Quick question


Hi, I’m new to OAuth, but not new to programming. I ran the common example code that gives me a URL that contains my PIN. From there it lets me authorize access to my account. Here’s what I’m confused about. Do I need to programmatically bring the user of my app to this page to get their own token? Or is this a one-time developer authentication? I’m developing it as a Java app right now, but may want to publish it for others to use in the future.

Does each new user have to go through this same authentication process? Do I need to provide them the authentication link, have them copy and paste the PIN, and then save all of this into their own file, which logs them in each time? This is a desktop application as of right now. Thanks for any help, and sorry for the newbie question; I just can’t find a clear answer for this wherever I look.


If you have the capability to open a web browser and intercept / process a redirect, you could try sending oauth_callback and catching the oauth_verifier value off of the redirect. If that’s not possible (sounds like it may not be in this case) then yeah, each user will need to copy + paste the PIN into your application. Then you would store the access token in a way that is associated with the current user and use that to make Twitter requests on their behalf.
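The three-legged flow this reply is describing (request token sent with oauth_callback, the user authorizing in a browser, then the PIN or oauth_verifier exchanged for an access token that is stored per user), as an added Python example that is not code from the thread or from Twitter. The endpoint URLs are Twitter's documented 1.0a endpoints; the consumer key/secret, nonce, timestamp, screen names and the token file path are placeholders, and a real client would send these Authorization headers over HTTPS with whatever HTTP library it already uses.

```python
# Added example, not code from the thread or from Twitter: the OAuth 1.0a
# messages of the three-legged flow, built with the standard library only.
# Consumer key/secret, nonce, timestamp and the token file are placeholders.
import base64
import hashlib
import hmac
import json
import os
import time
from urllib.parse import parse_qsl, quote

REQUEST_TOKEN_URL = "https://api.twitter.com/oauth/request_token"
AUTHORIZE_URL = "https://api.twitter.com/oauth/authorize"
ACCESS_TOKEN_URL = "https://api.twitter.com/oauth/access_token"


def pct(value):
    """Percent-encode as OAuth 1.0a requires: only A-Z a-z 0-9 - . _ ~ stay unescaped."""
    return quote(str(value), safe="")


def signature_base_string(method, url, params):
    """HTTP method, base URL and the sorted encoded parameters, joined by '&'."""
    pairs = sorted((pct(k), pct(v)) for k, v in params.items())
    normalized = "&".join(f"{k}={v}" for k, v in pairs)
    return "&".join([method.upper(), pct(url), pct(normalized)])


def sign(base_string, consumer_secret, token_secret=""):
    """HMAC-SHA1 keyed with 'consumer_secret&token_secret'. The token secret is
    empty for the request-token call, the request-token secret for the
    access-token call, and the user's access-token secret afterwards."""
    key = f"{pct(consumer_secret)}&{pct(token_secret)}".encode()
    digest = hmac.new(key, base_string.encode(), hashlib.sha1).digest()
    return base64.b64encode(digest).decode()


def authorization_header(method, url, consumer_key, consumer_secret, token=None,
                         token_secret="", extra=None, nonce=None, timestamp=None):
    """Build the 'Authorization: OAuth ...' header for one signed request.
    nonce/timestamp are overridable only so the output is reproducible in tests."""
    params = {
        "oauth_consumer_key": consumer_key,
        "oauth_nonce": nonce or os.urandom(16).hex(),
        "oauth_signature_method": "HMAC-SHA1",
        "oauth_timestamp": str(timestamp or int(time.time())),
        "oauth_version": "1.0",
    }
    if token:
        params["oauth_token"] = token
    params.update(extra or {})  # non-oauth_ fields are signed but stay in body/query
    params["oauth_signature"] = sign(signature_base_string(method, url, params),
                                     consumer_secret, token_secret)
    fields = ", ".join(f'{pct(k)}="{pct(v)}"'
                       for k, v in sorted(params.items()) if k.startswith("oauth_"))
    return "OAuth " + fields


def request_token_header(consumer_key, consumer_secret, callback="oob", **kw):
    """Step 1. callback='oob' selects the PIN flow; a URL the app can receive
    (loopback listener or custom URI scheme) selects the redirect flow."""
    return authorization_header("POST", REQUEST_TOKEN_URL, consumer_key, consumer_secret,
                                extra={"oauth_callback": callback}, **kw)


def parse_token_response(body, require_callback_confirmed=False):
    """Parse an 'oauth_token=...&oauth_token_secret=...' response body.
    A 1.0a server answers step 1 with oauth_callback_confirmed=true; insist on it
    so the client never continues a pre-1.0a (session-fixation-prone) flow."""
    fields = dict(parse_qsl(body))
    if "oauth_token" not in fields or "oauth_token_secret" not in fields:
        raise ValueError("token response lacks oauth_token or oauth_token_secret")
    if require_callback_confirmed and fields.get("oauth_callback_confirmed") != "true":
        raise ValueError("server did not confirm oauth_callback")
    return fields


def authorize_url(request_token):
    """Step 2: the page the user visits themselves (launched browser or hyperlink)."""
    return f"{AUTHORIZE_URL}?oauth_token={pct(request_token)}"


def access_token_header(consumer_key, consumer_secret, request_token,
                        request_token_secret, verifier, **kw):
    """Step 3: trade the request token plus the pasted PIN / oauth_verifier for an access token."""
    return authorization_header("POST", ACCESS_TOKEN_URL, consumer_key, consumer_secret,
                                token=request_token, token_secret=request_token_secret,
                                extra={"oauth_verifier": verifier.strip()}, **kw)


def load_user_tokens(path):
    if not os.path.exists(path):
        return {}
    with open(path) as f:
        return json.load(f)


def save_user_tokens(path, screen_name, access_token, access_token_secret):
    """Keep each user's access token so they authorize once (until they revoke).
    The file is created mode 0600 so other local accounts cannot read it."""
    store = load_user_tokens(path)
    store[screen_name] = {"oauth_token": access_token,
                          "oauth_token_secret": access_token_secret}
    fd = os.open(path, os.O_WRONLY | os.O_CREAT | os.O_TRUNC, 0o600)
    with os.fdopen(fd, "w") as f:
        json.dump(store, f)
```

The access-token secret is what lets the app sign requests on the user's behalf later, so it deserves the same care as a password: the 0600 file above is the minimum, and an OS keychain is better where one is available.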


Thank you for the quick reply! OK, that clears this up. Is it against any rules to have this application do all of this in the background? Such as, whenever the application loads, I programmatically load the website, prompt the user ‘Click yes to authorize app access’ from within my application, and if they click yes, have my program click authorize, with maybe HtmlUnit or some of my own code, and then get the HTML from the page that gives the token, and strip the token directly from there?

I just want it to be as easy as possible for the end user. Would this violate any of the rules, as long as I allow the user to choose that they authorize access?


Yes, that would absolutely be against Twitter’s developer rules of the road. Feel free to launch a browser to the correct URL or provide a hyperlink, but scraping the PIN page requires collecting the user’s screen name and password and makes the whole OAuth flow pointless. Don’t do it.


Ah, you’re right. Sorry, my method would only work if the user was already logged in. If not, I would have to ask for their username and password to log in and then proceed with the rest of the code. Thanks for clarifying. I suppose making the user copy/paste a token every once in a while isn’t THAT bad, haha. Thanks again.


They should only really have to copy and paste one time (unless they revoke the app), so hopefully that’s not too painful :)


Just looking for a little clarification here. You said, “…you could try sending oauth_callback and catching the oauth_verifier value off of the redirect…” I am working on a desktop application in Qt that uses a QWebView. In the web view I am opening the authorize page and allowing the user to enter their username/password. After this I get redirected to a page that has the PIN code. Since I have direct access to the HTML that comes back on the PIN code page, is it okay for me to just have my application pull that PIN out and send it off to get the access tokens? This would make for a cleaner user experience.

Thank you!


No, you cannot do that as it is considered a circumvention of the flow. The reason the user has to manually enter the PIN into your application is to further indicate that there was no automation involved in the authorization process.

You may find yourself better served by registering a custom URI handler in your operating system and using the oauth_callback to redirect to that custom handler instead, skipping the need to display a PIN code interface for the user entirely.
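Catching the redirect instead of showing a PIN, as the first reply and this one both suggest, as an added Python example that is not code from the thread: a loopback HTTP listener on 127.0.0.1 stands in for the OS-specific custom URI scheme handler (registering a scheme is a per-platform job; both approaches only need to receive oauth_verifier). The callback URL the listener produces is what the app would send as oauth_callback in the request-token call, and the listener refuses any redirect whose oauth_token is not the request token it is waiting for, which is the check that keeps a stale or attacker-triggered redirect from completing the flow. The redirects in demo() are constructed locally; nothing here contacts Twitter.

```python
# Added example, not code from the thread: a loopback HTTP listener that
# receives the oauth_callback redirect so no PIN is shown. It stands in for
# the OS-specific custom URI scheme handler; both just deliver oauth_verifier.
import http.client
import http.server
import threading
from urllib.parse import parse_qs, urlparse


def extract_verifier(path, expected_request_token):
    """Return oauth_verifier from the redirect path, or None when the redirect
    does not carry the oauth_token this flow is waiting for. Without that check a
    stale or attacker-triggered redirect could inject a verifier for another token."""
    query = parse_qs(urlparse(path).query)
    if query.get("oauth_token", [None])[0] != expected_request_token:
        return None
    return query.get("oauth_verifier", [None])[0]


class _CallbackHandler(http.server.BaseHTTPRequestHandler):
    def do_GET(self):
        verifier = extract_verifier(self.path, self.server.request_token)
        if verifier is None:
            self.send_error(400, "redirect rejected")
            return
        self.send_response(200)
        self.send_header("Content-Type", "text/plain")
        self.end_headers()
        self.wfile.write(b"Authorized. You can close this window.")
        self.server.verifier = verifier
        self.server.done.set()

    def log_message(self, *args):  # keep the desktop app's console quiet
        pass


class CallbackListener:
    """Bind to 127.0.0.1 on an ephemeral port before step 1, so the port can be
    put into oauth_callback; then wait() for the browser to be redirected back."""

    def __init__(self):
        self._server = http.server.HTTPServer(("127.0.0.1", 0), _CallbackHandler)
        self._server.request_token = None
        self._server.verifier = None
        self._server.done = threading.Event()
        self.port = self._server.server_address[1]
        self.callback_url = f"http://127.0.0.1:{self.port}/callback"

    def wait(self, request_token, timeout=300):
        """Serve until a redirect matching request_token arrives or timeout expires."""
        self._server.request_token = request_token
        threading.Thread(target=self._server.serve_forever, daemon=True).start()
        try:
            self._server.done.wait(timeout)
        finally:
            self._server.shutdown()
            self._server.server_close()
        return self._server.verifier


def demo():
    """Stand-alone run with constructed redirects; nothing contacts Twitter.
    A forged redirect carrying someone else's token is answered with 400 and
    ignored; the genuine one (the token 'issued' in step 1) completes the flow."""
    listener = CallbackListener()
    request_token = "constructed-request-token"  # would come from the step 1 response

    def browser():  # plays the browser Twitter redirects after the user clicks Authorize
        for token in ("someone-elses-token", request_token):
            conn = http.client.HTTPConnection("127.0.0.1", listener.port, timeout=5)
            conn.request("GET", f"/callback?oauth_token={token}&oauth_verifier=123456")
            conn.getresponse().read()
            conn.close()

    threading.Timer(0.2, browser).start()
    return listener.wait(request_token, timeout=10)


if __name__ == "__main__":
    print("oauth_verifier:", demo())
```

The port is chosen fresh each run, so the app must request the token only after the listener is bound and must pass exactly that callback URL; Twitter echoes the user back to it with oauth_token and oauth_verifier in the query string, and the verifier is then used in the access-token call just as a pasted PIN would be.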


Ah, okay, that’s what I figured. Thank you for the quick reply!