OAuth Callback procedure for mobile devices

littleK · Jan 23, 2010

I am designing a Netflix Application for BlackBerry mobile devices. I am currently working on the OAuth. I am at the point where I can generate a Netflix login page in an embedded browser field in my application.

After the user signs in, Netflix will send the user from the login page to a specified callback URL. The callback URL will also contain an authorized token, which then needs to be sent back to Netflix.

My question is: How am I supposed to do this on a mobile device? Is there a procedure set in place? I am unsure how I can extract the authorized token from the callback URL and send it back to my application. From my research, it does not appear that Netflix will provide a PIN/verifier for the user to then type into the application...

Does anyone have any ideas?

Thanks...

Answer

Paul Osman · Jan 23, 2010

There are two ways to deal with callbacks on mobile devices. The first is to set the value of oauth_callback to 'oob'. This is done if your device is unable to receive callbacks. See the OAuth spec, section 2.1:

Temporary Credentials

Using 'oob' should cause the server (Netflix) to display a verification code that the user then types into your application to authorize the request token.

The second way, if your device supports it, is to use a custom URI scheme. I know that on iPhones, you can register a callback with a custom scheme that is assigned to your application. Is there a way to do this on a BlackBerry? If so, I'd use this approach as it's a much better user experience.
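Added example, not part of the original answer or any Netflix or BlackBerry code: a language-neutral sketch in Python of what the app does once its embedded browser is about to navigate to the custom-scheme callback. The scheme `myapp`, the host `oauth-callback` and the function names are assumptions; `oauth_token` and `oauth_verifier` are the parameter names from the OAuth specification.

```python
import hmac
from urllib.parse import urlsplit, parse_qs

# Assumed values: the custom scheme and host registered for this app.
CALLBACK_SCHEME = "myapp"
CALLBACK_HOST = "oauth-callback"


class CallbackError(ValueError):
    """Raised when a callback URL must not be trusted."""


def is_callback(url):
    """True if a navigation targets our registered callback and should be
    intercepted by the app instead of being loaded in the browser field."""
    parts = urlsplit(url)
    return parts.scheme == CALLBACK_SCHEME and parts.hostname == CALLBACK_HOST


def _single(params, name):
    # Duplicated or missing parameters are ambiguous, so refuse them.
    values = params.get(name, [])
    if len(values) != 1:
        raise CallbackError("expected exactly one " + name)
    return values[0]


def handle_callback(url, pending_request_token):
    """Return (oauth_token, oauth_verifier or None) from a callback URL.

    pending_request_token is the request token this app obtained before it
    opened the login page. A callback carrying any other token is rejected,
    so another app or page cannot feed its own token into this session.
    """
    if not is_callback(url):
        raise CallbackError("not our callback URL")
    params = parse_qs(urlsplit(url).query, strict_parsing=True)
    token = _single(params, "oauth_token")
    if not hmac.compare_digest(token.encode(), pending_request_token.encode()):
        raise CallbackError("oauth_token does not match the pending request")
    # Providers that issue no verifier simply omit the parameter.
    verifier = _single(params, "oauth_verifier") if "oauth_verifier" in params else None
    return token, verifier


if __name__ == "__main__":
    # Constructed sample callback, not captured from a real provider.
    print(handle_callback("myapp://oauth-callback?oauth_token=abc123", "abc123"))
```

The returned token, plus the verifier when one is present, is what the app then uses in the access-token request.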