On 4/17/09 2:51 AM, Abraham Williams wrote:
The correct flow is:
1) get request token from twitter.
2) send user to twitter with oauth_token for the first time.

Send the user to Twitter how, though? oauth/authorize? How do you know if this is the user's first time or not?

3) user returns and app uses request token to get user access token
which gets stored.

This is fine, unless the user returns with an access token and not the original request token. This is what currently happens with oauth/authenticate.

4) user comes back to site to sign in and is not signed in.
5) site gets request token from twitter.
6) user is sent to twitter with request oauth_token and is
automatically redirected back to site.
7) access oauth_token is returned with user which can be matched with
oauth_token_secret stored in the database.

This would work fine, assuming in step #2 you had some way of knowing whether a Twitter user had never previously OAuth authorized your app.

Dossy Shiobara              | do...@panoptic.com | http://dossy.org/
Panoptic Computer Network   | http://panoptic.com/
  "He realized the fastest way to change is to laugh at your own
    folly -- then you can let go and quickly move on." (p. 70)
