Taylor,

We're definitely going to make it very clear when you opt in that
you're linking your account to an outside service. Glad to hear the
exchange of xAuth tokens from our app to the server won't be a
problem.

Thanks for the clarification!

Rufo

On Mon, May 24, 2010 at 12:30 PM, Taylor Singletary
<taylorsinglet...@twitter.com> wrote:
> Hi Rufo,
> The best way to approach this scenario is that you would:
>   A) Collect access tokens through xAuth on your iPhone application.
>   B) Using some secure means, you would transmit the access token to your
> server-side application, associating them with the user
>   C) For new users to your site who aren't already associated through xAuth
> on your iPhone application, you would use the standard OAuth flow to obtain
> an access token
> The key takeaway is not to surprise your users. If it isn't clear that by
> signing in on the iPhone it will also create a server-side integration on
> your website, it should be. Take care in making sure that access tokens
> don't "bleed" in that it's not possible for a user to use an access token
> belonging to another user.
> Taylor Singletary
> Developer Advocate, Twitter
> http://twitter.com/episod
>
>
> On Mon, May 24, 2010 at 8:45 AM, Rufo Sanchez <r...@rufosanchez.com> wrote:
>>
>> I'm currently developing an iPhone app that interfaces with Twitter.
>> On initial purchase and setup, the application would function
>> completely independent of our service, interacting directly with
>> Twitter, and can continue to be used without our service. This is the
>> typical use case of xAuth, so no problems here.
>>
>> However, if the user chooses, our server will monitor Twitter on
>> behalf of the user for the purpose of sending push notifications. This
>> choice would be opt-in, obvious in function and be described clearly.
>>
>> For the best user experience, I'd like to be able to just pass the
>> OAuth tokens to the server for its use, rather than requiring the user
>> to go through an additional round of authentication. Is this
>> acceptable, or would I need to force the user to go through a round of
>> OAuth authentication?
>>
>> I tried to research this a bit, but didn't see anything that directly
>> addresses this issue. Thanks for any advice!
>>
>> Rufo
>
>

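Added example, not part of the original thread and not Twitter's or the poster's code: one way a server could handle step B so that tokens do not "bleed" between users. It assumes the request is already authenticated (so `site_user_id` comes from the session, not from the app's payload) and that the hypothetical `whoami` callable wraps a signed account/verify_credentials request; `TokenStore`, `TokenBleedError`, the one-account-per-user policy and the sample tokens are constructed for illustration.

```python
class TokenBleedError(Exception):
    """A token would end up attached to, or usable by, the wrong account."""


class TokenStore:
    """In-memory stand-in for the server's token table (hypothetical)."""

    def __init__(self, whoami):
        # whoami(token, secret) returns the Twitter user id that the token
        # pair belongs to, or None if it is rejected. Assumption: in a real
        # deployment this wraps a signed account/verify_credentials request.
        self.whoami = whoami
        self.links = {}     # site user id -> (twitter id, token, secret)
        self.owner_of = {}  # twitter id -> site user id

    def link(self, site_user_id, token, secret):
        """Bind a token sent by the app to the already-authenticated site user."""
        twitter_id = self.whoami(token, secret)
        if twitter_id is None:
            raise TokenBleedError("token pair rejected by the provider")
        owner = self.owner_of.get(twitter_id)
        if owner is not None and owner != site_user_id:
            raise TokenBleedError("Twitter account is linked to another user")
        previous = self.links.get(site_user_id)
        if previous is not None:
            # Re-linking: drop the old reverse mapping so it cannot go stale.
            self.owner_of.pop(previous[0], None)
        self.links[site_user_id] = (twitter_id, token, secret)
        self.owner_of[twitter_id] = site_user_id
        return twitter_id

    def token_for(self, site_user_id):
        """Look up by session identity only, never by a client-supplied id."""
        entry = self.links.get(site_user_id)
        return None if entry is None else entry[1:]


# Constructed sample data: token pairs and the Twitter ids they belong to.
SAMPLE_TOKENS = {("tok-alice", "sec-alice"): 1001, ("tok-bob", "sec-bob"): 1002}


def demo_store():
    """Build a store whose provider check is an offline lookup table."""
    return TokenStore(lambda token, secret: SAMPLE_TOKENS.get((token, secret)))
```

The Twitter identity is taken from the token itself rather than from anything the client claims, and lookups are keyed only by the session user, so a replayed or misattributed token is refused at link time.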