Cannot authorize with iOS app any longer


#1

Using SA_OAuthTwitterEngine, we no longer get an access token (the box is blank). Just started happening, so that when the web dialog returns after entering the username and password to authorize the app, the webview is blank. You can see, before getting a blank page, that the usual token key div or box is now blank, where it used to display the token key that we would grab from the web page to use in the app.

We have reset the parameters for the Twitter app used, made sure it is read and write, made sure the callback url is a valid url (although this has never mattered in the past), etc.

Tried both https://api.twitter.com/oauth/request_token and http://twitter.com/oauth/request_token

Anyone else having this problem?


#2

I’m not familiar with this library, can you explain a bit more about how it interacts with OAuth? You’re using some words here that don’t really jibe with OAuth: a token or key should never be present in any kind of “div” or “box” – what’s the usual sequence of events here? Are you doing some kind of page scraping?

If you’re using callback-based OAuth, the sequence should be:

a) You ask for a request token
b) You send the user for authorization
c) They get sent to the oauth_callback you specified in step a
d) You exchange the request token for an access token using the oauth_verifier you got in step c

If you’re using out-of-band based OAuth, the sequence should be:

a) You ask for a request token
b) You send the user for authorization
c) The user sees a PIN code
d) You present a UI to the user to ask for that PIN code
e) You exchange the request token for an access token using the PIN value from the user as your oauth_verifier


#3

Sorry, yes, I meant PIN. The PIN is displayed and I scrape that PIN from the screen. That PIN is no longer displaying.


#4

I’m not sure what may have changed for you in this area, but it may be beside the point – scraping the PIN code is seen as circumventing the OAuth flow and puts into question your application and any access tokens it has ever issued. The intention of out-of-band mode is for the end-user to hand-enter the PIN code to prove the line of causality. In iOS, it’s far more typical to use a custom OAuth callback with a custom URI scheme instead of your approach.

I recommend altering your flow to proper OAuth as soon as you possibly can.
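
Step c of the callback-based sequence from post #2, using the custom URI scheme suggested in post #4, as an added Swift example that is not part of the original thread or of SA_OAuthTwitterEngine. The scheme `myapp-oauth`, the host `callback`, the type and function names and the sample URLs are assumptions made for the illustration.

```swift
import Foundation

// Hypothetical names: the scheme "myapp-oauth", the host "callback" and the
// types below are assumptions for this example, not taken from the thread.
enum OAuthCallbackError: Error {
    case unexpectedURL       // not the scheme/host registered as oauth_callback
    case duplicateParameter  // ambiguous query string
    case missingParameter    // no oauth_token or no oauth_verifier
    case tokenMismatch       // callback is not for the request token we issued
}

struct PendingAuthorization {
    let requestToken: String // oauth_token obtained in step a
}

/// Validates the redirect the app receives in step c and returns the
/// oauth_verifier to send in step d (request token -> access token).
func verifier(from url: URL, pending: PendingAuthorization) throws -> String {
    guard url.scheme?.lowercased() == "myapp-oauth", url.host == "callback" else {
        throw OAuthCallbackError.unexpectedURL
    }
    let items = URLComponents(url: url, resolvingAgainstBaseURL: false)?.queryItems ?? []

    // Accept a parameter only if it appears exactly once and is non-empty.
    func single(_ name: String) throws -> String {
        let values = items.filter { $0.name == name }.compactMap { $0.value }
        guard values.count <= 1 else { throw OAuthCallbackError.duplicateParameter }
        guard let value = values.first, !value.isEmpty else {
            throw OAuthCallbackError.missingParameter
        }
        return value
    }

    let token = try single("oauth_token")
    let oauthVerifier = try single("oauth_verifier")
    // Bind the callback to the authorization this app instance started.
    guard token == pending.requestToken else { throw OAuthCallbackError.tokenMismatch }
    return oauthVerifier
}

// Constructed sample callbacks; the token and verifier values are made up.
let pending = PendingAuthorization(requestToken: "REQ_TOKEN_EXAMPLE")
let samples = ["myapp-oauth://callback?oauth_token=REQ_TOKEN_EXAMPLE&oauth_verifier=VERIFIER_EXAMPLE",
               "myapp-oauth://callback?oauth_token=OTHER_TOKEN&oauth_verifier=VERIFIER_EXAMPLE",
               "myapp-oauth://callback?oauth_token=REQ_TOKEN_EXAMPLE"]
for sample in samples {
    do { print("verifier:", try verifier(from: URL(string: sample)!, pending: pending)) }
    catch { print("rejected:", error) }
}
```

The returned verifier is what the app signs into the access-token request in step d; nothing is read out of the authorization page itself.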


#5

@jffster, I recommend that you send me an email so we can discuss this further: Can you send me an email at episod@twitter.com with some more details about your application and how you’ve implemented OAuth? Thanks!


#6

.