A proposal for delegation in OAuth identity verification, take two

It's only been up for a few hours, but there has already been a series of great comments on "A proposal for delegation in OAuth identity verification" both on mehack and on the Twitter Development Talk mailing list.  Just to remind people about the problem:

You're an OAuth enabled Twitter client, and you've already authorized your user.  Your user wants to use a media providing service like TwitPic.  TwitPic, currently, asks for the username and password of your user so it can store the photo on behalf of the Twitter user.  You don't have that username and password, so how do you give TwitPic the ability to verify the identity of your user?

Again, we want to make it really easy for any site to verify a user's identity.  What we're proposing is a very simple workflow, and that's sketched out in the attached diagram.  The main difference is that the call from the Consumer to the Protected Resource now includes the Authorization header that the Consumer would send to Twitter if it were to call account/verify_credentials directly — the Delegator can use that header to call account/verify_credentials instead.  This solution is simple and it means that Twitter has no idea what calls are being made on the Delegator.
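The exchange described above, as an added example that is not part of the original post: all three parties are mocked in one Python file, and the verify_credentials URL and the credentials are assumptions, not real Twitter values. The Delegator only ever forwards the header it was given, and the test also checks that Twitter rejects that same header for any other method or URL, because the OAuth 1.0a signature covers both.

```python
import base64, hashlib, hmac, secrets, time
from urllib.parse import quote, unquote

# Constructed sample credentials; nothing here is a real Twitter key or token.
CONSUMER_KEY, CONSUMER_SECRET = "client-key", "client-secret"
ACCESS_TOKEN, ACCESS_SECRET = "user-token", "user-token-secret"
VERIFY_URL = "https://api.twitter.com/1/account/verify_credentials.json"  # assumed URL

def pct(s):
    return quote(str(s), safe="~")  # RFC 3986 percent-encoding, as OAuth 1.0a requires

def sign(method, url, params, consumer_secret, token_secret):
    """OAuth 1.0a HMAC-SHA1 signature; it binds the method, the URL and the oauth_* params."""
    norm = "&".join(f"{pct(k)}={pct(v)}" for k, v in sorted(params.items()))
    base = "&".join([method.upper(), pct(url), pct(norm)])
    key = f"{pct(consumer_secret)}&{pct(token_secret)}".encode()
    return base64.b64encode(hmac.new(key, base.encode(), hashlib.sha1).digest()).decode()

def consumer_build_header(method="GET", url=VERIFY_URL):
    """Consumer (Twitter client): the header it would send to Twitter for verify_credentials."""
    p = {"oauth_consumer_key": CONSUMER_KEY, "oauth_token": ACCESS_TOKEN,
         "oauth_signature_method": "HMAC-SHA1", "oauth_timestamp": str(int(time.time())),
         "oauth_nonce": secrets.token_hex(8), "oauth_version": "1.0"}
    p["oauth_signature"] = sign(method, url, p, CONSUMER_SECRET, ACCESS_SECRET)
    return "OAuth " + ", ".join(f'{pct(k)}="{pct(v)}"' for k, v in sorted(p.items()))

def parse_header(header):
    """Split 'OAuth k="v", k2="v2"' back into a dict of decoded oauth_* params."""
    pairs = (part.split("=", 1) for part in header[len("OAuth "):].split(", "))
    return {unquote(k): unquote(v.strip('"')) for k, v in pairs}

def twitter_check(method, url, header, max_skew=300):
    """Mock of Twitter's OAuth check: recomputes the signature for THIS method and URL."""
    if not header.startswith("OAuth "):
        return None
    p = parse_header(header)
    if p.get("oauth_consumer_key") != CONSUMER_KEY or p.get("oauth_token") != ACCESS_TOKEN:
        return None
    if abs(time.time() - int(p.get("oauth_timestamp", "0"))) > max_skew:
        return None  # stale header; a real server also rejects reused nonces
    given = p.pop("oauth_signature", "")
    expected = sign(method, url, p, CONSUMER_SECRET, ACCESS_SECRET)
    return {"screen_name": "alice"} if hmac.compare_digest(given, expected) else None

def delegator_identify_user(forwarded_header):
    """Delegator (e.g. TwitPic): holds no password or token secret; it replays the
    forwarded header against account/verify_credentials and trusts Twitter's answer."""
    return twitter_check("GET", VERIFY_URL, forwarded_header)
```

Because the signature covers the method and URL, the forwarded header lets the Delegator make that one verify_credentials call and nothing else, and the timestamp (plus nonce tracking on a real server) bounds how long it stays usable.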


Please help me continue to poke holes in this.  And, while you're at it, help me by suggesting a different term for "Delegator".  Like I mentioned before, once I think we've come upon the best solution, I'll write this up more formally, as well as port it to OAuth WRAP/2.0 (where Twitter is headed).

Thanks so much for all the comments already (especially thanks to @h__r__j and Brian Smith) and keep them flowing.
