OAuth Echo - identity verification delegation (draft example workflow)
This serves as an example of how OAuth identification delegation could work. In this example, a user has authorized Tweetie, and would like to use TwitPic to store photos. The TwitPic API has an endpoint named upload which currently takes image data, and a Twitter username and password. When Tweetie currently calls this endpoint, TwitPic presumably calls Twitter to verify the credentials before saving the photo for the user. In the workflow diagrammed below, Tweetie makes a call to TwitPic with the appropriate parameters, and also passes an OAuth Authorization header signed for Twitter. TwitPic can then call account/verify_credentials with that header. Twitter verifies the delegated identity verification request, and TwitPic can then save the image and return the image's URL to Tweetie.

1. Request (C to D)
POST upload (protected resource, PR)
⁃ Includes image to store
⁃ Includes x_auth_service_provider to specify who to authenticate against (SP's base URL - e.g. http://twitter.com/)
⁃ Includes x_verify_credentials_authorization parameter which is the Authorization header that C would have sent to SP if calling account/verify_credentials directly

Consumer (C)
⁃ Has consumer token/secret for SP
⁃ Has Twitter access token/secret for U

Delegator (D)
⁃ Has the protected resource PR

2. Request to verify identity (D to SP)
POST account/verify_credentials
⁃ Use the x_auth_service_provider value that was passed to determine who SP is, and send x_verify_credentials_authorization as the contents of the Authorization header
⁃ Temporarily store image and make request to Twitter

3. Verify identity (SP to D)
⁃ Authorize the call to account/verify_credentials as a regular OAuth call
⁃ Return 2xx if valid, else return error
⁃ Twitter will also include the <user> object with the response if successful

Service Provider (SP)

OAuth 1.0a Echo - Identity verification delegation (draft example workflow) Raffi Krikorian <raffi@twitter.com> 10 February 2010

OAuth Echo Restricted - identity verification delegation (draft example workflow)
This is an extension to the previous workflow in which the Consumer doesn't want just any Delegator to verify his user. Here the identity verification message is created specifically so only the named Delegator can relay it. To support this workflow, however, the Delegator must also sign the message before passing it onto the Service Provider.

1. Request (C to D)
POST upload (protected resource, PR)
⁃ Includes image to store
⁃ Includes x_auth_service_provider to specify who to authenticate against (SP's base URL - e.g. http://twitter.com)
⁃ Includes x_delegator to specify D's unique name with respect to SP (e.g. TwitPic)
⁃ Includes x_verify_credentials_authorization parameter which is the Authorization header that C would have sent to SP if calling account/verify_credentials directly (both x_auth_service_provider and x_delegator, of course, should be part of the signature base string)

Consumer (C)
⁃ Has consumer token/secret for SP
⁃ Has Twitter access token/secret for U

Delegator (D)
⁃ Has the protected resource PR
⁃ Has consumer token/secret for SP

2. Request to verify identity (D to SP)
POST account/verify_credentials
⁃ Temporarily store image and make request to Twitter
⁃ Use the x_auth_service_provider value that was passed to determine who SP is
⁃ Include x_verify_credentials_authorization, which contains the value of x_verify_credentials_authorization from the call between C and D
⁃ Sign with D's consumer token/secret

3. Verify identity (SP to D)
⁃ Verify the OAuth call as usual
⁃ Recognize that this is an Echo Restricted call because of the presence of x_verify_credentials_authorization
⁃ Verify the nested signature in x_verify_credentials_authorization
⁃ Make sure that the name of D matches x_delegator
⁃ Return 2xx if valid, else return error
⁃ Twitter will also include the <user> object with the response if successful

Service Provider (SP)
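The Echo Restricted exchange above, as an added example (not code from the draft or from Twitter): the Consumer signs the nested account/verify_credentials header with x_auth_service_provider and x_delegator in the base string, and the Service Provider recomputes that signature and checks x_delegator against the Delegator that signed the outer request. It assumes the echo parameters travel as parameters inside the nested Authorization header, uses POST as the draft's step 2 does, and every key, token, nonce and timestamp below is a constructed placeholder.

```python
import base64
import hashlib
import hmac
from urllib.parse import quote, unquote

VERIFY_URL = "http://twitter.com/account/verify_credentials"  # SP endpoint named in the draft
METHOD = "POST"  # part of the base string, so C and D must agree on it (the draft's step 2 uses POST)

def pct(s):
    """RFC 3986 percent-encoding as OAuth 1.0a requires."""
    return quote(str(s), safe="-._~")

def base_string(method, url, params):
    """OAuth 1.0a signature base string: METHOD & enc(url) & enc(sorted normalized params)."""
    pairs = sorted((pct(k), pct(v)) for k, v in params.items())
    return "&".join([method.upper(), pct(url), pct("&".join(f"{k}={v}" for k, v in pairs))])

def sign(method, url, params, consumer_secret, token_secret):
    """Base64 HMAC-SHA1 over the base string, keyed with enc(consumer_secret)&enc(token_secret)."""
    key = f"{pct(consumer_secret)}&{pct(token_secret)}".encode()
    return base64.b64encode(hmac.new(key, base_string(method, url, params).encode(), hashlib.sha1).digest()).decode()

def build_echo_header(consumer_key, consumer_secret, token, token_secret, sp, delegator, nonce, ts):
    """Consumer side (step 1): the account/verify_credentials Authorization header C would send to SP,
    with x_auth_service_provider and x_delegator inside the signed base string (Echo Restricted)."""
    params = {"oauth_consumer_key": consumer_key, "oauth_token": token, "oauth_nonce": nonce,
              "oauth_timestamp": ts, "oauth_signature_method": "HMAC-SHA1", "oauth_version": "1.0",
              "x_auth_service_provider": sp, "x_delegator": delegator}
    params["oauth_signature"] = sign(METHOD, VERIFY_URL, params, consumer_secret, token_secret)
    return "OAuth " + ", ".join(f'{k}="{pct(v)}"' for k, v in sorted(params.items()))

def parse_header(header):
    """Split an 'OAuth k="v", ...' header back into a dict of decoded parameters."""
    body = header[len("OAuth "):]
    return {k: unquote(v.strip('"')) for k, v in (p.split("=", 1) for p in body.split(", "))}

def sp_verify_nested(header, outer_delegator, keystore):
    """Service Provider side (step 3): recompute the nested signature and require x_delegator to
    name the D that signed the outer request. A real SP also checks nonce/timestamp freshness."""
    p = parse_header(header)
    if (p.get("oauth_signature_method") != "HMAC-SHA1" or p.get("x_delegator") != outer_delegator
            or p.get("oauth_consumer_key") not in keystore or p.get("oauth_token") not in keystore):
        return False  # wrong algorithm, relayed by a D other than the one C named, or unknown keys
    unsigned = {k: v for k, v in p.items() if k != "oauth_signature"}
    expected = sign(METHOD, VERIFY_URL, unsigned, keystore[p["oauth_consumer_key"]], keystore[p["oauth_token"]])
    return hmac.compare_digest(expected, p.get("oauth_signature", ""))

if __name__ == "__main__":  # constructed sample credentials, not real ones; SP looks both secrets up by id
    hdr = build_echo_header("ck", "cs", "tk", "ts", "http://twitter.com/", "TwitPic", "n0", "1265760000")
    print(sp_verify_nested(hdr, "TwitPic", {"ck": "cs", "tk": "ts"}), sp_verify_nested(hdr, "Other", {"ck": "cs", "tk": "ts"}))
```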

