User information could be sent together with the OAuth access token
and secret (when exchanging the request token for an access token).
At that point the user's identity has been firmly established.  HTTPS
could be used here, to keep the user information private and credible.

On Apr 23, 2:38 pm, Matt Sanford <m...@twitter.com> wrote:
> Hi there,
>
>      I totally forgot about that change. Since the oauth callback is  
> unsigned it was too easy to forge that data. I'm trying to find a good  
> way to include it but right now calling verify_credentials is the best  
> workaround.
>
> Thanks;
>    – Matt Sanford / @mzsanford
>        Twitter API Developer
>
> On Apr 23, 2009, at 02:31 PM, mikehar wrote:
>
> > However, the callback no longer contains the user info. Why did this
> > change?
>
> > You can get the user info by calling account/
> > verify_credentials.format.
