Here’s the outline of how Android can do that for Google:
- call getAuthToken(… “oauth2:https://www.googleapis.com/auth/userinfo.profile” …)
- that returns an access_token that’s 52 bytes long, beginning with ‘ya29.’
- HTTPS POST that token (with no other keys or secrets) to our website
- our website hits https://accounts.google.com/o/oauth2/tokeninfo?access_token=%access_token%
- that returns JSON containing the user id.
That’s all mutually secure, yet it allows our website to accept data from an Android device without wondering who really sent it. See:
Now my question is how to do all that with Twitter. The only two scopes I can tease out of the documentation are “com.twitter.android.oauth.token” and “com.twitter.android.oauth.token.secret”. I don’t need the secret, or the channel-relative token.
And after I have the access_token, what simple Twitter web URI will return user info for it?
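The server-side step in the outline above (reading the tokeninfo JSON to get the user id), as an added example that is not the poster's code: it also checks which application the token was issued to, so a token obtained by some other app is not accepted. The field names `audience`, `scope`, `expires_in`, `user_id` and `error` are assumed from Google's tokeninfo response, the client ID and sample JSON are constructed, and the function takes the response body as a string so it runs offline.

```python
import json

# Constructed sample of a tokeninfo response body (all values are made up).
SAMPLE_TOKENINFO = json.dumps({
    "audience": "1234567890.apps.googleusercontent.com",
    "user_id": "100000000000000000001",
    "scope": "https://www.googleapis.com/auth/userinfo.profile",
    "expires_in": 3120,
})

# Hypothetical client ID that this site's own Android app is registered under.
EXPECTED_AUDIENCE = "1234567890.apps.googleusercontent.com"
REQUIRED_SCOPE = "https://www.googleapis.com/auth/userinfo.profile"


class TokenRejected(Exception):
    """The tokeninfo response does not prove a user identity to this site."""


def user_id_from_tokeninfo(body, expected_audience=EXPECTED_AUDIENCE,
                           required_scope=REQUIRED_SCOPE):
    """Return the user id from a tokeninfo JSON body, or raise TokenRejected."""
    try:
        info = json.loads(body)
    except ValueError as exc:
        raise TokenRejected("response is not JSON") from exc
    if not isinstance(info, dict) or "error" in info:
        raise TokenRejected("token is invalid or expired")
    # A valid token issued to a different app must not log a user in here.
    if info.get("audience") != expected_audience:
        raise TokenRejected("token was issued to a different application")
    # The scope field is a space-separated list.
    if required_scope not in str(info.get("scope", "")).split():
        raise TokenRejected("token lacks the required scope")
    try:
        remaining = int(info.get("expires_in", 0))
    except (TypeError, ValueError) as exc:
        raise TokenRejected("malformed expires_in") from exc
    if remaining <= 0:
        raise TokenRejected("token has expired")
    user_id = info.get("user_id")
    if not isinstance(user_id, str) or not user_id:
        raise TokenRejected("no user id in response")
    return user_id
```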