facebookzend-frameworktwitteroauthdigg

Digg.com style oauth


I've been trying to figure out exactly how digg.com and other similar sites deal with authentication via oauth. Creating an account via oauth is pretty straight forward, the user clicks the twitter/facebook connect button which then digg sends our a secret and if everything works, this secret is returned and gets stored as the access token.

However, how does authentication work this way? When I click on the login via twitter button for example, a random secret is being sent to twitter. Does twitter instead return the prior access token or does digg get the twitter user id for example, compare it to a stored value in the db and then uses the stored access token from there?

For example: 1. user clicks login via twitter. 2. a secret is sent, twitter does some processing and returns info such as username/id/etc... 3. based on one of these return values, the db is polled and the user rows are loaded, authentication succeeds.

Am I way off on this? Can someone please enlighten me?


Solution

  • The following is based on Workflow provided by hueniverse:

    User clicks on login through Twitter.

    Digg requests from Twitter a Request Token (not User-specific, can be used by Digg to gain User approval from User to access User's information).

    Digg receives the Request Token and redirects User to the Twitter OAuth User Authorization URL with RequestToekn and asks Twitter to redirect User back once approval has been granted.

    OAuth requires that Service Providers (Twitter) first authenticate the User, and then ask them to grant access to the Consumer (Digg).

    User enters username and password (if User has not logged in).

    Twitter informs User of who is requesting access (Digg) and the type of access being granted. (I am not familiar with Digg, so take Stack Exchange as another example, it only asks for access to username.)

    User approves.

    Twitter marks the Request Token as User-authorized. User's browser is redirected back to Digg.

    Digg uses the authorized Request Token and exchanges it for an Access Token (used to access Protected Resources. In case of Stack Exchange, username, though it sounds a little bit weird).

    Digg is logged in through Twitter.

    Here is an unofficial picture by me: enter image description here


    Above is based on the the Official Guide to OAuth 1.0, but according to Introducing OAuth 2.0:

    OAuth 2.0 is a completely new protocol and is not backwards compatible with previous versions. However, it retains the overall architecture and approach established by the previous versions, and the same introduction (from the Official Guide to OAuth 1.0) still very much applies.