Twitter OAuth flow - vague about OOB / 3-legged auth and the overall flow, do I need a PIN?

Continued: Setting up Twitter OAuth without third-party libraries

Thanks to Mr. Nylander, I managed to get my OAuth class working (although after a long time)! However, I am confused by several aspects of the OAuth flow.

Here is a breakdown of what happens in the program I wrote:

== Edit: I think I will post partial code, it is difficult for me to explain in words alone ==

    // 1st code segment (the three segments share these usings)
    using System;
    using System.Diagnostics;
    using System.IO;
    using System.Net;

    // Step 1: obtain a request token. (The signed OAuth Authorization header
    // with oauth_callback=oob is not shown in this excerpt.)
    HttpWebRequest request = (HttpWebRequest)WebRequest.Create("https://api.twitter.com/oauth/request_token");
    string response = "";
    HttpWebResponse resp = (HttpWebResponse)request.GetResponse();
    using (StreamReader reader = new StreamReader(resp.GetResponseStream()))
    {
        response = reader.ReadToEnd();
    }

Up to this point I can get a response successfully.

Response → oauth_token=asjndiqufh9uf&oauth_token_secret=oinroiqurhwunwer&oauth_callback_confirmed=true

    // 2nd code segment
    // Step 2: open the authorize/authenticate page in the user's browser, passing the
    // raw request_token response as the query string. Note that this also puts
    // oauth_token_secret into the URL; only oauth_token is needed on this page.
    Process proc = new Process();
    proc.StartInfo.UseShellExecute = true;   // lets the OS open the URL in the default browser
    proc.StartInfo.FileName = "https://api.twitter.com/oauth/authenticate?" + response;
    proc.Start();

This takes the user (me) to a page where I have to choose whether to authorize the application or not. If I agree, I am taken to the PIN page.

    // 3rd code segment
    // Step 3: exchange the request token for an access token.
    // oauth_token / oauth_token_secret were parsed from `response` (parsing not shown).
    Console.WriteLine("Enter the PIN");
    string pin = Console.ReadLine();   // note: pin is read here but never sent as oauth_verifier
    baseString = generateBaseString("POST", "https://api.twitter.com/oauth/access_token", oauth_token);
    oauth_signature = generateSignature(baseString, oauth_token_secret);
    HttpWebRequest request2 = (HttpWebRequest)WebRequest.Create("https://api.twitter.com/oauth/access_token");
    request2.Method = "POST";
    request2.Headers["Authorization"] = generateAuthorizationHeader(oauth_token);
    string response2 = "";
    HttpWebResponse resp2 = (HttpWebResponse)request2.GetResponse();
    using (StreamReader reader = new StreamReader(resp2.GetResponseStream()))
    {
        response2 = reader.ReadToEnd();
    }
    Console.WriteLine(response2);

In the code, it simply asks for the PIN to be entered into the application, and then the final oauth_token and oauth_token_secret are returned in response2 for a fully working OAuth application. (tl;dr - at this point the application already has ALL the tokens it needs)

- If I am NOT logged in during the second code segment, regardless of whether I get the PIN code or not, I get a 401 Unauthorized error; I assume this is expected.

- If I am logged in during the second code segment and am redirected to the PIN page, but then choose NOT to enter the PIN code, or enter the wrong PIN code, in my application, I still get successful authentication and can get the final token without any problems. Why?

- Am I doing 3-legged OAuth or OOB OAuth?

- Why do I need a PIN?

- How should I use the PIN correctly (if I need it)?

- How should I authenticate without a PIN (if I do not need it)?

- How can I make sure that users do not always see the PIN page after authenticating once? I can put the callback in the very first request, but what if I don't want the user to be redirected to any page at all?

+3
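The step the third code segment leaves out is sending the PIN as oauth_verifier inside the signed access_token request. The following is an added Python illustration of OAuth 1.0a HMAC-SHA1 signing (RFC 5849) for that exchange; it is not the questioner's C# code and not any Twitter library. CONSUMER_KEY, CONSUMER_SECRET, the nonce and timestamp values are constructed placeholders, and the sample request_token response is the one quoted in the question.

```python
import base64
import hashlib
import hmac
import secrets
import time
from urllib.parse import quote

# Constructed placeholders, not real credentials.
CONSUMER_KEY = "CONSUMER_KEY_PLACEHOLDER"
CONSUMER_SECRET = "CONSUMER_SECRET_PLACEHOLDER"


def percent_encode(value) -> str:
    """OAuth 1.0a percent-encoding: only A-Z a-z 0-9 - . _ ~ stay unencoded (RFC 3986)."""
    return quote(str(value), safe="-._~")


def signature_base_string(method: str, url: str, params: dict) -> str:
    """METHOD&encoded-url&encoded(normalized params); params sorted by encoded key, then value."""
    pairs = sorted((percent_encode(k), percent_encode(v)) for k, v in params.items())
    normalized = "&".join(f"{k}={v}" for k, v in pairs)
    return "&".join([method.upper(), percent_encode(url), percent_encode(normalized)])


def signing_key(consumer_secret: str, token_secret: str = "") -> str:
    """encoded consumer secret + '&' + encoded token secret (empty until a token exists)."""
    return f"{percent_encode(consumer_secret)}&{percent_encode(token_secret)}"


def hmac_sha1_signature(base_string: str, key: str) -> str:
    """oauth_signature = base64(HMAC-SHA1(key, base string))."""
    digest = hmac.new(key.encode("utf-8"), base_string.encode("utf-8"), hashlib.sha1).digest()
    return base64.b64encode(digest).decode("ascii")


def oauth_params(token=None, verifier=None, callback=None, nonce=None, timestamp=None) -> dict:
    """The oauth_* protocol parameters for one request. nonce/timestamp are injectable so the
    output is deterministic in tests; otherwise they are freshly generated per request."""
    params = {
        "oauth_consumer_key": CONSUMER_KEY,
        "oauth_nonce": nonce or secrets.token_hex(16),
        "oauth_signature_method": "HMAC-SHA1",
        "oauth_timestamp": str(timestamp or int(time.time())),
        "oauth_version": "1.0",
    }
    if callback is not None:
        params["oauth_callback"] = callback    # request_token step: "oob" (PIN) or a URL
    if token is not None:
        params["oauth_token"] = token          # request token here, access token later on
    if verifier is not None:
        params["oauth_verifier"] = verifier    # the PIN the user typed, or the value from the callback
    return params


def authorization_header(method, url, params, consumer_secret, token_secret="", extra=None) -> str:
    """Sign every parameter of the request (oauth_* plus any body/query params in `extra`) and
    build the Authorization header. Only oauth_* parameters and the signature go in the header."""
    base = signature_base_string(method, url, dict(params, **(extra or {})))
    signature = hmac_sha1_signature(base, signing_key(consumer_secret, token_secret))
    header_params = dict(params, oauth_signature=signature)
    encoded = ", ".join(f'{percent_encode(k)}="{percent_encode(v)}"'
                        for k, v in sorted(header_params.items()))
    return "OAuth " + encoded


def parse_form_response(body: str) -> dict:
    """Token endpoints answer with form-encoded text: oauth_token=...&oauth_token_secret=...&..."""
    return dict(pair.split("=", 1) for pair in body.split("&") if "=" in pair)


def access_token_request(request_token_body: str, pin: str, nonce=None, timestamp=None) -> str:
    """What the third segment should send: the PIN goes in as oauth_verifier, is covered by the
    signature, and the signature is keyed with the request token secret from step 1."""
    rt = parse_form_response(request_token_body)
    params = oauth_params(token=rt["oauth_token"], verifier=pin, nonce=nonce, timestamp=timestamp)
    return authorization_header("POST", "https://api.twitter.com/oauth/access_token",
                                params, CONSUMER_SECRET, rt["oauth_token_secret"])


if __name__ == "__main__":
    # Sample request_token response quoted in the question above; the PIN is a constructed value.
    sample = "oauth_token=asjndiqufh9uf&oauth_token_secret=oinroiqurhwunwer&oauth_callback_confirmed=true"
    print(access_token_request(sample, pin="1234567"))
```

Because oauth_verifier is part of the signed parameter set, a wrong or missing PIN changes the signature as well as the parameter, so a provider that validates both will reject the exchange; the header never carries oauth_token_secret, which is only used as part of the signing key.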
1 answer

Am I doing 3-legged OAuth or OOB OAuth?

You do both. 3-legged means that a user is involved; 2-legged is business-to-business or service-to-service. OOB (out-of-band) means that you are explicitly opting in to a PIN-based authentication scheme. This basically means you are saying that you cannot receive the normal oauth_verifier parameter without the user manually entering the PIN.

Why do I need a PIN?

You get a PIN because you specify your callback as OOB. If you set up a real callback, you get the oauth_verifier directly in your application instead.

How should I use the PIN correctly (if I need it)?

You use it in the next step, when you exchange the request token for the access token; you pass it in that request as oauth_verifier.

How can I authenticate without a PIN (if I do not need it)?

You do need a PIN, or, if you are using a real callback, an oauth_verifier. They are the same thing; the only difference is that the PIN is printed on the screen so that the user can copy it into your application, while the oauth_verifier is picked up automatically by your application.

How can I make sure that users do not always see the PIN page after authenticating once? I can put the callback in the very first request, but what if I don't want the user to be redirected to ANY page at all?

You use a real callback that intercepts and uses the oauth_verifier.

- If I am logged in during the second code segment and am redirected to the PIN page, but then choose NOT to enter the PIN code, or enter the wrong PIN code, in my application, I still get successful authentication and can get the final token without any problems. Why?

It just can't be true. There must be a good reason for this; maybe your application already has an access token and just uses it?

+4
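To make the answer's point concrete (the PIN and the oauth_verifier are one value, delivered either on screen or on the callback URL, and the access_token exchange cannot succeed without it), here is an added in-memory toy provider in Python. It is a hypothetical model written for this page, not Twitter's implementation or any library; ToyProvider, run_flow, verifier_from_callback and the callback URL https://app.example/callback are constructed names, and the tokens it mints are random placeholders.

```python
import secrets
from urllib.parse import parse_qs, urlencode, urlparse


class ToyProvider:
    """In-memory stand-in for the provider side of the three steps (hypothetical, not Twitter)."""

    def __init__(self):
        self._request_tokens = {}  # request token -> state of that temporary credential
        self._access_tokens = {}   # access token -> its secret

    def request_token(self, callback: str) -> dict:
        """Step 1 (request_token): issue a temporary credential bound to the callback the
        client declared, either 'oob' or a URL the provider will redirect the browser to."""
        token, secret = secrets.token_hex(8), secrets.token_hex(16)
        self._request_tokens[token] = {"secret": secret, "callback": callback,
                                       "verifier": None, "authorized": False}
        return {"oauth_token": token, "oauth_token_secret": secret, "oauth_callback_confirmed": "true"}

    def authorize(self, token: str, user_approves: bool) -> dict:
        """Step 2 (authorize/authenticate): the user approves in the browser; the provider mints
        the verifier and hands it over as a PIN (oob) or as a query parameter on the callback."""
        entry = self._request_tokens.get(token)
        if entry is None or not user_approves:
            return {"outcome": "denied"}
        entry["verifier"] = secrets.token_hex(4)    # the PIN and oauth_verifier are this one value
        entry["authorized"] = True
        if entry["callback"] == "oob":
            return {"outcome": "show_pin", "pin": entry["verifier"]}
        query = urlencode({"oauth_token": token, "oauth_verifier": entry["verifier"]})
        return {"outcome": "redirect", "location": f"{entry['callback']}?{query}"}

    def access_token(self, token: str, verifier) -> dict:
        """Step 3 (access_token): succeed only if the token was authorized AND the verifier
        matches. The request token is consumed on every attempt, so a wrong guess cannot be
        retried and a successful exchange cannot be replayed."""
        entry = self._request_tokens.pop(token, None)
        if entry is None or not entry["authorized"]:
            return {"status": 401, "error": "request token unknown or not authorized"}
        if not verifier or not secrets.compare_digest(str(verifier), entry["verifier"]):
            return {"status": 401, "error": "oauth_verifier missing or wrong"}
        access, access_secret = secrets.token_hex(8), secrets.token_hex(16)
        self._access_tokens[access] = access_secret
        return {"status": 200, "oauth_token": access, "oauth_token_secret": access_secret}


def verifier_from_callback(location: str) -> str:
    """What a real callback handler does instead of asking the user to type a PIN."""
    return parse_qs(urlparse(location).query)["oauth_verifier"][0]


def run_flow(provider: ToyProvider, callback: str, approve: bool = True,
             user_copies_pin: bool = True, typed_pin=None) -> dict:
    """Drive the three steps as the client. For 'oob', user_copies_pin=True models the user
    copying the displayed PIN, otherwise `typed_pin` is what they entered (None = nothing);
    for a URL callback the verifier is taken from the redirect automatically."""
    rt = provider.request_token(callback)
    auth = provider.authorize(rt["oauth_token"], approve)
    if auth["outcome"] == "denied":
        return provider.access_token(rt["oauth_token"], None)
    if auth["outcome"] == "show_pin":
        verifier = auth["pin"] if user_copies_pin else typed_pin
    else:
        verifier = verifier_from_callback(auth["location"])
    return provider.access_token(rt["oauth_token"], verifier)


if __name__ == "__main__":
    p = ToyProvider()
    print(run_flow(p, "oob")["status"])                                   # correct PIN: 200
    print(run_flow(p, "oob", user_copies_pin=False, typed_pin="0000")["status"])  # wrong PIN: 401
    print(run_flow(p, "https://app.example/callback")["status"])          # real callback: 200
```

Run against this model, the behaviour the questioner reports (success with no PIN or a wrong PIN) is impossible, which is the answer's point: if the exchange succeeds, either the verifier was sent after all or the application is reusing an access token it already holds.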

Source: https://habr.com/ru/post/916275/

