I got pinless OAuth working on Adobe AIR for Desktop, iOS, but not Android. For some reason, we're not getting the oauth_verifier (which contains the sha'd code) in StageWebView on an Android device. Any clue? Here's the debug for on desktop and on Droid 2; notice the 3rd line in the Droid 2 trace output which is missing all the OAuth variables after the callback URL.
Desktop:
AuthorizeTwitterService::onComplete, data:
oauth_token=De2k4zANjzAhT3hXV4eqOfTVxJsshVIJjgsuwPMUg8&oauth_token_secret=s WsBzyS43nh6DDBwLaogaWpVftoDaiYTJDfBKQE&oauth_callback_confirmed=true
--------------------
TwitterLoginView::onLocationChange
location:
https://api.twitter.com/oauth/authorize?oauth_callback=oob&applicatio...
--------------------
TwitterLoginView::onLocationChange
location: https://api.twitter.com/oauth/authorize
--------------------
TwitterLoginView::onLocationChange
location:
http://www.twitter.com/combovercharlie?oauth_token=De2k4zANjzAhT3hXV4&oauth_verifier=js1B4bAYfUer05a2rlZSDcOLOaIa66q93K24FUzrk
Droid 2:
AuthorizeTwitterService::onComplete, data:
oauth_token=BtwJHbpaS5OWy1AMYdwl0ecGKGpU9AEcyrFYaXQ8&oauth_token_secret=Z2C ff3ECfY5dp8dLLSA9qXvL2SRaZ3v5veStGuA00&oauth_callback_confirmed=true
--------------------
TwitterLoginView::onLocationChange
location:
https://api.twitter.com/oauth/authorize?oauth_callback=oob&applicatio...
Charlie&oauth_token=BtwJHbpaS5OWy1AMYdwl0ecGKGpU9AEcyrFYaXQ8&oauth_consumer _key=LbMYslVau91uSAMZyGsOg
--------------------
TwitterLoginView::onLocationChange
location: https://api.twitter.com/oauth/authorize
--------------------
TwitterLoginView::onLocationChange
location: http://mobile.twitter.com/combovercharlie
I fixed it via Event.COMPLETE for my Droid 2 and Nexus One. I'm not even getting a LocationChangeEvent.LOCATION_CHANGING on my desktop nor Android, but bottom line, Event.COMPLETE does get the oauth_verifier sha'd pin in it. I can parse that out of StageWebView's location property, submit, and I'm good to go. Out of paranoia, I'm leaving all 3 events in there just in case. If you're curious, here's the redirect event differences between OS's via Mark Lochrie: http://kb2.adobe.com/cps/895/cpsid_89526.html.
Also, it's assumed your application is actually registered as a "web application", and not a desktop application, otherwise, you'll be forced to use a pin, and you won't get the oauth_verifier in the response URL. Yes, you can make up a callback URL to whatever you want; just make sure it's a standard URL that hopefully doesn't 404.