“You exchange the request token (leveraging the oauth_token and oauth_token_secret that makes it) with a signed request to oauth/access_token, also containing the oauth_verifier you got in your callback.”
I mentioned this on another thread (https://dev.twitter.com/discussions/9711) but for users of “Twitter for Iphone” htting a url on a tweet, it has become impossible to “leverage the oauth_token_secret” since the app breaks out of UIWebView and into mobile safari when redirecting the user to the /oauth/autenticate url. This is done, I presume, to protect the users from phishing attacks, given that the UIWebView does not display a URL bar. But, since the UIWebView and the Mobile Safari sessions are not the same, when the user finally hits the site’s callback url, it is impossible to check that the oauth_token matches the one originally given, or to sign the request to oauth/acces_token with the oauth_token_secret. I have found two ways around this issue, they are mentioned in the above linked thread. One diverges from the oauth spec and the other is just plain ugly, it wold be helpful to know if the differences from the spec are intentional and if that is the recommend pattern for getting around the issue. thanks.
