Twitter API & OAuth 101 TVUG October 2009

  • Who’s heard of Twitter? Who has at least one account? Who’s been using it longer than a year? Who uses a third-party app like Tweetdeck?
  • Brainstorming event while Jack was at Odeo in 2006; started as an internal service and really broke out at SXSW 2007. Working name was “Status”; “twitch” was a suggested production name, but it wasn’t quite right for some people. Twitter was the word below it in the dictionary; “twttr” was the original form used, in the spirit of flickr & such. Jack Dorsey (Chairman, former CEO, founder); Evan Williams (CEO); Biz Stone (Creative Director). Union Square Ventures was an early and major backer. Other investors include
  • Some apps have already been acquired by Twitter or third parties for significant sums. (Tweetdeck by Seesmic, Summize by Twitter)
  • Well over 1 Billion tweets – the first tweet at or over a billion was written in late 2008 by a bot. Go figure. Over 5000 tweets/minute during Obama’s inauguration; now over 10,000-25,000/minute, or 250+ tweets/second. Hundreds of millions of requests served per day. Personally billing more in Twitter work alone in 2009 than I did in total independent consulting in 2008.
  • Three different APIs. Mention XMPP. Mention Starling – Ruby persistent queue using memcached, developed in-house. Backend now runs on Scala (over 2009). Interface still runs on Ruby on Rails. Will be focusing on REST and Search APIs tonight.
  • REST API can do everything a user can do, and more.
  • Recognizes trends, with and without # hashtag syntax. Allows viewing of historical trends, searches for keywords, updates to or from specific users. Started out as Summize, acquired by Twitter in mid-2008. Is not 100% uniform when compared to the main REST API. Will migrate to api.twitter.com. In order to correlate a result from the Search API with an actual user, you need to do a lookup against the main API – a painful cost when it comes to rate limiting.
  • api.twitter.com is new. Twitter is also introducing API versioning. (ABOUT TIME!) New lat and long parameters, more accurate “near” searches. GeoRSS and GeoJSON. Address Book – allegedly “secure and spammer-hostile” method to find Twitter users given an email address.
  • Alex Payne, platform lead, second engineer hired (after Blaine Cook, former lead, former VP); Raffi Krikorian, platform engineer; Marcel Molina, translator & platform engineer and former Rails core team member; Ryan Sarver, platform engineer.
  • Twitter is “uncomfortable” with use of the word “Tweet” (letter to unnamed app developer). MyTwitterButler autofollow app -> MyPostButler. At least one other instance. Murky. Twitter unresponsive. Disappointing.
  • Biz’s blog entry later says use “tweet,” and talks about the trademark filing. Too bad, they lost the April 16, 2009 trademark filing. Sam Johnston’s blog entry. Use “tweet,” use “post,” use “chat,” don’t use “Twitter.”
  • Twitter chokes on Expect headers – make sure to quash them! (Expect defines certain behavior expectations by client.) 302 spam countermeasure … #fail!
  • Response to all REST calls includes:
      X-RateLimit-Limit: the current limit in effect
      X-RateLimit-Remaining: the number of hits remaining before you are rate limited
      X-RateLimit-Reset: the time the current rate limiting period ends, in epoch time.
  • Whitelisting: per account or per IP
  • Who here is familiar with HTTP Basic Authorization? What does it look like? **mention source param**
  • [Post update to Twitter using HTTP Basic Auth.] Well gee, that doesn’t seem that tough, and it works. So what’s wrong with it?
  • Putting the password on the wire – encoded, not encrypted! SSL solves the problem, but not everyone is/was using https calls, and SSL can be expensive. Rate limit: 150 REST GETs/hour.
  • Not an authentication protocol per se, but is evolving into or being used as such. Mention 1.0 clickjacking issue. Mention PIN?
  • Shared secret – OAuth access token. Nonce value. Timestamp. Signature hash digest of all parameters, sorted lexicographically.
  • [Register new OAuth web app with Twitter. Walkthrough user approval process.]
  • [Retrieve public timeline. Retrieve individual timeline. Retrieve friends timeline.]
  • OK, pulling that information is nice, but I think what we’re probably all a little more interested in is the messaging aspect. [Send update. Send DM. Retrieve DMs.]
  • [Query search API; term, username, near, tags. Mention TweetHook?]
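A client-side guard built on the three X-RateLimit-* headers described in the notes above. This is an added example, not code from the talk; the reserve-for-interactive-calls policy and the constructed header values are my own assumptions. Keep one instance per rate-limited identity (the application IP under Basic auth, the user account under OAuth).

```python
import time

# The three headers Twitter returns on every REST call (lower-cased for lookup).
LIMIT, REMAINING, RESET = "x-ratelimit-limit", "x-ratelimit-remaining", "x-ratelimit-reset"


class RateLimitGuard:
    """Tracks the latest X-RateLimit-* values and tells a client when it may call again."""

    def __init__(self, reserve=5):
        self.limit = None       # X-RateLimit-Limit: 150 for a normal account, 20000 whitelisted
        self.remaining = None   # X-RateLimit-Remaining
        self.reset_at = None    # X-RateLimit-Reset, epoch seconds at which the window ends
        self.reserve = reserve  # calls held back from background polling (assumed policy)

    def observe(self, headers):
        # HTTP header names are case-insensitive; normalise before lookup.
        h = {k.lower(): v for k, v in headers.items()}
        self.limit = int(h[LIMIT])
        self.remaining = int(h[REMAINING])
        self.reset_at = int(h[RESET])

    def seconds_until_reset(self, now=None):
        if self.reset_at is None:
            return 0
        now = int(time.time()) if now is None else int(now)
        return max(0, self.reset_at - now)

    def can_call(self, now=None, background=False):
        # Nothing observed yet, or the window has rolled over: the next response resets the counters.
        if self.remaining is None or self.seconds_until_reset(now) == 0:
            return True
        # Background polling stops early so interactive actions (sending a tweet) keep headroom.
        floor = self.reserve if background else 0
        return self.remaining > floor

    def wait_time(self, now=None, background=False):
        """Seconds a caller should sleep before the next request (0 = go ahead)."""
        return 0 if self.can_call(now, background) else self.seconds_until_reset(now)
```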

    1. Twitter & OAuth 101
       What’s this twit all about?
       Andy Badera (@andrewbadera)
       andrew@badera.us
       http://blog.badera.us/
       TVUG October 2009
    2. Background
    3. The Numbers
       79.7M users as of October 4th (all inclusive; ~50M “official”)
       $153M in funding as of end of September
       28,000+ applications
       30,000+ developers
       $23M+ invested in third party app startups
    4. Growth April 2008-2009
       Via TechCrunch
    5. APIs
       REST API
       Search API
       Streaming API
    6. REST API
       api.twitter.com
       Returns: XML, JSON, RSS, ATOM
       Read timelines
       Send tweets
       Read/send Direct Messages
    7. Search API
       http://search.twitter.com/
       Returns: JSON, ATOM
       Trends
       Terms (“from:andrewbadera”)
       Geolocation (“near:albany within:5miles”)
    8. New Stuff
       Geolocation (improved)
       Group Lists
       Retweet API
       Address Book
       Apple Push
       Search API cleanup
    9. Fab Four
    10. Platform Team?
    11. Trademark Controversy
    12. What’s safe to use?
        Avoid “Twitter”
        Avoid bird graphics
        Avoid similar UI
        Biz sez: “Use ‘tweet.’”
    13. Goals
        Register a new OAuth application
        Retrieve timelines
        Send Tweets
        Send/Receive Direct Messages
        Query Search API
    14. .NET & Twitter
        Expect-100 Continue (HttpWebRequest):
            Request.ServicePoint.Expect100Continue = false;
        302 Redirects:
            if ( response.StatusCode == HttpStatusCode.Redirect ) {
                this.Url = new Uri( uri, response.Headers["Location"] ).ToString();
                this.CookieContainer.Add( response.Cookies );
            }
        64-bit IDs (ulong - Convert.ToUInt64(“”))
        LinqToTwitter http://www.codeplex.com/LinqToTwitter
        Tweetsharp http://code.google.com/p/tweetsharp/
        DotNetOpenAuth http://dotnetopenauth.net:8000/
    15. RateLimit
        Rate limit: 150 REST GETs/hour
        X-RateLimit-Limit
        X-RateLimit-Remaining
        X-RateLimit-Reset
        Whitelisted: 20000
    16. Whitelisting
        http://twitter.com/help/request_whitelisting
        Turnaround time
    17. In the beginning, HTTP Basic
        HTTP Basic Authorization
        Simple
        Familiar
        Authorization: Basic QWxhZGRpbjpvcGVuIHNlc2FtZQ==
    18. Basic Auth Pulls a Fail Whale
    19. Downsides of HTTP Basic Auth
        Base64(byte[] “username:password”)
        Giving credentials away to third parties
        Password change
        Trust
        Rate limit by application IP
    20. O-wot?
        Secure API authorization
        Blaine Cook (Twitter)
        Chris Messina (Ma.gnolia)
        Currently: OAuth 1.0A
        OAuth.net
        Shannon Whitley’s OAuthBase.cs
    21. How OAuth Works
        Shared secret
        Nonce
        Timestamp
    22. OAuth & Twitter
        Moves burden of rate limit to user account
        Read/write (typical)
        Sign-in with Twitter
        “Guns for cash” – one time auth
    23. Timelines
    24. That’s cool, but …
    25. Real-time Search
        User-Agent!
    26. Common OAuth Gotchas
    27. Technical
        Parameter sorting
        Parameter URL encoding
        Server clock
    28. Social
        OAuth is not a panacea!
        Use common sense!
    29. OAuth Best Practice
        “As with OpenID, OAuth is difficult to implement correctly and securely. Pick a good, dependable library to take a dependency on instead.”
        --Andrew Arnott, DotNetOpenAuth author, via email
    30. Q&A
        Thanks for your time.
        Any questions?
    31. Drinks!
        JJ Rafferty’s
        Route 9
        North of Latham Traffic Circle on right
        Next to Price Chopper parking lot
        Across from Red Robin
    32. Bibliography
        Alex Payne slideshare presentation: “Twitter API 2.0”, http://www.slideshare.net/al3x/twitter-api-20
        Mashable: “Twitter’s Value: 5 Eye-popping Stats”, http://mashable.com/2009/10/04/twitter-stats/
        Biz Stone blog entry: “May the Tweets Be With You”, http://blog.twitter.com/2009/07/may-tweets-be-with-you.html
    33. Resources
        Twitter API docs http://apiwiki.twitter.com/
        Twitter Dev list http://groups.google.com/group/twitter-development-talk
        API blog http://apiblog.twitter.com/ (not well updated)
        @andrewbadera (http://twitter.com/andrewbadera)
        http://blog.badera.us/
        andrew@badera.us
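The OAuth 1.0A signing steps from the notes (shared secret, nonce, timestamp, signature over the lexicographically sorted parameters) together with the three “Technical” gotchas (parameter sorting, parameter URL encoding, server clock), worked through in Python. This is an added example, not the talk’s code or Shannon Whitley’s OAuthBase.cs; the request URL, keys, secrets and the status text are constructed for illustration.

```python
import base64
import hashlib
import hmac
import secrets
import time
from urllib.parse import urlsplit, urlunsplit

# RFC 3986 unreserved set; everything else becomes %XX with uppercase hex
# (so a space is %20, never '+', and '~' is left bare).
_UNRESERVED = frozenset(
    "ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789-._~")


def percent_encode(value):
    return "".join(ch if ch in _UNRESERVED else
                   "".join(f"%{b:02X}" for b in ch.encode("utf-8"))
                   for ch in str(value))


def normalize_params(params):
    # Gotcha 1 and 2: encode every key and value FIRST, then sort the encoded
    # pairs by key (and by value for duplicate keys).
    pairs = sorted((percent_encode(k), percent_encode(v)) for k, v in params)
    return "&".join(f"{k}={v}" for k, v in pairs)


def signature_base_string(method, url, params):
    # Base URL: lower-case scheme and host, path kept, query string and fragment
    # dropped (query parameters must be passed in `params` instead).
    u = urlsplit(url)
    base_url = urlunsplit((u.scheme.lower(), u.netloc.lower(), u.path, "", ""))
    # The already-encoded parameter string is percent-encoded a second time here.
    return "&".join(percent_encode(part) for part in
                    (method.upper(), base_url, normalize_params(params)))


def sign_request(method, url, params, consumer_secret, token_secret):
    # HMAC-SHA1 keyed with "<consumer secret>&<token secret>" (the shared secrets), base64 output.
    key = f"{percent_encode(consumer_secret)}&{percent_encode(token_secret)}".encode()
    mac = hmac.new(key, signature_base_string(method, url, params).encode(), hashlib.sha1)
    return base64.b64encode(mac.digest()).decode()


def oauth_params(consumer_key, token, nonce=None, timestamp=None):
    # Protocol parameters signed alongside the request's own parameters. Gotcha 3:
    # the timestamp is checked against the server clock, so a skewed client clock
    # produces a perfectly valid signature that the server still rejects.
    return [("oauth_consumer_key", consumer_key),
            ("oauth_nonce", nonce or secrets.token_hex(16)),
            ("oauth_signature_method", "HMAC-SHA1"),
            ("oauth_timestamp", str(timestamp or int(time.time()))),
            ("oauth_token", token),
            ("oauth_version", "1.0")]
```

Pass the result as `oauth_signature` in the Authorization header or the request body; note that the `oauth_signature` value itself is percent-encoded when sent but is never part of the signed parameter set.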
