Email
Favorite
Favorited ×
Download
Embed
Private Content
Copy and paste this code into your blog or website Copy Customize Close
We have emailed the verification/download link to "".
Login to your email and click the link to download the file directly.

To request the link at a different email address, update it here. Close
Validation messages. Success message. Fail message.

Check your bulk/spam folders if you can't find our mail.

Loading…

Flash Player 9 (or above) is needed to view presentations.
We have detected that you do not have it on your computer. To install it, go here.

+ Follow

Twitter API & OAuth 101 TVUG October 2009

by Andrew Badera on Oct 13, 2009

3,788 views

More…

Less

5 Embeds 864

http://www.uxmagic.com	805
http://blog.badera.us	27
http://www.slideshare.net	27
http://marshalsandler.com	4
http://webcache.googleusercontent.com	1

Statistics

Favorites: 5
Downloads: 35
Comments: 1
Embed Views: 864
Views on SlideShare: 2,924
Total Views: 3,788

1–1 of 1 previous next

Ujjwal SS , Engineer at SlideShare Inc nice test 6 months ago Reply
Are you sure you want to Yes No

Who’s heard of Twitter? Who has at least one account? Who’s been using it longer than a year? Who uses a third-party app like Tweetdeck?
Brainstorming event while Jack was at Odeo in 2006, started as internal service; really broke out at 2007 SXSW. Working name was “Status,” “twitch” was a suggested production name, but it wasn’t quite right for some people. Twitter was the word below it in the dictionary; “twttr” was the original form used, in the spirit of flickr & such. Jack Dorsey, Chairman, Former CEO, Founder, Evan Williams, CEO, Biz Stone, Creative Director. Union Square Ventures early and major backer. Other investors include
Some apps have already been acquired by Twitter or third parties for significant sums. (Tweetdeck by Seesmic, Summize by Twitter)
Well over 1 Billion tweets – the first tweet at or over a billion was written in late 2008 by a bot. Go figure. Over 5000 tweets/minute during Obama’s inauguration; now over 10,000-25,000/minute, or 250+ tweets/second. Hundreds of millions of requests served per day. Personally billing more in Twitter work alone in 2009 than I did in total independent consulting in 2008.
Three different APIs. Mention XMPP. Mention Starling – Ruby persistent queue using memcached, developed in-house. Backend now runs on Scala (over 2009). Interface still runs on Ruby on Rails. Will be focusing on REST and Search APIs tonight.
REST API can do everything a user can do, and more.
Recognizes trends, with and without # hashtag syntax. Allows viewing of historical trends, searches for keywords, updates to or from specific users. Started out as Summize, acquired by Twitter in mid-2008. Is not 100% uniform when compared to main REST API. Will migrate to api.twitter.com. In order to correlate a result from the Search API with an actual user, you need to do a lookup against the main API – painful cost when it comes to ratelimiting.
api.twitter.com is new. Twitter is also introducing API versioning. (ABOUT TIME!) New lat and long parameters, more accurate “near” searches. GeoRSS and GeoJSON. Address Book – allegedly “secure and spammer-hostile” method to find Twitter users given an email address.
Alex Payne, platform lead, second engineer hired (after Blaine Cook, former lead, former VP)RaffiKrikorian, platform engineer, Marcel Molina, translator & platform engineer and former Rails core team member, Ryan Sarver, platform engineer.
Twitter is “uncomfortable” use of the word “Tweet” (letter to unnamedapp developer.) MyTwitterButlerautofollow app -> MyPostButler. At least one other instance. Murky. Twitter unresponsive. Disappointing.
Biz’s blog entry latersays use “tweet,” and talks about the trademark filing. Too bad, they lost the April 16, 2009 trademark filing. Sam Johnston’s blog entry. Use “tweet,” use “post,” use “chat,” don’t use “Twitter.”
Twitter chokes on Expect headers – make sure to quash them! (Expect defines certain behavior expectations by client.) 302 spam countermeasure … #fail!
Response to all REST calls includes:X-RateLimit-Limit the current limit in effectX-RateLimit-Remaining the number of hits remaining before you are rate limitedX-RateLimit-Reset the time the current rate limiting period ends in epoch time.
Whitelisting: per account or per IP
Who here is familiar with HTTP Basic Authorization? What does it look like? **mention source param**
[Post update to Twitter using HTTP Basic Auth.] Well gee, that doesn’t seem that tough, and it works. So what’s wrong with it?
Putting password on the wire – encoded, not encrypted! SSL solves the problem, but not everyone is/was using https calls, and SSL can be expensive. Ratelimit: 150 REST GET/hour.
Not an authentication protocol per se, but is evolving into or being used as such. Mention 1.0 clickjacking issue. Mention PIN?
Shared secret – OAuth access token. Nonce value. Timestamp. Signature hash digest of all parameters, sorted lexicographically.
[Register new OAuth web app with Twitter. Walkthrough user approval process.]
[Retrieve public timeline. Retrieve individual timeline. Retrieve friends timeline.]
OK, pulling that information is nice, but I think what we’re probably all a little more interested in is the messaging aspect. [Send update. Send DM. Retrieve DMs.]
[Query search API; term, username, near, tags. Mention TweetHook?]

5 Favorites

gespersonal Tags twitter 2 months ago
Ujjwal SS , Engineer at SlideShare Inc 6 months ago
Jonathan Boutelle , entrepreneur CTO at SlideShare Tags oauth 2 years ago
chomas kandar Tags twitter 2 years ago
Goople Tags twitter 2 years ago

Twitter API & OAuth 101 TVUG October 2009 — Presentation Transcript

Twitter & OAuth 101
What’s this twit all about?
Andy Badera (@andrewbadera)
andrew@badera.us
http://blog.badera.us/
TVUG October 2009
Background
The Numbers
79.7M users as of October 4th (all inclusive; ~50M “official”)
$153M in funding as of end of September
28,000+ applications
30,000+ developers
$23M+ invested in third party app startups
Growth April 2008-2009
Via TechCrunch
APIs
REST API
Search API
Streaming API
REST API
api.twitter.com
Returns: XML, JSON, RSS, ATOM
Read timelines
Send tweets
Read/send Direct Messages
Search API
http://search.twitter.com/
Returns: JSON, ATOM
Trends
Terms (“from:andrewbadera”)
Geolocation (“near:albany within:5miles”)
New Stuff
Geolocation (improved)
Group Lists
Retweet API
Address Book
Apple Push
Search API cleanup
Fab Four
Platform Team?
Trademark Controversy
What’s safe to use?
Avoid “Twitter”
Avoid bird graphics
Avoid similar UI
Biz sez: “Use ‘tweet.’”
Goals
Register a new OAuth application
Retrieve timelines
Send Tweets
Send/Receive Direct Messages
Query Search API
.NET & Twitter
Expect-100 Continue (HttpWebRequest) Request.ServicePoint.Expect100Continue = false;
302 Redirects if ( response.StatusCode == HttpStatusCode.Redirect ) { this.Url = new Uri( uri, response.Headers["Location"] ).ToString(); this.CookieContainer.Add( response.Cookies ); }
64-bit IDs (ulong - Convert.ToUInt64(“”))
LinqToTwitterhttp://www.codeplex.com/LinqToTwitter
Tweetsharphttp://code.google.com/p/tweetsharp/
DotNetOpenAuthhttp://dotnetopenauth.net:8000/
RateLimit
Ratelimit: 150 REST GETs/hour
X-RateLimit
X-RateLimit-Remaining
X-RateLimit
Whitelisted: 20000
Whitelisting
http://twitter.com/help/request_whitelisting
Turnaround time
In the beginning, HTTP Basic
HTTP Basic Authorization
Simple
Familiar
Authorization: Basic QWxhZGRpbjpvcGVuIHNlc2FtZQ==
Basic Auth Pulls a Fail Whale
Downsides of HTTP Basic Auth
Base64(byte[] “username:password”)
Giving credentials away to third parties
Password change
Trust
Rate limit by application IP
O-wot?
Secure API authorization
Blaine Cook (Twitter)
Chris Messina (Ma.gnolia)
Currently: OAuth 1.0A
OAuth.net
Shannon Whitley’s OAuthBase.cs
How OAuth Works
Shared secret
Nonce
Timestamp
OAuth & Twitter
Moves burden of ratelimit to user account
Read/write (typical)
Sign-in with Twitter
“Guns for cash” – one time auth
Timelines
That’s cool, but …
Real-time Search
User-Agent!
Common OAuth Gotchas
Technical
Parameter sorting
Parameter URL encoding
Server clock
Social
OAuth is not a panacea!
Use common sense!
OAuth Best Practice
“As with OpenID, OAuth is difficult to implement correctly and securely. Pick a good, dependable library to take a dependency on instead.”
--Andrew Arnott
DotNetOpenAuth Author
via email
Q&A
Thanks for your time.
Any questions?
Drinks!
JJ Rafferty’s
Route 9
North of Latham Traffic Circle on right
Next to Price Chopper parking lot
Across from Red Robin
Bibliography
Alex Payne slideshare presentation: “Twitter API 2.0”, http://www.slideshare.net/al3x/twitter-api-20
Mashable: “Twitter’s Value: 5 Eye-popping Stats”, http://mashable.com/2009/10/04/twitter-stats/
Biz Stone blog entry: “May the Tweets Be With You” http://blog.twitter.com/2009/07/may-tweets-be-with-you.html
Resources
Twitter API docs http://apiwiki.twitter.com/
Twitter Dev list http://groups.google.com/group/twitter-development-talk
API blog http://apiblog.twitter.com/ (not well updated)
@andrewbadera (http://twitter.com/andrewbadera)
http://blog.badera.us/
andrew@badera.us

Twitter API & OAuth 101 TVUG October 2009

by Andrew Badera on Oct 13, 2009

Accessibility

Categories

Tags

Upload Details

Usage Rights

5 Embeds 864

Statistics

Twitter API & OAuth 101 TVUG October 2009 — Presentation Transcript