So, over the past few weeks a pet project of mine has been an Android app for the growing website, Formspring.me. Granted, I have no interest in this site at all – I just thought their API looked easy to grind my teeth on. Regardless, when I start a project, I hate to leave it unfinished. Unfortunately, that may be what I have to do in this case.
Formspring.me has decided to use OAuth for their user authentication. OAuth made it big when Twitter revealed it as their method of authenticating third-party Twitter applications. It’s actually a pretty great system. It allows someone to write a program that can interact with your account without the program having to store your password. Unfortunately, Formspring’s implementation appears to be messed up. Maybe if I describe the problem I’m having, one of you geniuses out there can help me out (because Formspring support sure doesn’t seem to care).
Authentication with OAuth is a two-step process. First you declare the intent to authenticate by retrieving a “request token”… then you redirect the user to their browser, where they are asked if they want to give your application access to their data. If they click “allow” then they get a PIN to enter into the program. If the PIN they enter into the program matches the PIN the website gave them, the request token is upgraded to an “access token” and that access token gives the application all the rights the user has. Then you store this access token in memory for the next time they open up the program. However, since places like Twitter and Formspring want to limit exactly which applications can access their API, there are also two other numbers in play: the “consumer key” that is used to uniquely identify your application and the “consumer secret” that is used to sign all messages coming from your application.
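The two signed calls described above, as an added example that is not from the original post or from Formspring: it assumes the provider follows OAuth 1.0a (RFC 5849) with HMAC-SHA1 signatures, and every URL, key, token and PIN in it is a constructed placeholder. The consumer key is identical in both steps; what changes is the parameter set and the signing key, which gains the request token secret in step two.

```python
import base64, hashlib, hmac
from urllib.parse import quote

def pct(value):
    """RFC 5849 percent-encoding: only unreserved characters stay literal."""
    return quote(str(value), safe="-._~")

def base_string(method, url, params):
    """METHOD & encoded URL & encoded, sorted parameters (URL has no query string here)."""
    pairs = sorted((pct(k), pct(v)) for k, v in params.items())
    normalized = "&".join(f"{k}={v}" for k, v in pairs)
    return "&".join([method.upper(), pct(url), pct(normalized)])

def sign(method, url, params, consumer_secret, token_secret=""):
    """HMAC-SHA1 keyed with the consumer secret plus the current token secret."""
    key = f"{pct(consumer_secret)}&{pct(token_secret)}".encode()
    mac = hmac.new(key, base_string(method, url, params).encode(), hashlib.sha1)
    return base64.b64encode(mac.digest()).decode()

def verify(method, url, params, consumer_secret, token_secret=""):
    """Provider-side check: recompute over every parameter except the signature."""
    unsigned = {k: v for k, v in params.items() if k != "oauth_signature"}
    expected = sign(method, url, unsigned, consumer_secret, token_secret)
    return hmac.compare_digest(expected, params.get("oauth_signature", ""))

# Constructed sample values; none of these come from a real provider.
CONSUMER_KEY, CONSUMER_SECRET = "example-consumer-key", "example-consumer-secret"
REQUEST_URL = "https://provider.example/oauth/request_token"
ACCESS_URL = "https://provider.example/oauth/access_token"

def oauth_params(nonce, timestamp, **extra):
    params = {"oauth_consumer_key": CONSUMER_KEY, "oauth_nonce": nonce,
              "oauth_timestamp": timestamp, "oauth_signature_method": "HMAC-SHA1",
              "oauth_version": "1.0"}
    params.update(extra)
    return params

def request_token_call():
    """Step 1: no token yet, so the signing key is 'consumer_secret&'."""
    params = oauth_params("nonce-1", "1300000000", oauth_callback="oob")
    params["oauth_signature"] = sign("POST", REQUEST_URL, params, CONSUMER_SECRET)
    return params

def access_token_call(request_token, request_token_secret, pin):
    """Step 2: adds the request token and PIN; the key gains the request token secret."""
    params = oauth_params("nonce-2", "1300000060",
                          oauth_token=request_token, oauth_verifier=pin)
    params["oauth_signature"] = sign("POST", ACCESS_URL, params,
                                     CONSUMER_SECRET, request_token_secret)
    return params
```

`verify` is the recomputation a provider performs on each call; a step-two request signed with the step-one key, or with any parameter changed after signing, fails it.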
Currently, my program makes it all the way through the first step of authentication. It sends the user to the browser where they click “allow” and then they get a PIN. Then, when the user goes to enter their PIN into the program and they click “Authorize” to complete the process, the Formspring server sends back the following message: “Invalid Consumer Key”. This has had me banging my head against the wall for a while. Mostly because I can’t explain how a consumer key that is good for the first step of authentication doesn’t work for the second step. It’s just silly.
So, in all honesty – are there any suggestions from the audience on this one? Help would be appreciated.