
What I am trying to do:

Write a generic library in C# to handle the OAuth flow for every service (just like Twitter, LinkedIn and Foursquare). The hardest part is that I want to simulate all the user input in code, so that no user action is needed to click on buttons like "Ok, I will Allow It", or even to write a username/password.

Doubts that I have so far:

1 - What's the usage of the authenticity_token in Twitter's API?

2 - What are the factors that all services use, so that I can implement a generic usage of the OAuth flow? For example, I've found the first step is really easy to make a generic method for. All I have to do is change the URL for the webRequest, and BAM, I have the request tokens.

3 - How do I get the verifier for each service? In the LinkedIn service, for instance, I was able to parse a page to fetch this value, but I can't find this verifier for the Twitter API, for example. Even when authorizing my application in the browser, I see no verifier in any HTML during the flow, or any JavaScript generating it.

Observations:

1 - I know that there are lots of OAuth libraries out there, like this or that one, but there is no library that allows me to do what I want, that is, to authenticate and authorize a user without prompting for any user input.

2 - I can't, by any means, ask for user input. All the values like username and password for the authentication will be hardcoded, and every user will use the same account for these requests.

3 - I also know that there are other posts here that I've written, with almost the same doubts, and the reason I am reposting is to try to make it clearer and fresher.

4 - Sorry in advance about any English mistake or misunderstanding of concepts.

Basic code sample:

This is, for instance, the method I am using (which is widely available across the web) for getting request tokens for any service. All I have to do is change the REQUEST_TOKEN value to the specific URL to be used for a service, so I can get the tokens for LinkedIn, Twitter or Foursquare, for instance. But I can't manage to apply the same process in the other steps.

// Requires: using System.Collections.Specialized; using System.Web;
// and, from the enclosing class, the REQUEST_TOKEN and AUTHORIZE URLs,
// the Method enum and the oAuthWebRequest helper that signs the call.
public string AuthorizationLinkGet()
{
    string ret = null;

    // Step 1 of OAuth 1.0a: obtain an unauthorized request token.
    string response = oAuthWebRequest(Method.GET, REQUEST_TOKEN, String.Empty);
    if (response.Length > 0)
    {
        // The response contains the token and token secret. We only need the token.
        NameValueCollection qs = HttpUtility.ParseQueryString(response);

        // A provider that supports callbacks must echo oauth_callback_confirmed=true.
        if (qs["oauth_callback_confirmed"] != null)
        {
            if (qs["oauth_callback_confirmed"] != "true")
            {
                throw new Exception("OAuth callback not confirmed.");
            }
        }

        // Build the URL the user must visit to approve the application.
        if (qs["oauth_token"] != null)
        {
            ret = AUTHORIZE + "?oauth_token=" + qs["oauth_token"];
        }
    }
    return ret;
}
Marcello Grechi Lins

1 Answer


Don't.

OAuth was designed to require a user to press that button once. If you automate it you will have your application key revoked and your program will no longer work.

What you need to do is save the authorization token locally and reuse that. The user clicks "I Allow" once, then you re-use the authorization token for future connections. You need to check to make sure it is not expired, and if it is, you just re-authorize and they click "I Allow" again.

No website doing OAuth correctly will allow you to bypass the website authorization. Some will allow you to pass the username and password via a query and get a token, but if they have a web authorization, you MUST have the user manually do it.

If you are the OAuth provider and consumer, you need to do something like Dropbox did for their v0 of the API (I can't find any links to their old API; if anyone can find it, edit this post) that passed the username and password to a special address that returned an authorization token without using a webpage. Or you need to use a different authentication scheme than OAuth.

Scott Chamberlain
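One way to do what the answer recommends, as an added example that is not from the question or the answer: the token the user granted once is kept at rest under Windows DPAPI and reused until it nears expiry, and only then does the interactive "I Allow" step run again. The file location, the three-line storage format and the `interactiveAuthorize` callback (assumed to be the caller's own browser-based flow, returning the access token and secret) are assumptions for this example.

```csharp
using System;
using System.IO;
using System.Security.Cryptography;
using System.Text;

public sealed class StoredToken
{
    public string Token;
    public string Secret;
    public DateTime ExpiresUtc;   // DateTime.MaxValue for OAuth 1.0a tokens that never expire
}

public static class TokenStore
{
    // Assumed location: one file per service keeps the consumer code generic.
    static string PathFor(string service) => Path.Combine(
        Environment.GetFolderPath(Environment.SpecialFolder.LocalApplicationData), "oauth-" + service + ".bin");

    public static void Save(string service, StoredToken t)
    {
        string text = t.Token + "\n" + t.Secret + "\n" + t.ExpiresUtc.Ticks;
        // DPAPI binds the ciphertext to the current Windows user; a copied file cannot be decrypted elsewhere.
        byte[] blob = ProtectedData.Protect(Encoding.UTF8.GetBytes(text), null, DataProtectionScope.CurrentUser);
        File.WriteAllBytes(PathFor(service), blob);
    }

    public static StoredToken Load(string service)
    {
        string path = PathFor(service);
        if (!File.Exists(path)) return null;
        try
        {
            byte[] plain = ProtectedData.Unprotect(File.ReadAllBytes(path), null, DataProtectionScope.CurrentUser);
            string[] p = Encoding.UTF8.GetString(plain).Split('\n');
            if (p.Length != 3) return null;
            return new StoredToken { Token = p[0], Secret = p[1], ExpiresUtc = new DateTime(long.Parse(p[2]), DateTimeKind.Utc) };
        }
        catch (CryptographicException) { return null; }   // tampered, or a different Windows user: treat as absent
    }
    // Returns a usable token; the interactive step (the user clicking "I Allow") runs only when
    // nothing is cached or the cached token is within 5 minutes of expiring.
    public static StoredToken GetOrAuthorize(string service, Func<StoredToken> interactiveAuthorize)
    {
        StoredToken cached = Load(service);
        if (cached != null && cached.ExpiresUtc > DateTime.UtcNow.AddMinutes(5)) return cached;
        StoredToken fresh = interactiveAuthorize();
        Save(service, fresh);
        return fresh;
    }
}
```

On a machine where no user can sit in front of the browser, the answer's own advice applies: authorize once elsewhere and copy the protected token to the device, re-protecting it for that device's user account.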
  • Are you sure? So, there is no need, by any means, I can do it manually? Because I just finished last month with LinkedIn, connecting a user (username, password) without prompting for any user input. `Does this make me a hacker?` Just kidding, so you are saying that I can't do this for every service? – Marcello Grechi Lins Jan 12 '12 at 17:32
  • I am not the provider, I will be the consumer, using the API of the services. – Marcello Grechi Lins Jan 12 '12 at 17:35
  • There is a reason the OAuth SDK itself does not allow you to do this: because you're not supposed to do it, the user is supposed to approve it. In theory you should only have to do it once. – Security Hound Jan 12 '12 at 19:07
  • It may not make you a hacker, but **if they do not provide an API to authenticate without using a webpage and you bypass it** your app will violate the agreement you agreed to when they gave you your application key. And violating the agreement means your application key will be pulled, and if it is pulled none of your users can use your app. You need to authorize once and save the token. If you cannot authorize on the device it is supposed to run on, you will need to authorize on something else and then have some way to transmit the token to the device that will use it later. – Scott Chamberlain Jan 12 '12 at 20:25
  • Note that the LinkedIn Terms of Use do not allow Open API applications to collect username and password rather than using OAuth. If your application comes to the notice of our legal team you'll likely get shut down. – Kirsten Jones Jan 12 '12 at 23:12