September 20, 2010

Twitter OAuth Procedure

After a week of figuring out how to interact with Twitter's OAuth implementation, I came up with a simple client that connects to their servers, obtains valid credentials and posts as if you were on the web page.

Well, it took me quite a long time to understand how this OAuth authentication procedure works, so I will explain what I learned:

Since August 31, 2010, Twitter's servers no longer accept "Basic Authentication". Before that date any client, or even a plain cURL command, could send the user name and password along with each request to update the status, fetch the timeline or send direct messages. Client apps were the ones handling the user's password, with all the responsibility that implies: if an app was compromised, or its credential handling was not good enough, that password could be passed on to third parties and end up in the wrong hands.

That's one of the main concerns OAuth takes away from users: with this new way of authenticating, the user does not hand their password to the client app at all; instead they simply approve that the app may talk to Twitter on their behalf. The following image should explain it better:

Ok, that's right, it doesn't help that much, but step by step we are going to cover how it works:

1.- The user downloads a brand new and fashionable client from the Internet.

2.- After a long wait the download finishes and he installs it.

3.- Because this new app uses OAuth, when the user tries to sign in with his user name and password the app behaves differently: it contacts Twitter's servers asking for a "Request Token". This is a simple HTTP POST request that identifies the app with the values Twitter issued when the app was registered with the Twitter API (the Consumer Key and the Consumer Secret). Only the Consumer Key travels in the request; the Consumer Secret never leaves the app and is used to sign the request.

4.- Twitter now knows that an application wants to act on someone's behalf, so it replies with a request token that lets the user grant the app access to his information and the ability to act like a lawyer for him. To complete this step the user is sent to Twitter's authorization page, logs in to his Twitter account, is shown an automatically generated 7-digit PIN code, and goes back to the application to enter that code.

5.- With the PIN code the app makes another request, now asking for the Access Token; it carries the Consumer Key, the request token and the PIN, and is signed with the Consumer Secret and the request token's secret (yeah, I know, it's too complicated). If everything goes right, Twitter answers with a unique access token and secret that bind that user to that app exclusively, so they are of no use to any other app, and the user can revoke them from his Twitter settings at any time without changing his password.

6.- Finally, the user is able to post that he is fashionable once again and keep in touch with his friends.
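The whole exchange in working code, as an added example that is not code from the original post or from the Mittratter client: an OAuth 1.0a HMAC-SHA1 signer that builds the `Authorization` header for steps 3, 5 and 6, the URL for step 4, and the check Twitter's side performs on each signed request. The consumer key/secret, tokens and PIN are constructed placeholders; the URLs are Twitter's OAuth endpoints and the 2010-era v1 status path; `oauth_callback=oob` ("out of band") is the value that selects the PIN flow. Nothing is sent over the network.

```python
# Added example: OAuth 1.0a HMAC-SHA1 signing for the PIN flow above.
# Keys, tokens and the PIN are constructed placeholders; nothing is sent to Twitter.
import base64, hashlib, hmac, secrets, time
from urllib.parse import quote, unquote

# Twitter's OAuth 1.0a endpoints; the status URL is the 2010-era API v1 path.
REQUEST_TOKEN_URL = "https://api.twitter.com/oauth/request_token"
AUTHORIZE_URL = "https://api.twitter.com/oauth/authorize"
ACCESS_TOKEN_URL = "https://api.twitter.com/oauth/access_token"
UPDATE_URL = "https://api.twitter.com/1/statuses/update.json"

# Constructed stand-ins for what app registration and the token responses return.
CONSUMER_KEY, CONSUMER_SECRET = "app-key-EXAMPLE", "app-secret-EXAMPLE"
REQUEST_TOKEN, REQUEST_SECRET = "req-token-EXAMPLE", "req-secret-EXAMPLE"
ACCESS_TOKEN, ACCESS_SECRET = "access-token-EXAMPLE", "access-secret-EXAMPLE"
PIN = "1234567"  # constructed 7-digit verifier the user copies from the browser

def pct(value):
    """RFC 3986 percent-encoding: OAuth leaves only A-Z a-z 0-9 - . _ ~ bare."""
    return quote(str(value), safe="-._~")

def signature_base_string(method, url, params):
    """METHOD&url&params, each piece encoded; params sorted, oauth_signature excluded."""
    pairs = sorted((pct(k), pct(v)) for k, v in params.items())
    normalized = "&".join(f"{k}={v}" for k, v in pairs)
    return "&".join((method.upper(), pct(url), pct(normalized)))

def sign(method, url, params, consumer_secret, token_secret=""):
    """HMAC-SHA1 keyed with consumer_secret&token_secret. The secrets are key
    material only: they never travel in the request, which is the whole point."""
    key = f"{pct(consumer_secret)}&{pct(token_secret)}".encode()
    base = signature_base_string(method, url, params).encode()
    return base64.b64encode(hmac.new(key, base, hashlib.sha1).digest()).decode()

def authorization_header(method, url, consumer_key, consumer_secret, token="",
                         token_secret="", params=None, oauth_extra=None,
                         nonce=None, timestamp=None):
    """Build the 'Authorization: OAuth ...' value for one request. `params` are the
    query/body parameters (signed, but sent in the URL or body); `oauth_extra`
    carries oauth_callback / oauth_verifier for the two token requests."""
    oauth = {"oauth_consumer_key": consumer_key,
             "oauth_nonce": nonce or secrets.token_hex(16),  # replay protection
             "oauth_signature_method": "HMAC-SHA1",
             "oauth_timestamp": str(timestamp or int(time.time())),
             "oauth_version": "1.0", **(oauth_extra or {})}
    if token:
        oauth["oauth_token"] = token
    signed = {**(params or {}), **oauth}
    oauth["oauth_signature"] = sign(method, url, signed, consumer_secret, token_secret)
    return "OAuth " + ", ".join(f'{pct(k)}="{pct(v)}"' for k, v in sorted(oauth.items()))

def parse_authorization_header(value):
    """'OAuth a="b", c="d"' -> {'a': 'b', 'c': 'd'}, values percent-decoded."""
    fields = {}
    for item in value[len("OAuth "):].split(", "):
        k, _, v = item.partition("=")
        fields[unquote(k)] = unquote(v.strip('"'))
    return fields

def verify(method, url, params, header, consumer_secret, token_secret=""):
    """Twitter's side: look up the secrets behind oauth_consumer_key/oauth_token,
    recompute the signature over the same inputs and compare in constant time."""
    oauth = parse_authorization_header(header)
    presented = oauth.pop("oauth_signature", "")
    expected = sign(method, url, {**params, **oauth}, consumer_secret, token_secret)
    return hmac.compare_digest(presented, expected)

def step3_request_token_header(nonce=None, timestamp=None):
    """Step 3: no token yet, so signed with the consumer secret alone;
    oauth_callback=oob ("out of band") is what selects the PIN flow."""
    return authorization_header("POST", REQUEST_TOKEN_URL, CONSUMER_KEY, CONSUMER_SECRET,
                                oauth_extra={"oauth_callback": "oob"},
                                nonce=nonce, timestamp=timestamp)

def step4_authorize_url(request_token):
    """Step 4: the page the app opens so the user logs in and is shown the PIN."""
    return f"{AUTHORIZE_URL}?oauth_token={pct(request_token)}"

def step5_access_token_header(pin, nonce=None, timestamp=None):
    """Step 5: the PIN goes in as oauth_verifier; signed with consumer + request secrets."""
    return authorization_header("POST", ACCESS_TOKEN_URL, CONSUMER_KEY, CONSUMER_SECRET,
                                REQUEST_TOKEN, REQUEST_SECRET,
                                oauth_extra={"oauth_verifier": pin},
                                nonce=nonce, timestamp=timestamp)

def step6_update_status_header(status, nonce=None, timestamp=None):
    """Step 6: every later API call is signed with consumer + access secrets."""
    return authorization_header("POST", UPDATE_URL, CONSUMER_KEY, CONSUMER_SECRET,
                                ACCESS_TOKEN, ACCESS_SECRET, params={"status": status},
                                nonce=nonce, timestamp=timestamp)

if __name__ == "__main__":
    for step, value in (("3", step3_request_token_header()), ("4", step4_authorize_url(REQUEST_TOKEN)),
                        ("5", step5_access_token_header(PIN)), ("6", step6_update_status_header("hi"))):
        print(step, value)
```

Two things worth noticing when you run it: none of the three secrets ever appears in a header, only the keys and tokens that name them, and `verify` rejects the same header if the method, URL, a body parameter or the token secret changes, which is what makes a captured request useless for anything but replaying it (and the nonce/timestamp pair exists so Twitter can refuse replays too). Twitter's API documentation publishes a worked signing example; feeding its values into `signature_base_string` and `sign` is a quick way to check an implementation like this one.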


Ok, it's a long road to walk just to get at Twitter information, but on the other hand it gives users' accounts more safety and services more reliability, granting access only to known apps, and only for as long as the user allows it. One caveat: a desktop client ships its Consumer Secret inside its own binary, where anyone can extract it, so the Consumer Key identifies the app but does not strongly prove which app is really talking to Twitter.

The next post will be about Mittratter, a simple desktop client for Mac OS X. More information:

Twitter API

oAuth

Beginner's Guide to oAuth
