Andrew Badera, profile picture
Uploaded byAndrew Badera
PPTX, PDF2,360 views

Twitter API & OAuth 101 TVUG October 2009

This document provides an overview of Twitter APIs and OAuth authentication. It discusses Twitter's growth statistics, available APIs for accessing timelines, search, and direct messages. It then covers OAuth and how it provides a more secure way to authorize applications compared to basic authentication. The document concludes with best practices for implementing OAuth and questions from the audience.

Embed presentation

Downloaded 38 times
Twitter & OAuth 101What’s this twit all about?Andy Badera (@andrewbadera)andrew@badera.ushttp://blog.badera.us/TVUG October 2009
Background
The Numbers79.7M users as of October 4th (all inclusive; ~50M “official”)$153M in funding as of end of September28,000+ applications30,000+ developers$23M+ invested in third party app startups
Growth April 2008-2009Via TechCrunch
APIsREST APISearch APIStreaming API
REST APIapi.twitter.comReturns: XML, JSON, RSS, ATOMRead timelinesSend tweetsRead/send Direct Messages
Search APIhttp://search.twitter.com/Returns: JSON, ATOMTrendsTerms (“from:andrewbadera”)Geolocation (“near:albany within:5miles”)
New StuffGeolocation (improved)Group ListsRetweet APIAddress BookApple PushSearch API cleanup
Fab Four
Platform Team?
Trademark Controversy
What’s safe to use?Avoid “Twitter”Avoid bird graphicsAvoid similar UIBiz sez: “Use ‘tweet.’”
GoalsRegister a new OAuth applicationRetrieve timelinesSend TweetsSend/Receive Direct MessagesQuery Search API
.NET & TwitterExpect-100 Continue (HttpWebRequest) Request.ServicePoint.Expect100Continue = false;302 Redirects if ( response.StatusCode == HttpStatusCode.Redirect ) { this.Url = new Uri( uri, response.Headers["Location"] ).ToString(); this.CookieContainer.Add( response.Cookies ); }64-bit IDs (ulong - Convert.ToUInt64(“”))LinqToTwitterhttp://www.codeplex.com/LinqToTwitterTweetsharphttp://code.google.com/p/tweetsharp/DotNetOpenAuthhttp://dotnetopenauth.net:8000/
RateLimitRatelimit: 150 REST GETs/hourX-RateLimitX-RateLimit-RemainingX-RateLimitWhitelisted: 20000
Whitelistinghttp://twitter.com/help/request_whitelistingTurnaround time
In the beginning, HTTP BasicHTTP Basic AuthorizationSimpleFamiliarAuthorization: Basic QWxhZGRpbjpvcGVuIHNlc2FtZQ==
Basic Auth Pulls a Fail Whale
Downsides of HTTP Basic AuthBase64(byte[] “username:password”)Giving credentials away to third partiesPassword changeTrustRate limit by application IP
O-wot?Secure API authorizationBlaine Cook (Twitter)Chris Messina (Ma.gnolia)Currently: OAuth 1.0AOAuth.netShannon Whitley’s OAuthBase.cs
How OAuth WorksShared secretNonceTimestamp
OAuth & TwitterMoves burden of ratelimit to user accountRead/write (typical)Sign-in with Twitter“Guns for cash” – one time auth
Timelines
That’s cool, but …
Real-time SearchUser-Agent!
Common OAuth Gotchas
TechnicalParameter sortingParameter URL encodingServer clock
SocialOAuth is not a panacea!Use common sense!
OAuth Best Practice“As with OpenID, OAuth is difficult to implement correctly and securely.  Pick a good, dependable library to take a dependency on instead.” --Andrew ArnottDotNetOpenAuth Author via email
Q&AThanks for your time.Any questions?
Drinks!JJ Rafferty’sRoute 9North of Latham Traffic Circle on rightNext to Price Chopper parking lotAcross from Red Robin
BibliographyAlex Payne slideshare presentation: “Twitter API 2.0”, http://www.slideshare.net/al3x/twitter-api-20Mashable: “Twitter’s Value: 5 Eye-popping Stats”, http://mashable.com/2009/10/04/twitter-stats/Biz Stone blog entry: “May the Tweets Be With You” http://blog.twitter.com/2009/07/may-tweets-be-with-you.html
ResourcesTwitter API docs http://apiwiki.twitter.com/Twitter Dev list http://groups.google.com/group/twitter-development-talkAPI blog http://apiblog.twitter.com/ (not well updated)@andrewbadera (http://twitter.com/andrewbadera)http://blog.badera.us/andrew@badera.us

More Related Content

KEY
Twitter API 2.0
byAlex Payne
 
PPTX
Advanced phishing for red team assessments
byJEBARAJM
 
PDF
Implementing OAuth with PHP
byLorna Mitchell
 
PDF
Data Driven Security
byApigee | Google Cloud
 
PPTX
Twitter api
bykaleem malick
 
PPTX
Tracking emerging technologies
byDorai Thodla
 
PPTX
Twitter API, Streaming and SharePoint 2013
bySebastian Huppmann
 
PDF
API Security and OAuth for the Enterprise
byCA API Management
 
Twitter API 2.0
byAlex Payne
 
Advanced phishing for red team assessments
byJEBARAJM
 
Implementing OAuth with PHP
byLorna Mitchell
 
Data Driven Security
byApigee | Google Cloud
 
Twitter api
bykaleem malick
 
Tracking emerging technologies
byDorai Thodla
 
Twitter API, Streaming and SharePoint 2013
bySebastian Huppmann
 
API Security and OAuth for the Enterprise
byCA API Management
 

Similar to Twitter API & OAuth 101 TVUG October 2009

PDF
OAuth and OEmbed
byleahculver
 
PPTX
OAuth
byMohan Kumar Tadikimalla
 
PDF
Top X OAuth 2 Hacks
byAntonio Sanso
 
PDF
CIS13: Bootcamp: Ping Identity OAuth and OpenID Connect In Action with PingFe...
byCloudIDSummit
 
PDF
OAuth and why you should use it
bySergey Podgornyy
 
PPTX
O auth
byfaisalqau
 
PPTX
OAuth
byAslam Jarwar
 
PPT
Building and using web services with OAuth
byBruce Boughton
 
PPTX
Maintest 100713212237-phpapp02-100714080303-phpapp02
byMohan Kumar Tadikimalla
 
PPTX
Maintest 100713212237-phpapp02-100714080303-phpapp02
byMohan Kumar Tadikimalla
 
PDF
OAuth - Open API Authentication
byleahculver
 
PPTX
MainFinalOAuth
byMohan Kumar Tadikimalla
 
KEY
Rails 3 and OAuth for Barcamp Tampa
byBryce Kerley
 
PDF
Introduction to OAuth
byPaul Osman
 
PPT
Web 2.0: The How Of OAuth
bynullstyle
 
PPTX
Devteach 2017 OAuth and Open id connect demystified
byTaswar Bhatti
 
PPT
Oauth
byAakanksha Bhardwaj
 
PPTX
OAuth 2 at Webvisions
byAaron Parecki
 
PDF
open id & o-auth
byPaul Fryer
 
PPTX
Maintest2
byMohan Kumar Tadikimalla
 
OAuth and OEmbed
byleahculver
 
OAuth
byMohan Kumar Tadikimalla
 
Top X OAuth 2 Hacks
byAntonio Sanso
 
CIS13: Bootcamp: Ping Identity OAuth and OpenID Connect In Action with PingFe...
byCloudIDSummit
 
OAuth and why you should use it
bySergey Podgornyy
 
O auth
byfaisalqau
 
OAuth
byAslam Jarwar
 
Building and using web services with OAuth
byBruce Boughton
 
Maintest 100713212237-phpapp02-100714080303-phpapp02
byMohan Kumar Tadikimalla
 
Maintest 100713212237-phpapp02-100714080303-phpapp02
byMohan Kumar Tadikimalla
 
OAuth - Open API Authentication
byleahculver
 
MainFinalOAuth
byMohan Kumar Tadikimalla
 
Rails 3 and OAuth for Barcamp Tampa
byBryce Kerley
 
Introduction to OAuth
byPaul Osman
 
Web 2.0: The How Of OAuth
bynullstyle
 
Devteach 2017 OAuth and Open id connect demystified
byTaswar Bhatti
 
Oauth
byAakanksha Bhardwaj
 
OAuth 2 at Webvisions
byAaron Parecki
 
open id & o-auth
byPaul Fryer
 
Maintest2
byMohan Kumar Tadikimalla
 

More from Andrew Badera

PPTX
Azure Machine Learning 101
byAndrew Badera
 
PPTX
SaaSGrid: What's it good for? (2 of 2)
byAndrew Badera
 
PPTX
ASP.NET MVC Web API
byAndrew Badera
 
PPTX
I've Got SaaSGrid: Now What? (1 of 2)
byAndrew Badera
 
PPT
WCF - Tech Valley Code Camp 2008
byAndrew Badera
 
PPTX
WCF in .NET 4.0 - TVUG November 2010
byAndrew Badera
 
PPTX
Windows Azure: Table Store, Service Bus Topics, Push Notifications & Notifica...
byAndrew Badera
 
Azure Machine Learning 101
byAndrew Badera
 
SaaSGrid: What's it good for? (2 of 2)
byAndrew Badera
 
ASP.NET MVC Web API
byAndrew Badera
 
I've Got SaaSGrid: Now What? (1 of 2)
byAndrew Badera
 
WCF - Tech Valley Code Camp 2008
byAndrew Badera
 
WCF in .NET 4.0 - TVUG November 2010
byAndrew Badera
 
Windows Azure: Table Store, Service Bus Topics, Push Notifications & Notifica...
byAndrew Badera
 

Recently uploaded

PDF
Data Virtualization in Action: Scaling APIs and Apps with FME
bySafe Software
 
PDF
Workshop on Sustaining & Growing Open Source Communities - GAS2025
bySammy Fung
 
PPTX
Conversational Agents – Building Intelligent Assistants [Virtual Hands-on Wor...
byUiPathCommunity
 
PPTX
Why Most GenAI Projects Fail to Scale and How to Become One of the Success St...
byEarley Information Science
 
PDF
API-First Architecture in Financial Systems
bycyy111112
 
PDF
Access Control 2025: From Security Silo to Software-Defined Ecosystem
byMemoori
 
PPTX
Gemini vs ChatGPT : Comparing Top AI Models
byDigicarrom
 
PDF
WCAG Analyzer Tools and Techniques for User-Friendly Websites
byAccessibility Analyzer
 
PDF
Security Forum Sessions from Houston 2025 Event
byMark Simos
 
PPTX
How to make Ai agents using Google Gemini AI.pptx
bypkluffy111
 
PPTX
UiPath Autonomous Agents | Building and Orchestrating Agents End-to-End
byUiPathCommunity
 
PDF
CompTIA Cybersecurity Analyst (CySA+) CS0-003: Unit 5
byVICTOR MAESTRE RAMIREZ
 
PDF
What Is a Private LLM and Why Enterprises Need It
byAivada
 
PDF
Lab 1.5 - Sharing Secrets with GPG ~ 2nd Sight Lab Cloud Security Class
by2nd Sight Lab
 
PDF
DevFest El Jadida 2025 - Product Thinking
byElmehdi AMLOU
 
PPTX
wob-report.pptxwob-report.pptxwob-report.pptx
byssuser0d171c
 
PDF
Exam Prep Plan Overview: Amazon Web Services (AWS) Certified
byVICTOR MAESTRE RAMIREZ
 
PDF
WHITE PAPER_ Ransomware Payment Policy and Resilience Strategy_ A Framework f...
byssuser0d171c
 
PDF
Is It Possible to Have Wi-Fi Without an Internet Provider
bySidra Jefferi
 
DOCX
iRobot Post‑Mortem and Alternative Paths - Discussion Document for Boards and...
byDave Litwiller
 
Data Virtualization in Action: Scaling APIs and Apps with FME
bySafe Software
 
Workshop on Sustaining & Growing Open Source Communities - GAS2025
bySammy Fung
 
Conversational Agents – Building Intelligent Assistants [Virtual Hands-on Wor...
byUiPathCommunity
 
Why Most GenAI Projects Fail to Scale and How to Become One of the Success St...
byEarley Information Science
 
API-First Architecture in Financial Systems
bycyy111112
 
Access Control 2025: From Security Silo to Software-Defined Ecosystem
byMemoori
 
Gemini vs ChatGPT : Comparing Top AI Models
byDigicarrom
 
WCAG Analyzer Tools and Techniques for User-Friendly Websites
byAccessibility Analyzer
 
Security Forum Sessions from Houston 2025 Event
byMark Simos
 
How to make Ai agents using Google Gemini AI.pptx
bypkluffy111
 
UiPath Autonomous Agents | Building and Orchestrating Agents End-to-End
byUiPathCommunity
 
CompTIA Cybersecurity Analyst (CySA+) CS0-003: Unit 5
byVICTOR MAESTRE RAMIREZ
 
What Is a Private LLM and Why Enterprises Need It
byAivada
 
Lab 1.5 - Sharing Secrets with GPG ~ 2nd Sight Lab Cloud Security Class
by2nd Sight Lab
 
DevFest El Jadida 2025 - Product Thinking
byElmehdi AMLOU
 
wob-report.pptxwob-report.pptxwob-report.pptx
byssuser0d171c
 
Exam Prep Plan Overview: Amazon Web Services (AWS) Certified
byVICTOR MAESTRE RAMIREZ
 
WHITE PAPER_ Ransomware Payment Policy and Resilience Strategy_ A Framework f...
byssuser0d171c
 
Is It Possible to Have Wi-Fi Without an Internet Provider
bySidra Jefferi
 
iRobot Post‑Mortem and Alternative Paths - Discussion Document for Boards and...
byDave Litwiller
 

Twitter API & OAuth 101 TVUG October 2009

Editor's Notes

  • #2 Who’s heard of Twitter? Who has at least one account? Who’s been using it longer than a year? Who uses a third-party app like Tweetdeck?
  • #3 Brainstorming event while Jack was at Odeo in 2006, started as internal service; really broke out at 2007 SXSW. Working name was “Status,” “twitch” was a suggested production name, but it wasn’t quite right for some people. Twitter was the word below it in the dictionary; “twttr” was the original form used, in the spirit of flickr & such. Jack Dorsey, Chairman, Former CEO, Founder, Evan Williams, CEO, Biz Stone, Creative Director. Union Square Ventures early and major backer. Other investors include
  • #4 Some apps have already been acquired by Twitter or third parties for significant sums. (Tweetdeck by Seesmic, Summize by Twitter)
  • #5 Well over 1 Billion tweets – the first tweet at or over a billion was written in late 2008 by a bot. Go figure. Over 5000 tweets/minute during Obama’s inauguration; now over 10,000-25,000/minute, or 250+ tweets/second. Hundreds of millions of requests served per day. Personally billing more in Twitter work alone in 2009 than I did in total independent consulting in 2008.
  • #6 Three different APIs. Mention XMPP. Mention Starling – Ruby persistent queue using memcached, developed in-house. Backend now runs on Scala (over 2009). Interface still runs on Ruby on Rails. Will be focusing on REST and Search APIs tonight.
  • #7 REST API can do everything a user can do, and more.
  • #8 Recognizes trends, with and without # hashtag syntax. Allows viewing of historical trends, searches for keywords, updates to or from specific users. Started out as Summize, acquired by Twitter in mid-2008. Is not 100% uniform when compared to main REST API. Will migrate to api.twitter.com. In order to correlate a result from the Search API with an actual user, you need to do a lookup against the main API – painful cost when it comes to ratelimiting.
  • #9 api.twitter.com is new. Twitter is also introducing API versioning. (ABOUT TIME!) New lat and long parameters, more accurate “near” searches. GeoRSS and GeoJSON. Address Book – allegedly “secure and spammer-hostile” method to find Twitter users given an email address.
  • #10 Alex Payne, platform lead, second engineer hired (after Blaine Cook, former lead, former VP)RaffiKrikorian, platform engineer, Marcel Molina, translator & platform engineer and former Rails core team member, Ryan Sarver, platform engineer.
  • #12 Twitter is “uncomfortable” use of the word “Tweet” (letter to unnamedapp developer.) MyTwitterButlerautofollow app -> MyPostButler. At least one other instance. Murky. Twitter unresponsive. Disappointing.
  • #13 Biz’s blog entry latersays use “tweet,” and talks about the trademark filing. Too bad, they lost the April 16, 2009 trademark filing. Sam Johnston’s blog entry. Use “tweet,” use “post,” use “chat,” don’t use “Twitter.”
  • #15 Twitter chokes on Expect headers – make sure to quash them! (Expect defines certain behavior expectations by client.) 302 spam countermeasure … #fail!
  • #16 Response to all REST calls includes:X-RateLimit-Limit the current limit in effectX-RateLimit-Remaining the number of hits remaining before you are rate limitedX-RateLimit-Reset the time the current rate limiting period ends in epoch time.
  • #17 Whitelisting: per account or per IP
  • #18 Who here is familiar with HTTP Basic Authorization? What does it look like? **mention source param**
  • #19 [Post update to Twitter using HTTP Basic Auth.] Well gee, that doesn’t seem that tough, and it works. So what’s wrong with it?
  • #20 Putting password on the wire – encoded, not encrypted! SSL solves the problem, but not everyone is/was using https calls, and SSL can be expensive. Ratelimit: 150 REST GET/hour.
  • #21 Not an authentication protocol per se, but is evolving into or being used as such. Mention 1.0 clickjacking issue. Mention PIN?
  • #22 Shared secret – OAuth access token. Nonce value. Timestamp. Signature hash digest of all parameters, sorted lexicographically.
  • #23 [Register new OAuth web app with Twitter. Walkthrough user approval process.]
  • #24 [Retrieve public timeline. Retrieve individual timeline. Retrieve friends timeline.]
  • #25 OK, pulling that information is nice, but I think what we’re probably all a little more interested in is the messaging aspect. [Send update. Send DM. Retrieve DMs.]
  • #26 [Query search API; term, username, near, tags. Mention TweetHook?]