OAuth エコーは OAuthです。 OAuth エコーでは xAuth は必要ではありません(これらのヘッダが x_* となっていますが惑わされないでください、これは単にカスタムHTTPヘッダを定義する際の標準的書式なだけです)。
There are four parties involved in this interaction:
Essentially, you will be preparing a request for the delegator to send to the Twitter API on your application and user’s behalf. You’ll be sticking what would otherwise be a signed OAuth request into an HTTP header and asking the delegator to send that request to Twitter after completing the intermediary operation.
So, let’s go: the User wants to upload a photo. The Consumer is going to call upload on the Delegator with a POST. このPOSTには画像を含める必要がありますが、HTTPヘッダに追加で二つの項目を含める必要もあります:
X-Auth-Service-Provider— effectively, this is the realm that identity delegation should be sent to — in the case of Twitter, just set this to
https://api.twitter.com/1/account/verify_credentials.json. iOS5-based Twitter integrations will add an additional
application_idparameter to this URL that will also be used to calculate the oauth_signature used in
X-Verify-Credentials-Authorization— Consumer should create all the OAuth parameters necessary so it could call
https://api.twitter.com/1/account/verify_credentials.jsonusing OAuth in the HTTP header (e.g. it should look like OAuth oauth_consumer_key=”…”, oauth_token=”…”, oauth_signature_method=”…”, oauth_signature=”…”, oauth_timestamp=”…”, oauth_nonce=”…”, oauth_version=”…” ).
Keep in mind that the entire transaction period needs to occur within an amount of time where your oauth_timestamp will still be valid.
Alternatively, instead of sending these two parameters in the header, they could be sent in the POST as
x_verify_credentials_authorization — if you do this, then remember to escape and include the parameters in your OAuth signature base string — similar to how you would encode parameters in any request. It’s best to use HTTP headers to keep the operations as separate as possible.
The Delegator’s goal, at this point, is to verify that the User is who he or she says he or she is before it saves the media. Once the Delegator receives all the data above via its upload method, it should temporarily store the image, and then construct a call to end point specified in the
X-Auth-Service-Provider header — in this case,
https://api.twitter.com/1/account/verify_credentials.json, using the same OAuth authentication header provided by the Consumer in the
Please note that one should use the URL provided to them by
X-Auth-Service-Provider to perform the look up, not a hard coded value on your servers. Apple iOS5, for example, adds an additional application_id parameter to all OAuth requests, and its existence should be maintained at each stage of OAuth Echo.
For the OAuth authorization portion, it should take the header value in X-Verify-Credentials-Authorization, and stick that into it’s own Authorization header for its call to the service provider. For good measure, you should also confirm that the value in
X-Auth-Service-Provider is what it should be.
You can read @raffi’s original proposal for OAuth Echo.