Skip to main content

Hacking Twitter @Anywhere's authentication

OAuth logo
Twitter @Anywhere uses the @OAuth 2 draft (or at least some of it) for authentication and access so I started poking around to see what it supports.

First lets get an oauth_access_token. For OAuth 2 the oauth_access_tokens are short lived and will usually only be valid for a couple of hours. Visit http://abrah.am (or any other @Anywhere enabled site) click on the "Follow @abraham on Twitter" button. This will create a popup where you will log into twitter.com and connect with the @Anywhere application.

Twitter Anywhere authentication popup
@Anywhere authentication window

The @Anywhere application is now authorized to act on behalf of your Twitter application and there is an oauth_access_token in your browsers localStorage as twttr_anywhere. You can use the following JavaScript command to retrieve your oauth_access_token. It works in Google Chrome's built in console, Firebug's console in Firefox and I'm sure other browsers as well.


*Note that the oauth_access_token can be used by itself to act as your Twitter credentials so don't go slinging it around the internet.

Now you have the oauth_access_token what to do with it? Make HTTP request to api.twitter.com over SSL.


What about POSTs? Yep those work too.


Now lets have a look at a method of getting the oauth_access_token that is similar the standard OAuth flow. Redirect a user to https://oauth.twitter.com/2/authorize with three paramaters:

  • oauth_callback_url=http://abrah.am/ - The domain and subdomain must be registered with the Twitter
  • oauth_mode=flow_web_client - Twitter should observe a browser redirect flow
  • oauth_client_identifier=9QR94sYuXI3j6XkYrr1Ybw - The application's @Anywhere API key


Once the user connects their account with they application they are returned to the oauth_callback_url with an oauth_access_token in the url fragment.


The fragment also contains an oauth_bridge_code which can be used to exchange the temporary 2.0 oauth_access_token for a long lasting 1.0 oauth_token. Subscribe to the RSS feed to get notified when that post is published.

Update: Checkout the post on using Twitter Anywhere bridge codes.

Keep in mind that:
  • OAuth 2 access tokens are short lived
  • OAuth 2 access tokens are all that is needed to read and write your accounts Twitter data
  • Anywhere was launched several months ago and the OAuth 2 spec has evolved a lot since then
  • This is an internal authentication method and likely to change in the future

Let me know what you think of OAuth 2 in the comments.

Comments

  1. I don't get it? So you're saying if you authorize an app to work on behalf of your twitter account it can do stuff on behalf of your twitter account? Or am I missing something?

    ReplyDelete
  2. @JacoPretorius: don't understand what you are asking but yes generally when you authorize an application that application can do stuff on behalf of your Twitter account.

    ReplyDelete
  3. This is a very helpful write-up. Thanks.

    Right now, I'm trying to figure out how to retrieve the URL fragment (stuff after the #) in PHP. Seems the query query string doesn't provide access to anything after a pound sign.

    ReplyDelete
  4. @dharmesh: The majority of servers don't provide access to the fragment so you will have to use JavaScript to save it to a cookie or send it back to server.

    ReplyDelete
  5. @abraham: Regarding the location hash -- I believe this is not a server issue (that they don't provide the info) but rather that Browsers don't sent the location hash (#) part of the URL to servers because historically the #info was used for on-page anchors. Now with in-Browser Web apps using in-situ Javascript smarts and doing routing with the location hash (cf. Sammy), it would be nice for Browsers to send the location hash content to the server, though I doubt that will ever happen.

    ReplyDelete
  6. @Zhami: Ah yes. I incorrectly assumed it was a server issue. http://en.wikipedia.org/wiki/Fragment_identifier#Processing

    ReplyDelete
  7. Okay, so I get that you can call the OAuth 1.0 access_token method with the bridge code to get a permanent and long lasting token, but how can I obtain the bridge code via the normal @anywhere authentication mechanism? I see it appear in the popup just after authentication, but the window disappears and I don't know how or where to get it from after that.

    ReplyDelete
  8. Hah. Never mind. Found it here: http://www.slideshare.net/themattharris/twitterapi-at-socialapp-workshop-4829646

    (Go to slide 51).

    ReplyDelete
  9. @Otto: I have a blog post coming that covers all of that in detail.

    ReplyDelete
  10. Hi
    I have an application that when we try to post a tweet, it uses OAuth to allow the user to "Auth" the connection. It's then stored in the twitter profile for that user as a connection (great).

    However, every time they post a new tweet, it continues to ask them to Auth.

    I was under the impression that once the user had "Auth'd" once, they shouldn't be asked every time.

    What are we doing wrong?

    Your help is much appreciated.

    ReplyDelete
  11. Mike: it depends on how you are authenticating. @anywhere for example requires users to connect every couple of hours. That is how Twitter has it set up and it can not be changed. Sign in with Twitter depends on the websites session handling in which case cookies might not be getting set properly or might be to short livid.

    ReplyDelete
  12. have tried it. but isnot working. it doesnt work now, right?

    ReplyDelete
  13. Twitter changed how @anywhere authenticates so this doesn't work anymore. They might have just changed it but I have not had time to see what they changed it.

    ReplyDelete
  14. Twitter changed how @anywhere authenticates so this doesn't work anymore. They might have just changed it but I have not had time to see what they changed it.

    ReplyDelete
  15. Mike: it depends on how you are authenticating. @anywhere for example requires users to connect every couple of hours. That is how Twitter has it set up and it can not be changed. Sign in with Twitter depends on the websites session handling in which case cookies might not be getting set properly or might be to short livid.

    ReplyDelete
  16. Hah. Never mind. Found it here: http://www.slideshare.net/themattharris/twitterapi-at-socialapp-workshop-4829646

    (Go to slide 51).

    ReplyDelete
  17. This is a very helpful write-up. Thanks.

    Right now, I'm trying to figure out how to retrieve the URL fragment (stuff after the #) in PHP. Seems the query query string doesn't provide access to anything after a pound sign.

    ReplyDelete
  18. It looks like Twitter stopped accepting bridge codes:
    http://groups.google.com/group/twitter-development-talk/browse_thread/thread/50fcc4f28cd6b659/

    ReplyDelete

Post a Comment

Popular posts from this blog

Installing Storytlr the lifestreaming platform

" Storytlr  is an open source lifestreaming and micro blogging platform. You can use it for a single user or it can act as a host for many people all from the same installation." I've been looking for something like Storytlr for a few months now or at least trying to do it with Drupal . While I love Drupal and FeedAPI  I did not want to spend all that time building a lifestream website. So I've been playing around with Storytlr instead and found it very easy. Here is how I got it up and running on a Ubuntu EC2 server. You can also check out the official Storytlr install instructions . Assumptions: LAMP stack installed and running. Domain setup for a directory. MySQL database and user ready to go. Lets get started! Get the code : wget http://storytlr.googlecode.com/files/storytlr-0.9.2.tgz tar -xvzf storytlr-0.9.2.tgz You can find out the  latest stable release  on Storytlr's downloads page. Import the database : Within protected/install is database.sq

Sync is currently experiencing problems

Update : I now recommend you install Google Chrome  and  disable  the built in Browser as it supports encrypting all synced data. After picking up a gorgeous  Galaxy Nexus yesterday I was running into an issue where my browser data wasn't syncing to the phone. After a little Googling I found this is commonly caused by having all of my synced Chrome data encrypted instead of the default of only encrypting the passwords. These are the steps I went through to get my dat syncing again without losing any of it. The exact error I was getting was "Sync is currently experiencing problems. It will be back shortly." In Google Chrome open the personal stuff settings page by clicking this link or by opening the wrench menu, and click on "signed in with example@gmail.com".  Hit "disconnect your Google Account" to temporarily disable syncing from your browser. Visit the Google Dashboard and "Stop sync and delete data from Google". I waite

A month of Flutter: a look back

Originally published on bendyworks.com . This is it. 31 blog posts in 31 days. Writing  a month of flutter  has been a ton of work but also lots of fun and a good learning experience. I really appreciate how supportive and and positive everyone as been. Publishing experience For the series I've been posting on  bendyworks.com ,  DEV ,  my personal blog , and  Medium . After publishing to these sites, I would put the Bendyworks link on  Twitter ,  Reddit , and the  Flutter Study Group Slack . Posting to DEV was easy as they use Markdown just like the Bendworks blog. DEV also has built in support for a  series of posts  so it's easy to read the entire series. I did have to manually upload any embedded images. DEV also has a number of  liquid tags  for embedding things like GitHub issues that I didn't make as much use of as I should have. Blogger is rich text so it was easy to copy/paste the rendered posts. This would hotlink all the images though so I had to rem