Skip to main content

Hacking Twitter @Anywhere's authentication

OAuth logo
Twitter @Anywhere uses the @OAuth 2 draft (or at least some of it) for authentication and access so I started poking around to see what it supports.

First lets get an oauth_access_token. For OAuth 2 the oauth_access_tokens are short lived and will usually only be valid for a couple of hours. Visit http://abrah.am (or any other @Anywhere enabled site) click on the "Follow @abraham on Twitter" button. This will create a popup where you will log into twitter.com and connect with the @Anywhere application.

Twitter Anywhere authentication popup
@Anywhere authentication window

The @Anywhere application is now authorized to act on behalf of your Twitter application and there is an oauth_access_token in your browsers localStorage as twttr_anywhere. You can use the following JavaScript command to retrieve your oauth_access_token. It works in Google Chrome's built in console, Firebug's console in Firefox and I'm sure other browsers as well.


*Note that the oauth_access_token can be used by itself to act as your Twitter credentials so don't go slinging it around the internet.

Now you have the oauth_access_token what to do with it? Make HTTP request to api.twitter.com over SSL.


What about POSTs? Yep those work too.


Now lets have a look at a method of getting the oauth_access_token that is similar the standard OAuth flow. Redirect a user to https://oauth.twitter.com/2/authorize with three paramaters:

  • oauth_callback_url=http://abrah.am/ - The domain and subdomain must be registered with the Twitter
  • oauth_mode=flow_web_client - Twitter should observe a browser redirect flow
  • oauth_client_identifier=9QR94sYuXI3j6XkYrr1Ybw - The application's @Anywhere API key


Once the user connects their account with they application they are returned to the oauth_callback_url with an oauth_access_token in the url fragment.


The fragment also contains an oauth_bridge_code which can be used to exchange the temporary 2.0 oauth_access_token for a long lasting 1.0 oauth_token. Subscribe to the RSS feed to get notified when that post is published.

Update: Checkout the post on using Twitter Anywhere bridge codes.

Keep in mind that:
  • OAuth 2 access tokens are short lived
  • OAuth 2 access tokens are all that is needed to read and write your accounts Twitter data
  • Anywhere was launched several months ago and the OAuth 2 spec has evolved a lot since then
  • This is an internal authentication method and likely to change in the future

Let me know what you think of OAuth 2 in the comments.
Labels:

Comments

  1. AnonymousThursday, September 02, 2010

    I don't get it? So you're saying if you authorize an app to work on behalf of your twitter account it can do stuff on behalf of your twitter account? Or am I missing something?

    ReplyDelete
  2. Abraham WilliamsThursday, September 02, 2010

    @JacoPretorius: don't understand what you are asking but yes generally when you authorize an application that application can do stuff on behalf of your Twitter account.

    ReplyDelete
  3. Dharmesh ShahThursday, September 09, 2010

    This is a very helpful write-up. Thanks.

    Right now, I'm trying to figure out how to retrieve the URL fragment (stuff after the #) in PHP. Seems the query query string doesn't provide access to anything after a pound sign.

    ReplyDelete
  4. Abraham WilliamsThursday, September 09, 2010

    @dharmesh: The majority of servers don't provide access to the fragment so you will have to use JavaScript to save it to a cookie or send it back to server.

    ReplyDelete
  5. ZhamiFriday, September 10, 2010

    @abraham: Regarding the location hash -- I believe this is not a server issue (that they don't provide the info) but rather that Browsers don't sent the location hash (#) part of the URL to servers because historically the #info was used for on-page anchors. Now with in-Browser Web apps using in-situ Javascript smarts and doing routing with the location hash (cf. Sammy), it would be nice for Browsers to send the location hash content to the server, though I doubt that will ever happen.

    ReplyDelete
  6. Abraham WilliamsFriday, September 10, 2010

    @Zhami: Ah yes. I incorrectly assumed it was a server issue. http://en.wikipedia.org/wiki/Fragment_identifier#Processing

    ReplyDelete
  7. OttoFriday, September 10, 2010

    Okay, so I get that you can call the OAuth 1.0 access_token method with the bridge code to get a permanent and long lasting token, but how can I obtain the bridge code via the normal @anywhere authentication mechanism? I see it appear in the popup just after authentication, but the window disappears and I don't know how or where to get it from after that.

    ReplyDelete
  8. OttoFriday, September 10, 2010

    Hah. Never mind. Found it here: http://www.slideshare.net/themattharris/twitterapi-at-socialapp-workshop-4829646

    (Go to slide 51).

    ReplyDelete
  9. Abraham WilliamsFriday, September 10, 2010

    @Otto: I have a blog post coming that covers all of that in detail.

    ReplyDelete
  10. UnknownWednesday, November 10, 2010

    Hi
    I have an application that when we try to post a tweet, it uses OAuth to allow the user to "Auth" the connection. It's then stored in the twitter profile for that user as a connection (great).

    However, every time they post a new tweet, it continues to ask them to Auth.

    I was under the impression that once the user had "Auth'd" once, they shouldn't be asked every time.

    What are we doing wrong?

    Your help is much appreciated.

    ReplyDelete
  11. Abraham WilliamsWednesday, November 10, 2010

    Mike: it depends on how you are authenticating. @anywhere for example requires users to connect every couple of hours. That is how Twitter has it set up and it can not be changed. Sign in with Twitter depends on the websites session handling in which case cookies might not be getting set properly or might be to short livid.

    ReplyDelete
  12. abcMonday, March 14, 2011

    have tried it. but isnot working. it doesnt work now, right?

    ReplyDelete
  13. Abraham WilliamsWednesday, April 20, 2011

    Twitter changed how @anywhere authenticates so this doesn't work anymore. They might have just changed it but I have not had time to see what they changed it.

    ReplyDelete
  14. abrahamSaturday, May 14, 2011

    Twitter changed how @anywhere authenticates so this doesn't work anymore. They might have just changed it but I have not had time to see what they changed it.

    ReplyDelete
  15. abrahamSaturday, May 14, 2011

    Mike: it depends on how you are authenticating. @anywhere for example requires users to connect every couple of hours. That is how Twitter has it set up and it can not be changed. Sign in with Twitter depends on the websites session handling in which case cookies might not be getting set properly or might be to short livid.

    ReplyDelete
  16. OttoSaturday, May 14, 2011

    Hah. Never mind. Found it here: http://www.slideshare.net/themattharris/twitterapi-at-socialapp-workshop-4829646

    (Go to slide 51).

    ReplyDelete
  17. Dharmesh ShahSaturday, May 14, 2011

    This is a very helpful write-up. Thanks.

    Right now, I'm trying to figure out how to retrieve the URL fragment (stuff after the #) in PHP. Seems the query query string doesn't provide access to anything after a pound sign.

    ReplyDelete
  18. AnonymousThursday, June 16, 2011

    It looks like Twitter stopped accepting bridge codes:
    http://groups.google.com/group/twitter-development-talk/browse_thread/thread/50fcc4f28cd6b659/

    ReplyDelete

Post a Comment

Popular posts from this blog

Installing Storytlr the lifestreaming platform

" Storytlr  is an open source lifestreaming and micro blogging platform. You can use it for a single user or it can act as a host for many people all from the same installation." I've been looking for something like Storytlr for a few months now or at least trying to do it with Drupal . While I love Drupal and FeedAPI  I did not want to spend all that time building a lifestream website. So I've been playing around with Storytlr instead and found it very easy. Here is how I got it up and running on a Ubuntu EC2 server. You can also check out the official Storytlr install instructions . Assumptions: LAMP stack installed and running. Domain setup for a directory. MySQL database and user ready to go. Lets get started! Get the code : wget http://storytlr.googlecode.com/files/storytlr-0.9.2.tgz tar -xvzf storytlr-0.9.2.tgz You can find out the  latest stable release  on Storytlr's downloads page. Import the database : Within protected/install is database.sq
6 comments
Read more

Google+ could bring world peace

Google is the largest web application on the planet with over one billion unique visiters each month. This means that one in seven people on the entire planet used Google over the last 30 days. Having such a massive user base means that someone from pretty much every single geographical, political, and religious group is a user of Google. Once Google+  hits a billion our pals from Mountain View will be in the unique position of potentially bringing about world peace. And I don't mean bringing FarmVille to Google+. How so, you might ask? Well Google is collecting so much personal information that they can create incredibly accurate profiles of personal beliefs and comfort zones. With these personas, the 900,000 machines , a few algorithms, and some time Google can connect people one follow at a time that are of similar interests but ever so slightly contrarian. Eventually even the most conservative views will become more open and accepting just through the everyday contact. On
1 comment
Read more

Sync is currently experiencing problems

Update : I now recommend you install Google Chrome  and  disable  the built in Browser as it supports encrypting all synced data. After picking up a gorgeous  Galaxy Nexus yesterday I was running into an issue where my browser data wasn't syncing to the phone. After a little Googling I found this is commonly caused by having all of my synced Chrome data encrypted instead of the default of only encrypting the passwords. These are the steps I went through to get my dat syncing again without losing any of it. The exact error I was getting was "Sync is currently experiencing problems. It will be back shortly." In Google Chrome open the personal stuff settings page by clicking this link or by opening the wrench menu, and click on "signed in with example@gmail.com".  Hit "disconnect your Google Account" to temporarily disable syncing from your browser. Visit the Google Dashboard and "Stop sync and delete data from Google". I waite
31 comments
Read more