2. Let’s do xAuth.
Username: tpFriendlyGiant
Password: %&123!aZ+()456
3. And the same application.
Consumer Key: sGNxxnqgZRHUt6NunK3uw
Consumer Secret: 5kEQypKe7lFHnufLtsocB1vAzO07xLFgp2Pc4sp2vk
4. Each value first needs to be escaped in your POST body
Password “%&123!aZ+()456” becomes:
%25%26123%21aZ%2b%28%29456
Login remains:
tpFriendlyGiant
(new lines added for readability)
5. Your POST body should look like..
x_auth_password=%25%26123%21aZ%2b%28%29456
&x_auth_mode=client_auth
&x_auth_username=tpFriendlyGiant
(new lines added for readability)
6. Crossing now over to the OAuth side
For this request, we’ll use the following request-specific variables:
oauth_timestamp: 1276101652
oauth_nonce: WLxsobj4rhS2xmCbaAeT4aAkRfx4vSHX4OnYpTE77hA
Request URL: https://api.twitter.com/oauth/access_token
7. Building our signature base string...
POST&https%3A%2F%2Fapi.twitter.com%2Foauth
%2Faccess_token&oauth_consumer_key%3DsGNxxnqgZRHUt6NunK3uw
%26oauth_nonce%3DWLxsobj4rhS2xmCbaAeT4aAkRfx4vSHX4OnYpTE77hA
%26oauth_signature_method%3DHMAC-SHA1%26oauth_timestamp
%3D1276101652%26oauth_version%3D1.0%26x_auth_mode
%3Dclient_auth%26x_auth_password%3D%2525%2526123%2521aZ%252B
%2528%2529456%26x_auth_username%3DtpFriendlyGiant
8. Most important to see that this..
x_auth_password=%25%26123%21aZ%2b%28%29456
&x_auth_mode=client_auth
&x_auth_username=tpFriendlyGiant
Becomes that...
%26x_auth_mode%3Dclient_auth%26x_auth_password%3D
%2525%2526123%2521aZ%252B%2528%2529456%26x_auth_username
%3DtpFriendlyGiant
9. Build our HTTP Authentication header
Our signing secret is “5kEQypKe7lFHnufLtsocB1vAzO07xLFgp2Pc4sp2vk&”
OAuth oauth_nonce="WLxsobj4rhS2xmCbaAeT4aAkRfx4vSHX4OnYpTE77hA",
oauth_signature_method="HMAC-SHA1",
oauth_timestamp="1276101652",
oauth_consumer_key="sGNxxnqgZRHUt6NunK3uw",
oauth_signature="yUDBrcMMm6ghqBEKCFKVoJPIacU%3D",
oauth_version="1.0"
Note how it only contains OAuth parameters, not x_auth parameters.
11. Send the request & take the access token from the response
oauth_token=153814517-LktOAPmBRsNWfJHY2DUE9PfFaEX2EYgCkIsAemAP
&oauth_token_secret=WDNVjV9nKuqJftNE7O5KozKxUvECSE234N6HX0gwgM
&user_id=153814517
&screen_name=tpFriendlyGiant
&x_auth_expires=0
12. OAuth & xAuth are better with a friend.
http://github.com/amazingsyco/mgtwitterengine
http://github.com/aral/XAuthTwitterEngine
Need xAuth access?
Send a detailed message to api@twitter.com
14. OAuth Echo
‣ After “Basic Auth shutoff”, how do you use third party services?
‣ you may not have the user’s username / password
‣ the third party service couldn’t do anything with it anyway on the API
‣ OAuth Echo = delegation in identity verification
‣ Pass around information needed for an OAuth call to account/verify_credentials
‣ usernames and passwords are secure
‣ can only be used once
‣ must be used within a particular time window (i.e. it is self expiring)
17. OAuth Echo
‣ It’s really simple - to upload to TwitPic
‣ construct upload request to TwitPic (with the image)
‣ include X-Verify-Credentials-Authorization header - the OAuth Authorization header that TwitPic should send back to Twitter’s API
‣ include X-Auth-Service-Provider header and set it to the target Twitter API auth endpoint
18. OAuth Echo
‣ X-Verify-Credentials-Authorization
‣ include X-Auth-Service-Provider header and set it to https://api.twitter.com/1/account/verify_credentials.json