Questions on OAuth v2.0

dietmarja · 2015-05-19T10:25:43.746Z

I have two questions on OAuth in connection with the use of Twitter APIs

Is OAuth v1 completely superseded by OAuth 2.0?
Or is OAuth v1 still in use in some way or another in connection with Twitters APIs?
The OAuth 2.0 spec talks about resource owner/end-user. Say, I am using
the REST or the streaming API not via a 3rd party app but via a 2nd party (self-developed) app
programmed in R. Who is the resource owner then? My reading of the OAuth 2.0 spec is that
its me who is the resource owner - but that would be inappropriate
because I certainly do not “own” the Tweets harvested via one of
Twitter’s public API.

andypiper · 2015-05-19T11:59:37.221Z

Currently the Twitter API uses OAuth 1.0A for the majority of access calls. You can learn more about that here in the developer docs.

The only area where OAuth 2.0 principles are partially implemented is in the client credentials grant of the application-only authentication flow.

dietmarja · 2015-05-19T20:16:51.867Z

Thank you andypiper very much. This clearly answers the first question.

Still, who is the resource owner, when I using the Streaming or Rest API?
Both the spec of OAuth v1 and OAuth v2.0 use this concept.

I have the hunch that my problem with this concept of a resource owner might
be down to the fact that the specs of both OAuth 1 and 2.0 do and can not
consider the many possible ways to use this authorization framework.
So the terminology does not really reflect the actual use of OAuth. For instance,
both specsonly talk about 3rd party apps. However, when I use the REST or
streaming API of Twitter, I develop an app for me, and thus a 2nd party app, right?
A similar misfit might apply to resource owner.

What do you think?

andypiper · 2015-05-21T20:05:21.391Z

I’m unclear on what you’re asking about really - we have a Developer Policy which covers ownership of data on Twitter. I don’t think there’s a particular need to worry about it from an OAuth perspective? Can you explain more?

dietmarja · 2015-05-24T17:21:52.683Z

andypiper:

I’m unclear on what you’re asking about really

Of course I fully respect the legal side of things as specified, e.g., in Twitter’s developers policy.
I just want to understand the OAuth 1.1a flow deployed by Twitter better. And in this context my
my question is simply:

Who is the resource owner when one of Twitter’s public APIs is used?

andypiper · 2015-05-26T13:57:26.955Z

If the OAuth flow you are using involves a user token, I would interpret that end-user as granting access to the resource, and therefore being the resource owner. If you are using application-only authentication, I think it would be the application’s token granting access to the resource, and therefore the application would be the resource owner.

I’m basing this on the Stack Overflow discussion here - I am not an expert on the OAuth spec.