Twitter API: Moving From Basic Auth to OAuth

As I mentioned earlier this week, with Foller.me beta 3, people can now follow tweeps directly from the website with a single click, without having to browse to their Twitter profile or give us their Twitter credentials (thanks to OAuth; read this post if you haven’t: The Importance of Using Twitter API via OAuth).

Now, why not take even more advantage of Twitter OAuth? As mentioned in the documentation and a few tweets by @netik (John Adams, Ops Engineer @ Twitter), due to the high growth of Twitter apps being developed every day, the source parameter in the statuses/update calls will no longer give you the desired result (attaching “via Your App Name” with a link to your website to the tweet). Calls with no source parameter come out as “via API”. Ones with unknown source parameters come out as “from web”. This doesn’t apply to already developed apps such as TweetDeck and Seesmic Desktop, which still use the source parameter via Basic Auth.

So how do I get my Twitter app name listed in the tweets?

And the answer is OAuth. Once you subscribe your app to the Applications Using Twitter page, those guys know about you. They know the name of your application and they know where to link if you post “via” your application. The key here is posting “via” your application. Well, the little “Tweet my profile” link at the bottom of a Foller.me profile (if you’re signed in) is fairly simple. We’ve got an authenticated (via OAuth) user and an OAuth request method:

$oauth->OAuthRequest('https://twitter.com/statuses/update.xml',
    array('status' => 'Test OAuth update. #testoauth'), 'POST');

That will post from the authenticated user via your application. Sweet, isn’t it? But you probably know our Foller.me Rundown feature, which tweets through the @fmrd account. It’s totally automated and uses Basic Auth to post. As I said above, Basic Auth will not give us the “from device” bit in your tweets, so we have to use OAuth. And this is actually what I am after.

There are a few request tokens and token secrets that travel between both servers (Twitter and the client) during OAuth authentication. In general OAuth usage, we store them in our users’ sessions on the server. Now what if we store them in our database (or some other place) and, when tweeting via @fmrd, use THEM instead of starting a new Basic Auth session? This means that I somehow need to send myself (on a page closed off by .htaccess or whatever) to the Twitter authentication page with a generated OAuth token; then, whenever Twitter redirects me back to my page, I need to copy the received “request token” and secret and write them down somewhere. I’ll have to dig deeper into OAuth for this, rather than just use a ready-to-go library that works with sessions. I’ll try this method out and write about it next week. It’d be cool if @fmrd could tweet “via Foller.me”.
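
As an added example (not code from Foller.me or the OAuth library used here), this builds the OAuth 1.0a Authorization header for the same statuses/update call from credentials kept on the server rather than in a session; what gets stored is the access token and secret obtained at the end of the authorization flow, which work like a password for the account. The function name, environment variable names and placeholder values are assumptions.

```php
<?php
// Added example: OAuth 1.0a (RFC 5849) HMAC-SHA1 signing with stored credentials.
// rawurlencode() gives the RFC 3986 percent-encoding that OAuth 1.0a requires.

function oauth_header(string $method, string $url, array $params, array $cred): string
{
    $oauth = [
        'oauth_consumer_key'     => $cred['consumer_key'],
        'oauth_token'            => $cred['token'],
        'oauth_signature_method' => 'HMAC-SHA1',
        'oauth_timestamp'        => (string) time(),
        'oauth_nonce'            => bin2hex(random_bytes(16)), // unpredictable, single use
        'oauth_version'          => '1.0',
    ];

    // Signature base string: encode each name and value, sort by name, join.
    $pairs = [];
    foreach ($params + $oauth as $name => $value) {
        $pairs[rawurlencode($name)] = rawurlencode($value);
    }
    ksort($pairs, SORT_STRING);
    $normalized = [];
    foreach ($pairs as $name => $value) {
        $normalized[] = $name . '=' . $value;
    }
    $base = strtoupper($method) . '&' . rawurlencode($url) . '&'
          . rawurlencode(implode('&', $normalized));

    // Signing key: consumer secret and token secret, never sent over the wire.
    $key = rawurlencode($cred['consumer_secret']) . '&' . rawurlencode($cred['token_secret']);
    $oauth['oauth_signature'] = base64_encode(hash_hmac('sha1', $base, $key, true));

    $parts = [];
    foreach ($oauth as $name => $value) {
        $parts[] = rawurlencode($name) . '="' . rawurlencode($value) . '"';
    }
    return 'Authorization: OAuth ' . implode(', ', $parts);
}

// Constructed placeholders and hypothetical variable names; real values belong in the
// environment or a config file outside the web root, not in a session or source control.
$cred = [
    'consumer_key'    => getenv('FMRD_CONSUMER_KEY') ?: 'consumer-key-placeholder',
    'consumer_secret' => getenv('FMRD_CONSUMER_SECRET') ?: 'consumer-secret-placeholder',
    'token'           => getenv('FMRD_ACCESS_TOKEN') ?: 'access-token-placeholder',
    'token_secret'    => getenv('FMRD_ACCESS_TOKEN_SECRET') ?: 'token-secret-placeholder',
];
echo oauth_header('POST', 'https://twitter.com/statuses/update.xml',
    ['status' => 'Test OAuth update. #testoauth'], $cred), PHP_EOL;
```

The header goes on the POST request together with the form-encoded status parameter; the two secrets only ever feed the HMAC key and should not be logged.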

About the author

Konstantin Kovshenin

WordPress Core Contributor, ex-Automattician, public speaker and consultant, enjoying life in Moscow. I blog about tech, WordPress and DevOps.

7 comments

  • Hello Konstantin,

    A few questions to ask… Regarding posting “via” your application: I have created my Twitter app, then use the Snoopy class to post to a Twitter status.

    Then, regarding this one:

    $snoopy->submit(
        'http://twitter.com/statuses/update.json',
        array(
            'status' => $therurl,
            'source' => 'myapp'
        )
    );

    Is it required that myapp is your application name? Or what?
    Hoping for the kind help.

    thanks

    • Thanks Konstantin, I did try the Twitter OAuth PHP library by Abraham Williams using Basic Auth. But still ‘via myapp’ is not yet recognized by Twitter; it is still 'via web'. If xAuth is enabled, does Twitter then recognize "myapp"?

    • Hello Konstantin,

      I'm good now. I contacted Twitter support way back and yeah, they answered all my concerns. Thanks for the help, man. :)

  • Hi Konstantin, very nice blog!

    I also think that OAuth is great, and I feel more comfortable with sites that use it.
    But Basic Auth was working for me because I could post Twitter statuses without visiting the Twitter main site.
    Inside a lot of offices the Twitter main page is blocked, so when Basic Auth becomes unavailable, a lot of people and I will have no more Twitter.

    Do you know any way to auth without twitter main page, when basic auth will be unavailable?

    • Basic Auth will be shut down very soon, in August I believe. If you'd like to cheat on your boss and use Twitter at work, well, get a proxy or something, nah?