Hacking Twitter @Anywhere's authentication

Twitter @Anywhere uses the @OAuth 2 draft (or at least some of it) for authentication and access, so I started poking around to see what it supports.

First, let's get an oauth_access_token. For OAuth 2 the oauth_access_tokens are short lived and will usually only be valid for a couple of hours. Visit http://abrah.am (or any other @Anywhere enabled site) and click on the "Follow @abraham on Twitter" button. This will create a popup where you will log into twitter.com and connect with the @Anywhere application.

@Anywhere authentication window

The @Anywhere application is now authorized to act on behalf of your Twitter account and there is an oauth_access_token in your browser's localStorage as twttr_anywhere. You can use the following JavaScript command to retrieve your oauth_access_token. It works in Google Chrome's built-in console, Firebug's console in Firefox and I'm sure other browsers as well.


*Note that the oauth_access_token can be used by itself to act as your Twitter credentials, so don't go slinging it around the internet.

Now that you have the oauth_access_token, what do you do with it? Make HTTP requests to api.twitter.com over SSL.


What about POSTs? Yep, those work too.


Now let's have a look at a method of getting the oauth_access_token that is similar to the standard OAuth flow. Redirect a user to https://oauth.twitter.com/2/authorize with three parameters:

  • oauth_callback_url=http://abrah.am/ - The domain and subdomain must be registered with the Twitter
  • oauth_mode=flow_web_client - Twitter should observe a browser redirect flow
  • oauth_client_identifier=9QR94sYuXI3j6XkYrr1Ybw - The application's @Anywhere API key


Once the user connects their account with the application, they are returned to the oauth_callback_url with an oauth_access_token in the URL fragment.


The fragment also contains an oauth_bridge_code which can be used to exchange the temporary 2.0 oauth_access_token for a long-lasting 1.0 oauth_token. Subscribe to the RSS feed to get notified when that post is published.
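
The redirect flow described above, as an added JavaScript example that is not code from the original post: it builds the authorize URL from the three listed parameters and reads the oauth_access_token and oauth_bridge_code out of the callback fragment. The function names, the placeholder token values and the assumption that the fragment is form-encoded key=value pairs are assumptions of this example.

```javascript
// Added example: function names are illustrative, not Twitter's or the author's code.
const AUTHORIZE_ENDPOINT = 'https://oauth.twitter.com/2/authorize';

// Build the redirect URL from the three parameters listed in the post.
function buildAuthorizeUrl(callbackUrl, clientIdentifier) {
  const url = new URL(AUTHORIZE_ENDPOINT);
  url.searchParams.set('oauth_callback_url', callbackUrl);
  url.searchParams.set('oauth_mode', 'flow_web_client');
  url.searchParams.set('oauth_client_identifier', clientIdentifier);
  return url.toString();
}

// Parse the callback URL's fragment. Assumption: the fragment is
// form-encoded (key=value pairs joined by "&"); the post does not show it.
function parseCallback(callbackHref, expectedOrigin) {
  const url = new URL(callbackHref);
  // Only accept a callback that landed on the registered origin.
  if (url.origin !== expectedOrigin) {
    throw new Error('callback arrived on unexpected origin: ' + url.origin);
  }
  const fragment = new URLSearchParams(url.hash.replace(/^#/, ''));
  const accessToken = fragment.get('oauth_access_token');
  if (!accessToken) {
    throw new Error('no oauth_access_token in fragment');
  }
  // Same URL with the fragment dropped, so the token can be scrubbed
  // from the address bar once it has been read.
  url.hash = '';
  return {
    accessToken,
    bridgeCode: fragment.get('oauth_bridge_code'), // null if absent
    cleanUrl: url.toString(),
  };
}

// Constructed sample callback; the token and bridge code are placeholders.
const SAMPLE_CALLBACK =
  'http://abrah.am/#oauth_access_token=PLACEHOLDER_TOKEN' +
  '&oauth_bridge_code=PLACEHOLDER_CODE';

const result = parseCallback(SAMPLE_CALLBACK, 'http://abrah.am');
console.log(buildAuthorizeUrl('http://abrah.am/', '9QR94sYuXI3j6XkYrr1Ybw'));
console.log(result.bridgeCode, result.cleanUrl);
```

In a browser, pass window.location.href to parseCallback and then call history.replaceState(null, '', cleanUrl) so the token does not stay in the address bar or the history entry.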

Update: Check out the post on using Twitter Anywhere bridge codes.

Keep in mind that:
  • OAuth 2 access tokens are short lived
  • OAuth 2 access tokens are all that is needed to read and write your account's Twitter data
  • Anywhere was launched several months ago and the OAuth 2 spec has evolved a lot since then
  • This is an internal authentication method and likely to change in the future

Let me know what you think of OAuth 2 in the comments.