Accessing User Profile

Now that the application has been issued an access token, it can use that token to make authenticated API requests. We'll explore how that is accomplished in this chapter.

Passport now makes a request to the Twitter API, in particular the /1.1/account/verify_credentials.json endpoint, which returns data about the user's account:

GET /1.1/account/verify_credentials.json HTTP/1.1
Host: api.twitter.com
Authorization: OAuth oauth_consumer_key="cChZNFj6T5R0TigYB9yd1w",
  oauth_nonce="MCMqk9QRZcPG1CrfJbPtD9HuMvm8vSXb",
  oauth_signature_method="HMAC-SHA1",
  oauth_timestamp="1682559265",
  oauth_token="7588892-kagSNqWge8gB1WwE3plnFsJHAZVfxWD7Vb57p0b4",
  oauth_version="1.0",
  oauth_signature="XXXXXXXX"

The parameters for this request are conveyed in the Authorization header. Let's examine them.

  • oauth_consumer_key: Identifies the application to the service provider. This is assigned when registering the application with Twitter.

  • oauth_nonce: A random string uniquely generated by Passport for each request, used to help prevent replay attacks.

  • oauth_signature_method: The signature method used to sign the request.

  • oauth_timestamp: The number of seconds since January 1, 1970 00:00:00 GMT.

  • oauth_token: The access token.

  • oauth_version: The version of OAuth used to authorize the request, set to "1.0".

  • oauth_signature: A cryptographic signature used to authenticate the request. Passport computes this automatically using the application's consumer secret and the access token secret.

Note that the access token that was just issued is being used as a credential in the Authorization header along with a signature. The signature is computed using the corresponding access token secret (as well as the application's consumer secret); neither secret is sent on the wire, only the signature derived from them. Tokens that require a corresponding cryptographic signature are referred to as proof-of-possession tokens: knowledge of the secret demonstrates that the application presenting the token is its legitimate holder. This differs from a bearer token, which grants access to whoever presents it, so a captured Authorization header alone is not enough to reuse a proof-of-possession token.

When Twitter receives this request, it recomputes the signature using the secrets it holds for the given consumer key and access token, checks that the result matches, and verifies that the authorization granted permits access to the resource. A service provider will typically also reject a timestamp outside an acceptable window and a nonce it has already seen for that token, so that a captured request cannot be replayed. If all checks pass, Twitter responds with information about the user.

HTTP/1.1 200 OK
Content-Type: application/json

{
  "id": 38895958,
  "id_str": "38895958",
  "screen_name": "theSeanCook",
  "name": "Sean Cook"
}

Now that Passport has obtained the user profile, it can authenticate the user.
