Recently, I started writing a Twitter app for Android, nothing big, just something to practice making apps with.
That requires some knowledge of OAuth, which Twitter, among other websites, uses for authentication.
What differentiates OAuth from the regular path of authentication – using a username and a password – is that the app never gets access to your login credentials, which is good, security-wise at least.
After a lot of reading, getting lost, and reading some more, I managed to understand a little about how OAuth works. It goes something like this:
There’s a protected resource, which is the user’s data you want access to.
To gain access to this data, the user has to authorize your application to access it.
You will need to register with the website to get a “Consumer key” and a “Consumer secret”; keep these secret, as they identify your application.
That authorization is represented by an “Access Token”, a long string that can be saved and reused for later access.
The access token is obtained by using a “Request Token”, which you get by requesting one from the website that holds the data you’re after.
Once you have a request token, there are two paths to authorization:
- Out-of-band (OOB) Authentication
- Using a verifier
In the first path, you use your request token to get a PIN code, a series of numbers that the user has to copy and enter into the application to authorize it.
The second path, which is more common, uses a string of characters and numbers instead of a PIN code. It is appended to a callback URL specified by the application owner, and the application extracts it to complete authentication.
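To make the three legs above concrete, here is an added example (my own illustration, not code from the post or from any Twitter library) of the OAuth 1.0a flow with HMAC-SHA1 request signing as specified in RFC 5849. It is written in Python rather than the app’s Java so it runs stand-alone; `FakeProvider` is an in-memory stand-in for the website, and every key, secret, URL, nonce and token in it is constructed for illustration. The request-token call is signed with the consumer secret alone, the access-token call with the consumer secret plus the request-token secret, and the provider checks the verifier (the PIN or callback value) before handing out the access token.

```python
"""OAuth 1.0a (RFC 5849) three-legged flow with HMAC-SHA1 request signing.

Constructed example: FakeProvider is an in-memory stand-in for a real
service such as Twitter; all keys, secrets, URLs and tokens are made up.
"""
import base64
import hashlib
import hmac
import secrets
import time
from urllib.parse import quote


def percent_encode(value):
    # OAuth 1.0 mandates RFC 3986 encoding: only ALPHA, DIGIT, "-", ".", "_", "~" stay unencoded
    return quote(str(value), safe="-._~")


def signature_base_string(method, base_url, params):
    # Normalise: encode each key and value, sort by key then value, join as k=v pairs with "&"
    pairs = sorted((percent_encode(k), percent_encode(v)) for k, v in params.items())
    normalized = "&".join(f"{k}={v}" for k, v in pairs)
    # Base string = METHOD & enc(URL without query) & enc(normalized parameters)
    return "&".join([method.upper(), percent_encode(base_url), percent_encode(normalized)])


def hmac_sha1_signature(base_string, consumer_secret, token_secret=""):
    # Signing key is enc(consumer secret) & enc(token secret); the token secret is empty on leg 1
    key = f"{percent_encode(consumer_secret)}&{percent_encode(token_secret)}".encode()
    return base64.b64encode(hmac.new(key, base_string.encode(), hashlib.sha1).digest()).decode()


def sign_request(method, url, params, consumer_secret, token_secret=""):
    """Client side: return the parameters to send, with oauth_signature added."""
    base = signature_base_string(method, url, params)
    return {**params, "oauth_signature": hmac_sha1_signature(base, consumer_secret, token_secret)}


def verify_signature(method, url, params, consumer_secret, token_secret=""):
    """Provider side: recompute the signature over everything except oauth_signature itself."""
    presented = params.get("oauth_signature", "")
    unsigned = {k: v for k, v in params.items() if k != "oauth_signature"}
    expected = hmac_sha1_signature(signature_base_string(method, url, unsigned), consumer_secret, token_secret)
    return hmac.compare_digest(expected, presented)


class FakeProvider:
    """Minimal in-memory OAuth 1.0a provider: request token -> user approval -> access token."""

    def __init__(self, consumers):
        self.consumers = consumers    # consumer key -> consumer secret (from app registration)
        self.request_tokens = {}      # request token -> {"secret", "callback", "verifier"}
        self.access_tokens = {}       # access token -> token secret

    def request_token(self, method, url, params):
        secret = self.consumers.get(params.get("oauth_consumer_key"))
        if secret is None or not verify_signature(method, url, params, secret):
            raise PermissionError("unknown consumer or bad signature on request-token call")
        token, token_secret = secrets.token_hex(8), secrets.token_hex(16)
        self.request_tokens[token] = {"secret": token_secret, "callback": params["oauth_callback"], "verifier": None}
        return token, token_secret

    def authorize(self, token):
        # The user approves in the browser; the provider mints a verifier and either redirects
        # to the callback URL carrying it or, for oauth_callback=oob, shows it to the user as a PIN
        entry = self.request_tokens[token]
        entry["verifier"] = secrets.token_hex(4)
        return entry["verifier"]

    def access_token(self, method, url, params):
        entry = self.request_tokens.get(params.get("oauth_token"))
        if entry is None or entry["verifier"] is None or entry["verifier"] != params.get("oauth_verifier"):
            raise PermissionError("unknown or unapproved request token, or wrong verifier")
        secret = self.consumers.get(params.get("oauth_consumer_key"))
        if secret is None or not verify_signature(method, url, params, secret, entry["secret"]):
            raise PermissionError("bad signature on access-token call")
        del self.request_tokens[params["oauth_token"]]   # request tokens are single use
        token, token_secret = secrets.token_hex(8), secrets.token_hex(16)
        self.access_tokens[token] = token_secret
        return token, token_secret


def run_flow(provider, consumer_key, consumer_secret, callback="oob"):
    """Client side of the three-legged flow; returns (access_token, access_token_secret)."""
    def oauth_params(**extra):
        return {"oauth_consumer_key": consumer_key, "oauth_signature_method": "HMAC-SHA1",
                "oauth_version": "1.0", "oauth_nonce": secrets.token_hex(8),
                "oauth_timestamp": str(int(time.time())), **extra}
    # Leg 1: ask for a request token, signed with the consumer secret only
    url = "https://provider.example/oauth/request_token"
    req = sign_request("POST", url, oauth_params(oauth_callback=callback), consumer_secret)
    req_token, req_secret = provider.request_token("POST", url, req)
    # Leg 2: the user authorizes; the verifier comes back as a PIN (oob) or on the callback URL
    verifier = provider.authorize(req_token)
    # Leg 3: exchange request token + verifier for the access token, signed with both secrets
    url = "https://provider.example/oauth/access_token"
    req = sign_request("POST", url, oauth_params(oauth_token=req_token, oauth_verifier=verifier),
                       consumer_secret, req_secret)
    return provider.access_token("POST", url, req)


def flow_succeeds(provider, consumer_key, consumer_secret):
    try:
        run_flow(provider, consumer_key, consumer_secret)
        return True
    except PermissionError:
        return False


if __name__ == "__main__":
    provider = FakeProvider({"app-key-CONSTRUCTED": "app-secret-CONSTRUCTED"})
    print(run_flow(provider, "app-key-CONSTRUCTED", "app-secret-CONSTRUCTED"))
```

Two details matter for a real client: the consumer secret never leaves the app, only signatures derived from it, which is why the key and secret identify you and must not be leaked; and the request token is consumed by the access-token exchange, so a captured verifier alone buys an attacker nothing without the matching request-token secret.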
You can also read more about OAuth on hueniverse.
Note that some of the information above might be Twitter specific: Twitter implements the OAuth 1.0a standard, while a newer standard, OAuth 2.0, is available and in use by Facebook.