Search

Twitter API & OAuth 101 TVUG October 2009

Loading...

Flash Player 9 (or above) is needed to view presentations.
We have detected that you do not have it on your computer. To install it, go here.

0 comments

Post a comment

    Post a comment
    Embed Video
    Edit your comment Cancel

    Notes on slide 1

    Who’s heard of Twitter? Who has at least one account? Who’s been using it longer than a year? Who uses a third-party app like Tweetdeck?

    Brainstorming event while Jack was at Odeo in 2006, started as internal service; really broke out at 2007 SXSW. Working name was “Status,” “twitch” was a suggested production name, but it wasn’t quite right for some people. Twitter was the word below it in the dictionary; “twttr” was the original form used, in the spirit of flickr & such. Jack Dorsey, Chairman, Former CEO, Founder, Evan Williams, CEO, Biz Stone, Creative Director. Union Square Ventures early and major backer. Other investors include

    Some apps have already been acquired by Twitter or third parties for significant sums. (Tweetdeck by Seesmic, Summize by Twitter)

    Well over 1 Billion tweets – the first tweet at or over a billion was written in late 2008 by a bot. Go figure. Over 5000 tweets/minute during Obama’s inauguration; now over 10,000-25,000/minute, or 250+ tweets/second. Hundreds of millions of requests served per day. Personally billing more in Twitter work alone in 2009 than I did in total independent consulting in 2008.

    Three different APIs. Mention XMPP. Mention Starling – Ruby persistent queue using memcached, developed in-house. Backend now runs on Scala (over 2009). Interface still runs on Ruby on Rails. Will be focusing on REST and Search APIs tonight.

    REST API can do everything a user can do, and more.

    Recognizes trends, with and without # hashtag syntax. Allows viewing of historical trends, searches for keywords, updates to or from specific users. Started out as Summize, acquired by Twitter in mid-2008. Is not 100% uniform when compared to main REST API. Will migrate to api.twitter.com. In order to correlate a result from the Search API with an actual user, you need to do a lookup against the main API – painful cost when it comes to ratelimiting.

    api.twitter.com is new. Twitter is also introducing API versioning. (ABOUT TIME!) New lat and long parameters, more accurate “near” searches. GeoRSS and GeoJSON. Address Book – allegedly “secure and spammer-hostile” method to find Twitter users given an email address.

    Alex Payne, platform lead, second engineer hired (after Blaine Cook, former lead, former VP)RaffiKrikorian, platform engineer, Marcel Molina, translator & platform engineer and former Rails core team member, Ryan Sarver, platform engineer.

    Twitter is “uncomfortable” use of the word “Tweet” (letter to unnamedapp developer.) MyTwitterButlerautofollow app -> MyPostButler. At least one other instance. Murky. Twitter unresponsive. Disappointing.

    Biz’s blog entry latersays use “tweet,” and talks about the trademark filing. Too bad, they lost the April 16, 2009 trademark filing. Sam Johnston’s blog entry. Use “tweet,” use “post,” use “chat,” don’t use “Twitter.”

    Twitter chokes on Expect headers – make sure to quash them! (Expect defines certain behavior expectations by client.) 302 spam countermeasure … #fail!

    Response to all REST calls includes:X-RateLimit-Limit the current limit in effectX-RateLimit-Remaining the number of hits remaining before you are rate limitedX-RateLimit-Reset the time the current rate limiting period ends in epoch time.

    Whitelisting: per account or per IP

    Who here is familiar with HTTP Basic Authorization? What does it look like? **mention source param**

    [Post update to Twitter using HTTP Basic Auth.] Well gee, that doesn’t seem that tough, and it works. So what’s wrong with it?

    Putting password on the wire – encoded, not encrypted! SSL solves the problem, but not everyone is/was using https calls, and SSL can be expensive. Ratelimit: 150 REST GET/hour.

    Not an authentication protocol per se, but is evolving into or being used as such. Mention 1.0 clickjacking issue. Mention PIN?

    Shared secret – OAuth access token. Nonce value. Timestamp. Signature hash digest of all parameters, sorted lexicographically.

    [Register new OAuth web app with Twitter. Walkthrough user approval process.]

    [Retrieve public timeline. Retrieve individual timeline. Retrieve friends timeline.]

    OK, pulling that information is nice, but I think what we’re probably all a little more interested in is the messaging aspect. [Send update. Send DM. Retrieve DMs.]

    [Query search API; term, username, near, tags. Mention TweetHook?]

    Favorites, Groups & Events

    Twitter API & OAuth 101 TVUG October 2009 - Presentation Transcript

    1. Twitter & OAuth 101
      What’s this twit all about?
      Andy Badera (@andrewbadera)
      andrew@badera.us
      http://blog.badera.us/
      TVUG October 2009
    2. Background
    3. The Numbers
      79.7M users as of October 4th (all inclusive; ~50M “official”)
      $153M in funding as of end of September
      28,000+ applications
      30,000+ developers
      $23M+ invested in third party app startups
    4. Growth April 2008-2009
      Via TechCrunch
    5. APIs
      REST API
      Search API
      Streaming API
    6. REST API
      api.twitter.com
      Returns: XML, JSON, RSS, ATOM
      Read timelines
      Send tweets
      Read/send Direct Messages
    7. Search API
      http://search.twitter.com/
      Returns: JSON, ATOM
      Trends
      Terms (“from:andrewbadera”)
      Geolocation (“near:albany within:5miles”)
    8. New Stuff
      Geolocation (improved)
      Group Lists
      Retweet API
      Address Book
      Apple Push
      Search API cleanup
    9. Fab Four
    10. Platform Team?
    11. Trademark Controversy
    12. What’s safe to use?
      Avoid “Twitter”
      Avoid bird graphics
      Avoid similar UI
      Biz sez: “Use ‘tweet.’”
    13. Goals
      Register a new OAuth application
      Retrieve timelines
      Send Tweets
      Send/Receive Direct Messages
      Query Search API
    14. .NET & Twitter
      Expect-100 Continue (HttpWebRequest) Request.ServicePoint.Expect100Continue = false;
      302 Redirects if ( response.StatusCode == HttpStatusCode.Redirect ) { this.Url = new Uri( uri, response.Headers["Location"] ).ToString(); this.CookieContainer.Add( response.Cookies ); }
      64-bit IDs (ulong - Convert.ToUInt64(“”))
      LinqToTwitterhttp://www.codeplex.com/LinqToTwitter
      Tweetsharphttp://code.google.com/p/tweetsharp/
      DotNetOpenAuthhttp://dotnetopenauth.net:8000/
    15. RateLimit
      Ratelimit: 150 REST GETs/hour
      X-RateLimit
      X-RateLimit-Remaining
      X-RateLimit
      Whitelisted: 20000
    16. Whitelisting
      http://twitter.com/help/request_whitelisting
      Turnaround time
    17. In the beginning, HTTP Basic
      HTTP Basic Authorization
      Simple
      Familiar
      Authorization: Basic QWxhZGRpbjpvcGVuIHNlc2FtZQ==
    18. Basic Auth Pulls a Fail Whale
    19. Downsides of HTTP Basic Auth
      Base64(byte[] “username:password”)
      Giving credentials away to third parties
      Password change
      Trust
      Rate limit by application IP
    20. O-wot?
      Secure API authorization
      Blaine Cook (Twitter)
      Chris Messina (Ma.gnolia)
      Currently: OAuth 1.0A
      OAuth.net
      Shannon Whitley’s OAuthBase.cs
    21. How OAuth Works
      Shared secret
      Nonce
      Timestamp
    22. OAuth & Twitter
      Moves burden of ratelimit to user account
      Read/write (typical)
      Sign-in with Twitter
      “Guns for cash” – one time auth
    23. Timelines
    24. That’s cool, but …
    25. Real-time Search
      User-Agent!
    26. Common OAuth Gotchas
    27. Technical
      Parameter sorting
      Parameter URL encoding
      Server clock
    28. Social
      OAuth is not a panacea!
      Use common sense!
    29. OAuth Best Practice
      “As with OpenID, OAuth is difficult to implement correctly and securely.  Pick a good, dependable library to take a dependency on instead.”
      --Andrew Arnott
      DotNetOpenAuth Author
      via email
    30. Q&A
      Thanks for your time.
      Any questions?
    31. Drinks!
      JJ Rafferty’s
      Route 9
      North of Latham Traffic Circle on right
      Next to Price Chopper parking lot
      Across from Red Robin
    32. Bibliography
      Alex Payne slideshare presentation: “Twitter API 2.0”, http://www.slideshare.net/al3x/twitter-api-20
      Mashable: “Twitter’s Value: 5 Eye-popping Stats”, http://mashable.com/2009/10/04/twitter-stats/
      Biz Stone blog entry: “May the Tweets Be With You” http://blog.twitter.com/2009/07/may-tweets-be-with-you.html
    33. Resources
      Twitter API docs http://apiwiki.twitter.com/
      Twitter Dev list http://groups.google.com/group/twitter-development-talk
      API blog http://apiblog.twitter.com/ (not well updated)
      @andrewbadera (http://twitter.com/andrewbadera)
      http://blog.badera.us/
      andrew@badera.us

    + Andrew BaderaAndrew Badera, 1 month ago

    custom

    378 views, 0 favs, 2 embeds more stats

    More info about this document

    © All Rights Reserved

    Go to text version

    • Total Views 378
      • 354 on SlideShare
      • 24 from embeds
    • Comments 0
    • Favorites 0
    • Downloads 3
    Most viewed embeds
    • 20 views on http://blog.badera.us
    • 4 views on http://marshalsandler.com

    more

    All embeds
    • 20 views on http://blog.badera.us
    • 4 views on http://marshalsandler.com

    less

    Flagged as inappropriate Flag as inappropriate
    Flag as inappropriate

    Select your reason for flagging this presentation as inappropriate. If needed, use the feedback form to let us know more details.

    Cancel
    File a copyright complaint
    Having problems? Go to our helpdesk?

    Categories

    Tags

    -->
    Search
    RSS Feed
    What's new?

    © 2009 SlideShare Inc. All Rights Reserved