OAuth Echo - identity verification delegation (draft example workflow)
This serves as an example of how OAuth identification delegation could work. In this example, a user has authorized Tweetie, and would like to use TwitPic to store photos. The TwitPic API has an endpoint named upload which currently takes image data, and a Twitter username and password. When Tweetie currently calls this endpoint, TwitPic presumably calls Twitter to verify the credentials before saving the photo for the user. In the workflow diagrammed below, Tweetie makes a call to TwitPic with the appropriate parameters, and also passes an OAuth authorization header signed to Twitter. TwitPic can then call account/verify_credentials with that header. Twitter verifies the delegated identity verification request, and TwitPic can then save the image, and return the image's URL to Tweetie.
1. Request (C to D)
POST upload (protected resource, PR)
⁃ Includes image to store
⁃ Includes x_auth_service_provider to specify who to authenticate against (SP's base URL - e.g. http://twitter.com/)
⁃ Includes x_verify_credentials_authorization parameter which is the Authorization header that C would have sent to SP if calling account/verify_credentials directly
Service Provider (SP)
Consumer (C)
⁃ Has consumer token/secret for SP
⁃ Has Twitter access token/secret for U
Delegator (D)
⁃ Has the protected resource PR
2. Request to verify identity (D to SP)
POST account/verify_credentials
⁃ Use the x_auth_service_provider value that was passed as the contents of the Authorization header to determine who SP is
⁃ Temporarily store image and make request to Twitter
3. Verify identity (SP to D)
⁃ Authorize the call to account/verify_credentials as a regular OAuth call
⁃ Return 2xx if valid, else return error
⁃ Twitter will also include the <user> object with the response if successful
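The Delegator's side of steps 1 to 3 in Python, as an added example that is not code from the draft, Tweetie or TwitPic: it rejects the upload unless x_auth_service_provider names a known SP, echoes the Authorization header to that SP's account/verify_credentials, and stores the image only once a 2xx response with a <user> object comes back. The allow-list, the sample parameters, the offline stand-in for Twitter and the twitpic.example URL are assumptions.

```python
import xml.etree.ElementTree as ET
from typing import Dict, Tuple

# Assumption (not in the draft): D keeps an allow-list of Service Providers it
# will echo credentials to, rather than forwarding to whatever URL C names.
ALLOWED_SERVICE_PROVIDERS = {"http://twitter.com/"}
VERIFY_ENDPOINT = "account/verify_credentials"

# Constructed sample of what C sends to D with "POST upload" (values are fake).
VALID_AUTH = 'OAuth oauth_consumer_key="ckey", oauth_token="atok", oauth_signature="sig"'
SAMPLE_PARAMS = {"x_auth_service_provider": "http://twitter.com/",
                 "x_verify_credentials_authorization": VALID_AUTH}


def build_verify_request(params: Dict[str, str]) -> Tuple[str, Dict[str, str]]:
    """Step 2: work out where the echoed Authorization header goes.
    Raises ValueError so D rejects the upload before storing anything."""
    sp = params.get("x_auth_service_provider", "")
    auth = params.get("x_verify_credentials_authorization", "")
    if sp not in ALLOWED_SERVICE_PROVIDERS:
        raise ValueError("unknown service provider: %r" % sp)
    if not auth.startswith("OAuth "):
        raise ValueError("x_verify_credentials_authorization is not an OAuth header")
    return sp + VERIFY_ENDPOINT, {"Authorization": auth}


def screen_name_from_response(body: bytes) -> str:
    """Step 3: SP's 2xx response carries a <user> object; pull the screen name out."""
    user = ET.fromstring(body)
    if user.tag != "user" or user.findtext("screen_name") is None:
        raise ValueError("response did not contain a <user> object")
    return user.findtext("screen_name")


def handle_upload(params: Dict[str, str], image: bytes, verify, storage: Dict[str, list]) -> dict:
    """D's side of steps 2 and 3: hold the image, ask SP who U is, then persist it."""
    url, headers = build_verify_request(params)
    status, body = verify(url, headers)          # verify() performs the HTTP call to SP
    if not 200 <= status < 300:
        return {"error": "identity verification failed", "status": status}
    user = screen_name_from_response(body)
    storage.setdefault(user, []).append(image)  # stored only for a verified user
    return {"user": user, "url": "http://twitpic.example/%s/%d" % (user, len(storage[user]))}


def fake_twitter_verify(url: str, headers: Dict[str, str]) -> Tuple[int, bytes]:
    """Stand-in for SP (constructed, offline): accepts only the sample header."""
    if url == "http://twitter.com/" + VERIFY_ENDPOINT and headers.get("Authorization") == VALID_AUTH:
        return 200, b"<user><id>1</id><screen_name>alice</screen_name></user>"
    return 401, b"<errors><error>Could not authenticate you.</error></errors>"
```

In production, verify() would be the real request to SP and the Authorization header must be forwarded unchanged, since it is signed for SP's endpoint and not for D.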