Full OAuth is not possible for desktop/mobile apps, which is what I am
implementing.
The issue is this. After authenticating a request token a verifier is
supplied by Twitter to verify that the user allowed access. There are
a couple ways to send this verifier code back to the app.

1. For web apps, Twitter redirects to a developer supplied URL with
the verifier added in the query string. The app can easily grab the
verifier and use it in the request to exchange the request token for
an access token.

2. For desktop/mobile apps, there is really no good way to send it
back. Twitter offers the oob option which gives the user a pin number
that they would have to enter into the app. This pin acts like the
verifier.

What I am seeing is that this last step of getting the verifier is not
necessary. I am able to exchange the request token for an access
token after it has been authorized by the resource owner without
passing the verifier pin.

What I want to know is whether this is a bug or temporary behavior or
this is the expected behavior. The verifier is really not that
essential because Twitter already knows the user has authorized the
app. The verifier more allows the app to continue with the process of
authentication.

I would like to hear from the Twitter dev team on what the long term
plans are in regards to the verifier. Is it okay to ignore the
verifier for desktop/mobile apps? It is working without it anyway.

Thanks,
@talrahem


On Apr 21, 8:35 am, Arnaud Meunier <arn...@twitter.com> wrote:
> Hey Ali,
>
> Out of band / PIN code authentication is just one of the OAuth
> authentication flows we are supporting.
> Cf. http://dev.twitter.com/pages/auth_overview
>
> If your app can handle the full OAuth process, stick to it and forget about
> OOB :)
>
> Arnaud / @rno <http://twitter.com/rno>
>
> On Wed, Apr 20, 2011 at 10:23 PM, Ali <t.alra...@gmail.com> wrote:
> > Hi,
>
> > I've been experimenting with OAuth authentication with the Twitter API
> > for desktop/mobile apps and found out that the verifier pin is not
> > necessary. Once the request token is authorized, I am able to
> > exchange it for an access token without providing the pin code.
>
> > Is this the official expected behavior? I couldn't find any info on
> > OOB in the API documentation. It is just barely mentioned and the link
> > for more info doesn't work.
>
> > Is there any documented behavior regarding the verifier pin and
> > whether requiring the user to enter the pin is recommended or
> > required?
>
> > Thanks
>
> > --
> > Twitter developer documentation and resources: http://dev.twitter.com/doc
> > API updates via Twitter: http://twitter.com/twitterapi
> > Issues/Enhancements Tracker:
> > http://code.google.com/p/twitter-api/issues/list
> > Change your membership to this group:
> > http://groups.google.com/group/twitter-development-talk

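Added example, not part of the thread and not Twitter's code: a sketch of how an OAuth 1.0a provider can bind the verifier (callback value or OOB PIN) to the request token so that an exchange without it fails. The class, method names and the 7-digit PIN format are hypothetical.

```python
import hmac
import secrets


class RequestTokenStore:
    """In-memory request-token table for a hypothetical OAuth 1.0a provider."""

    def __init__(self):
        self._tokens = {}  # request token -> {"callback": ..., "verifier": ...}

    def issue(self, callback):
        # callback is a URL for web apps, or the literal "oob" for desktop/mobile.
        token = secrets.token_urlsafe(16)
        self._tokens[token] = {"callback": callback, "verifier": None}
        return token

    def authorize(self, token):
        # Called when the resource owner approves access; creates the verifier.
        state = self._tokens[token]
        if state["callback"] == "oob":
            verifier = f"{secrets.randbelow(10**7):07d}"  # PIN shown to the user
        else:
            verifier = secrets.token_urlsafe(16)  # appended to the callback URL
        state["verifier"] = verifier
        return verifier

    def exchange(self, token, verifier):
        # Design choice (assumption): any exchange attempt consumes the request
        # token, so a PIN cannot be guessed repeatedly against the same token.
        state = self._tokens.pop(token, None)
        if state is None or state["verifier"] is None:
            return None  # unknown, already used, or not yet authorized
        if not verifier:
            return None  # verifier missing: refuse to issue an access token
        expected = state["verifier"].encode()
        if not hmac.compare_digest(expected, verifier.encode()):
            return None  # wrong verifier
        return secrets.token_urlsafe(24)  # constructed stand-in for an access token
```
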