Call to authorize endpoint with headers always forces login. Is it normal?


#1

Hi,

I’ve been playing with the Twitter API for a while, and obviously have been using OAuth too.

As I always work with desktop like applications, I first chose to use query string based params.
But now, I want to work with headers. So I re-wrote my personal lib (AS3) to deal with this kind of request.

In order to make everybody fully understand my question, let me give you some details:

In the OAuth flow, there are 4 possible endpoint types:

  • request token endpoint
  • authorize endpoint
  • access endpoint
  • API methods endpoints.

All of these 4 endpoints work fine with header-based requests, but for the second one (Authorize), I’m always forced to re-enter my Twitter credentials.
If I try this endpoint with query-string-based params and a previous session is still valid, I’m not forced to re-enter my Twitter credentials.

I thought the problem came from my code, but my lib works fine for all 4 possible endpoint types on other APIs using OAuth 1.0a, like Vimeo, Flickr, Tumblr (just tested these 3).

Is it something specific to your OAuth implementation?

I read this: “https://dev.twitter.com/discussions/204” and checked all requirements. Nothing.
I checked that I don’t repeat oauth_params between params and headers either; still nothing better.

Any clue ?

Regards,

Phiphou


#2

Hi Phiphou,

The oauth/authorize or oauth/authenticate steps are a little different from the programmatic steps. This endpoint is meant to be used in a web browser with the oauth_token parameter being the only OAuth-related identifier used – passed on the query string. The user context for the page will be determined by an existing cookie-based session, if one exists. Probably by including the OAuth via header on this page, you’re canceling out the session-based auth.
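
To make the distinction between the signed, header-based steps and the browser-only authorize step concrete, here is an added example in Python. It is my own illustration, not code from this thread, from Twitter, or from Phiphou’s AS3 library. It implements RFC 5849 signing (signature base string, HMAC-SHA1, `Authorization: OAuth` header) for the request-token, access-token and API-method steps, and builds the authorize step as a plain URL carrying only `oauth_token`, with no Authorization header at all, which is what Taylor describes above. The sample request values are the ones from RFC 5849 §3.4.1.1; the authorize endpoint URL passed to `authorize_url` is a placeholder, and the function and parameter names are my own.

```python
"""OAuth 1.0a client-side signing (RFC 5849) and the browser-only authorize step (added example)."""
import base64
import hashlib
import hmac
import secrets
import time
from urllib.parse import parse_qsl, quote, urlencode, urlsplit


def pct(value) -> str:
    """RFC 5849 §3.6 percent-encoding: only ALPHA, DIGIT, '-', '.', '_', '~' stay literal."""
    return quote(str(value), safe="")


def base_string_uri(url: str) -> str:
    """Scheme and host lower-cased, default ports dropped, query and fragment removed (§3.4.1.2)."""
    parts = urlsplit(url)
    scheme, host, port = parts.scheme.lower(), parts.hostname.lower(), parts.port
    if port and not ((scheme == "http" and port == 80) or (scheme == "https" and port == 443)):
        host = f"{host}:{port}"
    return f"{scheme}://{host}{parts.path or '/'}"


def signature_base_string(method: str, url: str, params) -> str:
    """Build the string that gets signed (§3.4.1).

    `params` holds form-body pairs and oauth_* pairs (never oauth_signature or realm);
    query-string pairs are read from the URL itself. Pairs are percent-encoded, sorted by
    name then value, joined with '&', and the whole list is encoded once more.
    """
    pairs = list(parse_qsl(urlsplit(url).query, keep_blank_values=True)) + list(params)
    encoded = sorted((pct(k), pct(v)) for k, v in pairs)
    normalized = "&".join(f"{k}={v}" for k, v in encoded)
    return "&".join([method.upper(), pct(base_string_uri(url)), pct(normalized)])


def hmac_sha1_signature(base_string: str, consumer_secret: str, token_secret: str = "") -> str:
    """HMAC-SHA1 over the base string, keyed with '<consumer secret>&<token secret>' (§3.4.2)."""
    key = f"{pct(consumer_secret)}&{pct(token_secret)}".encode()
    digest = hmac.new(key, base_string.encode(), hashlib.sha1).digest()
    return base64.b64encode(digest).decode()


def authorization_header(method, url, consumer_key, consumer_secret, token=None, token_secret="",
                         body_params=(), extra_oauth=(), realm=None, nonce=None, timestamp=None):
    """Authorization header for the request-token, access-token and API-method steps (§3.5.1).

    `extra_oauth` carries step-specific protocol parameters (oauth_callback, oauth_verifier).
    `nonce`/`timestamp` are only overridable so the output is reproducible in a test.
    """
    oauth = [
        ("oauth_consumer_key", consumer_key),
        ("oauth_nonce", nonce or secrets.token_hex(8)),
        ("oauth_signature_method", "HMAC-SHA1"),
        ("oauth_timestamp", str(timestamp or int(time.time()))),
    ]
    if token:
        oauth.append(("oauth_token", token))
    oauth.extend(extra_oauth)
    base = signature_base_string(method, url, list(body_params) + oauth)
    oauth.append(("oauth_signature", hmac_sha1_signature(base, consumer_secret, token_secret)))
    fields = [f'{pct(k)}="{pct(v)}"' for k, v in oauth]
    if realm:  # realm is a quoted-string in the header and is never part of the signature
        fields.insert(0, f'realm="{realm}"')
    return "OAuth " + ", ".join(fields)


def authorize_url(oauth_token: str, authorize_endpoint: str) -> str:
    """Step 2 is a browser redirect, not a signed API call: a plain URL carrying only
    oauth_token, so the provider can use the user's existing cookie-based session."""
    return authorize_endpoint + "?" + urlencode({"oauth_token": oauth_token})


if __name__ == "__main__":
    # Constructed sample values taken from RFC 5849 §3.4.1.1 (not real credentials).
    rfc_url = "http://example.com/request?b5=%3D%253D&a3=a&c%40=&a2=r%20b"
    print(authorization_header("POST", rfc_url, "9djdj82h48djs9d2", "j49sk3j29djd",
                               token="kkk9d7dh3k39sjv7", token_secret="dh893hdasih9",
                               body_params=[("c2", ""), ("a3", "2 q")], realm="Example",
                               nonce="7d8f3e4a", timestamp=137131201))
    # Placeholder authorize endpoint: substitute the provider's documented oauth/authorize URL.
    print(authorize_url("kkk9d7dh3k39sjv7", "https://provider.example/oauth/authorize"))
```

The point the two output lines make: steps 1, 3 and 4 send a signed `Authorization: OAuth ...` header, while step 2 is nothing more than a URL the user’s browser opens. Sending the signed header to the authorize page as well is what a client library that treats all four endpoints alike will do, and that is the behaviour the thread is about.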


#3

Taylor,

Thank you for your quick answer.

I use the HTML component that Adobe AIR offers for desktop apps, and not a “real” web browser. This could explain this behavior.

But what I don’t understand is why the same thing works fine with Vimeo or Tumblr, which seem to use cookie-based sessions too?

I understand you can’t reply about Adobe AIR and APIs other than Twitter; you already let me know there’s nothing “special” in the Twitter OAuth implementation.

I just checked http://tools.ietf.org/html/rfc5849 and realized that the provided example doesn’t use headers in the authorize step.

Anyway, I’m going to do more tests and let you know if I find anything interesting. Not really important, but I like to understand things by myself and want to know where the “trick” is.

To be continued…