Raffi Krikorian <raffi@twitter.com>
10 February 2010