
I'm working on an iPhone app that uses xAuth to log in to Twitter. The app also communicates with my own web service. Rather than maintain a user model inside the web service, I'd like to just allow anyone who's already authenticated via Twitter to make requests.

The high-level use case is this: the user logs into and interacts with Twitter through the app. They can also interact with my web service through the app. The web service itself never interacts with Twitter. Instead of maintaining a separate authentication system on my side, I'd like the server to say "OK, if Twitter says you're @joshfrench then you can have access."

I'm not sure how I should validate requests on the server side, though. How would I pass some proof of authentication from the mobile client to my web service? Can I send along the existing Twitter token and verify it from the server? Or somehow sign the request with my Twitter app's credentials? Is this even a valid use of OAuth?

Josh French

1 Answer

If you store your Twitter app key and secret on both the iPhone app and your server, and then somehow transmit the user's OAuth token (also called "access token") key/secret from the iPhone app to the server, then you can do the same type of API calls from the server.

require 'oauth'  # the oauth gem, which provides OAuth::Consumer and OAuth::AccessToken

# App (consumer) credentials, held on both the iPhone app and the server
consumer = OAuth::Consumer.new(app_key, app_secret)  # … remaining options (e.g. :site) elided in the original
# The user's access token key/secret, as transmitted from the iPhone app
access_token = OAuth::AccessToken.new(consumer, user_key, user_secret)
# Any signed call that Twitter accepts shows the token is valid
response = access_token.get('/stuff.xml')

So, is it okay to transmit that info from the app to the server? If you do it securely, and it's within the user's expectation for how the app behaves, then it's a perfectly fine use of OAuth.

It's possible that it's not allowed by Twitter's terms of service -- I could imagine there being something that says you can't transfer a user's access secret across the network, or some such thing. (Total wild speculation; I don't think it's particularly likely that that's the case.)

John Bachir
  • I don't actually need to access Twitter from my server, I'm just interested in re-using some established authentication in place of server-side auth on my end. Wouldn't your suggestion still require a server-side API call to Twitter for the sole purpose of seeing if the provided token is good? The thing I'm actually interested in (validity of token) would just be a side effect of the API call, then. What I'm looking for (I think) is a direct way to verify that an outside provider's token is good, as a way of simplifying authentication on my end. – Josh French Apr 08 '11 at 16:10
  • So you establish the user's Twitter identity on the iPhone app, and then you want to know if and when you are working with that same user when the iPhone app talks to your web service, without making any additional API calls. So you would need to somehow use your app token to verify the validity of the user's token. I don't think that's possible. – John Bachir Apr 08 '11 at 16:18
  • So 1) there's no dedicated OAuth method to do this, even if it does mean a call to the original provider; but 2) I could make a throw-away API call just to test the token? Update your answer & I'll mark it. – Josh French Apr 08 '11 at 16:36
  • Yeah, but if you securely transmit a secret from the iPhone app to the web app, then that's as good as authentication right there. – John Bachir Apr 08 '11 at 21:28
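The approach the answer and its comment thread settle on, as an added example that is not part of the original answer: the server receives the user's access token key/secret from the app, signs one throw-away request with the app's consumer credentials, and treats a successful response from Twitter as proof that the token (and so the identity) is genuine. It uses only the Ruby standard library (HMAC-SHA1 per OAuth 1.0a) rather than the oauth gem, and the HTTP transport is injectable so the logic runs offline. The verify_credentials endpoint path, the `oauth_encode`/`verify_twitter_identity` names and all credential values are assumptions for the example.

```ruby
# Added example, not from the original answer: server-side check of a Twitter
# access token handed over by the iPhone app, by making one signed API call.
require 'openssl'
require 'base64'
require 'securerandom'
require 'json'
require 'net/http'
require 'uri'

# Assumed endpoint: Twitter's verify_credentials call, which returns the
# authenticated user's profile (including screen_name) or an error status.
VERIFY_URL = 'https://api.twitter.com/1.1/account/verify_credentials.json'

# RFC 3986 percent-encoding as OAuth 1.0a requires (space => %20, never +).
def oauth_encode(value)
  value.to_s.b.gsub(/[^A-Za-z0-9\-._~]/) { |c| format('%%%02X', c.ord) }
end

# Signature base string: METHOD & encoded URL & encoded, sorted parameter list.
def signature_base_string(http_method, url, params)
  normalized = params.map { |k, v| [oauth_encode(k), oauth_encode(v)] }
                     .sort
                     .map { |k, v| "#{k}=#{v}" }
                     .join('&')
  [http_method.upcase, oauth_encode(url), oauth_encode(normalized)].join('&')
end

# HMAC-SHA1 over the base string, keyed with "consumer_secret&token_secret".
def hmac_sha1_signature(base_string, consumer_secret, token_secret)
  key = "#{oauth_encode(consumer_secret)}&#{oauth_encode(token_secret)}"
  Base64.strict_encode64(OpenSSL::HMAC.digest('sha1', key, base_string))
end

# Authorization header for a request signed with the app's key and the user's
# access token. nonce and timestamp are parameters so the output is testable.
def oauth_authorization_header(http_method, url, app_key, app_secret,
                               user_key, user_secret, query: {},
                               nonce: SecureRandom.hex(16),
                               timestamp: Time.now.to_i)
  oauth_params = {
    'oauth_consumer_key'     => app_key,
    'oauth_nonce'            => nonce,
    'oauth_signature_method' => 'HMAC-SHA1',
    'oauth_timestamp'        => timestamp.to_s,
    'oauth_token'            => user_key,
    'oauth_version'          => '1.0'
  }
  base = signature_base_string(http_method, url, oauth_params.merge(query))
  oauth_params['oauth_signature'] = hmac_sha1_signature(base, app_secret, user_secret)
  'OAuth ' + oauth_params.sort.map { |k, v| "#{oauth_encode(k)}=\"#{oauth_encode(v)}\"" }.join(', ')
end

# Default transport: a real HTTPS GET. Returns [status_code, body].
DEFAULT_TRANSPORT = lambda do |url, headers|
  uri = URI(url)
  req = Net::HTTP::Get.new(uri)
  headers.each { |k, v| req[k] = v }
  res = Net::HTTP.start(uri.host, uri.port, use_ssl: true) { |http| http.request(req) }
  [res.code.to_i, res.body]
end

# Verify the token the client sent. Only a token Twitter accepts yields a
# screen_name; anything else (401, malformed body) yields nil. The server
# relies on the screen_name Twitter reports, never on one claimed by the client.
def verify_twitter_identity(app_key, app_secret, user_key, user_secret,
                            transport: DEFAULT_TRANSPORT)
  auth = oauth_authorization_header('GET', VERIFY_URL, app_key, app_secret,
                                    user_key, user_secret)
  status, body = transport.call(VERIFY_URL, { 'Authorization' => auth })
  return nil unless status == 200
  JSON.parse(body)['screen_name']
rescue JSON::ParserError
  nil
end
```

The server holds the consumer secret and the user's token secret only for the duration of the check, and the identity it grants is whatever Twitter returns in the response, so a client cannot simply assert "I am @joshfrench". Since the token secret is transmitted from the app, the call from the app to the server must be over TLS, as the answer's "if you do it securely" requires.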