PIN-based authorization
The PIN-based OAuth flow is a version of the 3-legged OAuth process and is intended for applications that cannot access or embed a web browser to redirect the user after authorization. Examples of such applications would be command-line applications, embedded systems, game consoles, and certain types of mobile apps.
The PIN-based OAuth flow is initiated by an app in the request_token step, with the oauth_callback parameter set to oob. The term oob means out-of-band OAuth. The user still visits X to log in or authorize the app, but they will not be automatically redirected to the application upon approving access. Instead, they will see a numerical PIN code, with instructions to return to the application and enter this value.
Note: The callback_url within the X app settings is still required, even when using PIN-based auth.
Implementing the PIN-based OAuth flow
The PIN-based flow is implemented in the same way as 3-legged authorization (and Sign in with X), with the following differences:
- The value for oauth_callback must be set to oob during the POST oauth/request_token call.
- After the user is sent to X to authorize your app using either a GET oauth/authenticate or GET oauth/authorize URL, they will not be redirected to your callback_url. Instead, they will see a screen with an X-generated ~7 digit PIN and directions to enter the PIN into your application (referred to by its registered name).
- The user enters this PIN into your application, and your application uses the PIN as the oauth_verifier in the POST oauth/access_token call to obtain an access_token.
Note: PINs are not reusable, and the access_token obtained should be used for application-user requests.
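The three steps above, as an added example that is not part of X's documentation or SDKs: it builds and signs the request_token call with oauth_callback=oob, the authorize URL the user visits, and the access_token call that carries the typed PIN as oauth_verifier. It assumes HMAC-SHA1 signing as defined in RFC 5849 and leaves the actual HTTP POSTs (and the parsing of the form-encoded token responses) to the caller; the nonce and timestamp overrides exist only so the output is deterministic in tests.

```python
# Added example: building the OAuth 1.0a requests of the PIN (out-of-band) flow.
# Assumes HMAC-SHA1 signing as in RFC 5849; sending the POSTs is left to the caller.
import base64, hashlib, hmac, secrets, time
from urllib.parse import quote

REQUEST_TOKEN_URL = "https://api.twitter.com/oauth/request_token"
AUTHORIZE_URL = "https://api.twitter.com/oauth/authorize"
ACCESS_TOKEN_URL = "https://api.twitter.com/oauth/access_token"

def pct(value):
    """RFC 5849 percent-encoding: only A-Z a-z 0-9 - . _ ~ stay unencoded."""
    return quote(str(value), safe="~")

def signature_base_string(method, url, params):
    """Encode and sort the parameters, then build METHOD&URL&PARAMS."""
    pairs = sorted((pct(k), pct(v)) for k, v in params.items())
    normalized = "&".join(f"{k}={v}" for k, v in pairs)
    return "&".join([method.upper(), pct(url), pct(normalized)])

def sign(method, url, params, consumer_secret, token_secret=""):
    """HMAC-SHA1 over the base string, keyed with consumer_secret&token_secret."""
    key = f"{pct(consumer_secret)}&{pct(token_secret)}".encode()
    mac = hmac.new(key, signature_base_string(method, url, params).encode(), hashlib.sha1)
    return base64.b64encode(mac.digest()).decode()

def oauth_params(consumer_key, token=None, nonce=None, timestamp=None, **extra):
    params = {"oauth_consumer_key": consumer_key, "oauth_nonce": nonce or secrets.token_hex(16),
              "oauth_signature_method": "HMAC-SHA1", "oauth_version": "1.0",
              "oauth_timestamp": timestamp or str(int(time.time())), **extra}
    if token:
        params["oauth_token"] = token
    return params

def request_token_params(consumer_key, consumer_secret, **overrides):
    """Step 1: oauth_callback=oob asks X to show a PIN instead of redirecting."""
    params = oauth_params(consumer_key, oauth_callback="oob", **overrides)
    params["oauth_signature"] = sign("POST", REQUEST_TOKEN_URL, params, consumer_secret)
    return params

def authorize_url(request_token):
    """Step 2: the user opens this URL; after approving, X displays the PIN."""
    return f"{AUTHORIZE_URL}?oauth_token={pct(request_token)}"

def access_token_params(consumer_key, consumer_secret, request_token, request_secret, pin, **overrides):
    """Step 3: the typed PIN becomes oauth_verifier, signed with the request-token secret."""
    if not pin.strip().isdigit():
        raise ValueError("PIN must be numeric")
    params = oauth_params(consumer_key, token=request_token, oauth_verifier=pin.strip(), **overrides)
    params["oauth_signature"] = sign("POST", ACCESS_TOKEN_URL, params, consumer_secret, request_secret)
    return params
```

Each returned dict is sent as the OAuth Authorization header of the corresponding POST; the request_token response supplies the oauth_token and oauth_token_secret that step 3 signs with.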