This document discusses Twitter's implementation of OAuth authentication. It describes how basic authentication worked previously with username and password, and how OAuth provides an improved authorization method using consumer keys, access tokens, and secrets. Various iterations and implementations of OAuth are presented for authenticating photo uploads, posts, and delegating identity verification between applications and Twitter's API. An upcoming solution is proposed for open source applications to utilize OAuth without hardcoding secret keys.

1. Twitter OAuth
@nov
2010 6 25

2. OAuth Echo
2010 6 25

3. echofon
2010 6 25

4. Basic Auth
id & passwd
photo, message
id & passwd
echofon photo, message
2010 6 25

5. OAuth
consumer key & secret
access token & secret
photo, message
oauth header
echofon photo, message
2010 6 25

6. with OAuth
http://j.mp/with_oauth
Simple, but share consumer secret
2010 6 25

7. 2010.02.10
OAuth Echo - delegation in identity verification
http://j.mp/raffi_echo
2010 6 25

8. OAuth Echo
oauth header
photo, message
oauth header
echofon
2010 6 25

9. http://j.mp/with_oauth_echo
2010 6 25

10. 2010.05.24
Delegated identity verification for uploadAndPost
(OAuth Echo for uploadAndPost)
http://j.mp/raffi_echo2
2010 6 25

11. POST /upload
with OAuth header for GET /account/verify_credentials
GET /account/verify_credentials
with given OAuth header
2010 6 25

12. POST /uploadAndPost
with OAuth header for POST /statuses/update
POST /satuses/update
with given OAuth header
2010 6 25

13. POST /uploadAndPost
with OAuth header for POST /statuses/update
401 Unauthorized
POST /satuses/update
with given OAuth header
2010 6 25

14. However, the Consumer has a problem because
it is charged with generating the signature, but it
doesn't know the final caption for the signature
because it doesn't know the URL. This means
Twitter is going to need to do some work.
http://j.mp/raffi_echo2
2010 6 25

15. POST /uploadAndPost
with OAuth header for POST /statuses/update
+ X-OAuth-Payload
POST /satuses/update
with given OAuth header + X-OAuth-Append-Payload
2010 6 25

16. photo = worldcup.png
message = “GO GO #JPN”
X-OAuth-Payload = message
photo = http://twitpic.com/gogo_jpn
message = “GO GO #JPN”
X-OAuth-Append-Payload = photo
2010 6 25

17. photo = worldcup.png
message = “GO GO #JPN”
X-OAuth-Payload = message
photo = http://twitpic.com/gogo_jpn
message = “GO GO #JPN”
X-OAuth-Append-Payload = photo
2010 6 25

18. This is not yet implemented on the Twitter
side, but it will hopefully be soon. I'm definitely
soliciting feedback. http://j.mp/raffi_echo2
2010 6 25

19. follow @raffi
2010 6 25

20. OAuth for Open Source
2010 6 25

21. Coming soon: a solution for Open Source
applications using OAuth with the Twitter API
http://j.mp/twitter_dev_talk
2010 6 25

22. Open Source using Twitter API ... ?
2010 6 25

23. termtter
http://j.mp/termtter
2010 6 25

24. Open Source = Open consumer secret
2010 6 25

25. Coming soon: a solution for Open Source
applications using OAuth with the Twitter API
http://j.mp/twitter_dev_talk
2010 6 25

26. 1. You store your API Consumer Key in your application distribution
(but never your secret!).
2. A user downloads/installs/checks out your open source
application and runs it for the first time
3. Your application builds a URL to our key exchange endpoint, using
your consumer key.
4. You send the user to that URL in whatever way makes sense in
your environment.
5. That user will approve your application's request to replicate itself
on the user's behalf.
6. The user is presented with a string that they are asked to paste
into your application. The string will contain an API key and secret,
in addition to an access token and token secret for the member:
everything that's needed to get the user up and running in your
application.
7. The user pastes the string into your application, which then
consumes and stores it to begin performing API calls using OAuth.
2010 6 25

27. 1. You store your API Consumer Key in your application distribution
(but never your secret!).
2. A user downloads/installs/checks out your open source
application and runs it for the first time
3. Your application builds a URL to our key exchange endpoint, using
your consumer key.
4. You send the user to that URL in whatever way makes sense in
ck=KIyzzZUM7KvKYOpnst2aOw&
your environment.
cs=4PQk1eH4MadmzzEZ1G1KdrWHIFC1IPxv1kXZg0G3E&
at=54221utEhFTv5GZZcc2R4w6thnApKtf1N1eKRedcFJthdeA&
5. That user will approve your application's request to replicate itself
ats=FFdeOzzzzEwxOBWPPREd55 dKx7AAaI8NfpK7xnibv4Yls
on the user's behalf.
6. The user is presented with a string that they are asked to paste
into your application. The string will contain an API key and secret,
in addition to an access token and token secret for the member:
everything that's needed to get the user up and running in your
application.
7. The user pastes the string into your application, which then
consumes and stores it to begin performing API calls using OAuth.
2010 6 25

28. via Termtter (nov)
2010 6 25

29. We're only allowing open source applications
for now. We may consider other use cases in
the future.
I'll post a new message when things are good
to go and we're ready to accept applications
into the feature. http://j.mp/twitter_dev_talk
2010 6 25

30. after #worldcup
2010 6 25