Great, our Foller.me Rundown account (@fmrd) now tweets via OAuth and has our application name and link attached to every tweet. It was indeed pretty simple. After reading the specs of the OAuth protocol I came up with a fairly simple solution. I’m using this open source Twitter OAuth php library by Abraham Williams which is quite good, and I do recommend you try some basic OAuth stuff (with sessions, based on Abraham’s example) before proceeding to automated tweeting.
Okay, let me first breifly explain how OAuth at Twitter is supposed to work (focusing on automated work). Step by step:
- You browse to some hidden area (which nobody but you has access to) and initiate the app registration process. At this point, your app should go ask Twitter for a request token and provide you with a link to Twitter authentication (which will contain the received token)
- Next, you click on that link which directs you to Twitter, login, click allow and you’ll be redirected back to your application page (not the hidden area!) with the request token attached to the URL.
- You copy that token, browse back to your hidden area and initiate the app validation process by providing the token in your request (GET)
- Your app will go talk to Twitter again asking them for an access token. It stores that token (in a very safe place) for later use.
That’s pretty much everything. Once you have your access token you can update your status via OAuth as much as you want. Also note that when I mention request token and access token, I mean request token secret and access token secret too. OAuth tokens come in pairs. Token + secret. Yes, it is that simple!
Now let’s get to some coding! Suppse your app is called MyApp and is located at myapp.com. Make sure your hidden area is actually hidden. Choose a nifty directory for your place and make sure you protected it with .htaccess (allow by IP or based on authentication, it’s up to you). Don’t worry, Twitter will not try to access that directory. Twitter (the OAuth Service Provider) doesn’t do anything but give responses to your requests, so block that as strong as possible.
Suppse your hidden server auth place is at myapp.com/hidden/ and there’s an index.php file, your requests would look like this:
That would mean “initiate the OAuth registration process!”, which will give you the URL to Twitter. And:
Which will get your Twitter OAuth access token and store it somewhere safe. Remember that you’ll have to replace the word “whatever” with the request token provided by Twitter after you authorize.
Let’s look at the php code (omitting the includes and blah blah blah). Just read through the comments, you should be able to understand. Also make sure you got your $consumer_key and $consumer_secret setup in the Twitter OAuth applications settings.
// If the "register" parameter is set we create a new TwitterOAuth object
// and request a token
$oauth = new TwitterOAuth($consumer_key, $consumer_secret);
$request = $oauth->getRequestToken();
$request_token = $request["oauth_token"];
$request_token_secret = $request["oauth_token_secret"];
// At this stage you should store the two request tokens somewhere.
// Database or file, whatever. Just make sure it's safe and nobody can read it!
// I'll dump mine into files using file_put_content:
// Generate a request link and output it
$request_link = $oauth->getAuthorizeURL($request);
echo "Request here: <a href="" . $request_link . "">" . $request_link . "</a>";
// This is the validation part. At this point you should read the stored request
// tokens. You'll need them to get your access tokens!
// Mine are located in two files:
$request_token = file_get_contents("request_token");
$request_token_secret = file_get_contents("request_token_secret");
// Initiate a new TwitterOAuth object. This time we provide them with more details:
// The request token and the request token secret
$oauth = new TwitterOAuth($consumer_key, $consumer_secret,
// Ask Twitter for an access token (and an access token secret)
$request = $oauth->getAccessToken();
// There we go
$access_token = $request['oauth_token'];
$access_token_secret = $request['oauth_token_secret'];
// Now store the two tokens into another file (or database or whatever):
// Great! Now we've got the access tokens stored.
// Let's verify credentials and output the username.
// Note that this time we're passing TwitterOAuth the access tokens.
$oauth = new TwitterOAuth($consumer_key, $consumer_secret,
// Send an API request to verify credentials
$credentials = $oauth->oAuthRequest(
// Parse the result (assuming you've got simplexml installed)
$credentials = simplexml_load_string($credentials);
// And finaly output some text
echo "Access token saved! Authorized as @" . $credentials->screen_name;
That’s all. It wasn’t difficult, was it? Now that you’ve got your access tokens stored, you can call Twitter API using OAuth at any time! Here’s a brief example:
// Read the access tokens
$access_token = file_get_contents("path/to/access_token");
$access_token_secret = file_get_contents("path/to/access_token_secret");
// Initiate a TwitterOAuth using those access tokens
$oauth = new TwitterOAuth($consumer_key, $consumer_key_secret,
// Post an update to Twitter via your application:
array('status' => "Hey! I'm posting via #OAuth!"), 'POST');
Then setup a cron job to access that page URL and you’ll be automatically tweeting! That’s about it.
Now, in conclusion, a few security suggestions. Never, NEVER place your tokens into a publicly visible folder. Deny all HTTP access to them via .htaccess (look at the Files directive) and yes, I’m going to let you finish, but please, PLEASE secure that hidden place we talked about earlier. Yes I’m repeating this and I’ll keep repeating it over and over. If hackers gain access to your hidden place, they’ll be able to swap your account with another one (or just break it). If they get to your access tokens, then they might spam through your account. That’s not very nice, is it? So please, IP based security, password protected, whatever. I close the whole directory down with a “deny from all” rule in .htaccess once I got my access tokens, so if for any reason I’d have to update or change them, I’d have to do more than just browse there.
That’s all. Have a good time with Twitter OAuth and I hope everything goes well. Feel free to post questions or any kind of feedback in the comments section.