Skip to main content

Sneak peek at Twitter's browserless OAuth credentials exchange method

Over the past couple of months the Twitter API Google Group has been overflowing with more and more disgruntled developers complaining about lack of bug fixes, slow rollout of promised features, no mobile interface for OAuth, etc. (The list goes on and on) Well I'm happy to say Twitter appears to be almost done with one much requested feature: browserless OAuth credentials exchange. It was hinted that Seesmic Look was using said exchange so today I took a peek at how Look worked behind the scenes.

To start off Look is using the standard oauth/access_token endpoint on the new subdomain.

In addition to the standard POST headers, Look adds several values that include a username and password for the specific user.

The return value is an access_token as expected plus x_auth_expires whose meaning I can only guess at.

I didn't bother to try the exchange with my own consumer key but I would assume access is limited to specific partners for now.

As excited as I am for using browserless OAuth I'm afraid developers with be lazy and implement the credential exchange instead of the full OAuth flow even in environments well suited to jumping from application to browser.

What do you think of the credentials exchange method?

UPDATE: TweetDeck is also using the new OAuth method.
UPDATE2: The xAuth documentation is live.


  1. I'm assuming you know about this, but in case not...

    Aral's OAuth post from today ( links to a "xAuth" standards draft ( ) which describes something similar to (or precisely) what you found, described above.

  2. In answer to your "x_auth_expires=0" question:

    o x_auth_expires - a timestamp, in seconds since 1970-01-01T00:00,
    at which the Access Token expires, or 0 if no expiry is specified.


  3. Wait a minute. Isn't the *whole point* of OAuth to avoid credential exchange? Am I missing something here or is this... I don't even know what to call it.

  4. @John: xAuth is designed for use in mobile and destkop environments where there is now web browser or where user experience is prohibitive to use of the application.


Post a Comment

Popular posts from this blog

Installing Storytlr the lifestreaming platform

" Storytlr  is an open source lifestreaming and micro blogging platform. You can use it for a single user or it can act as a host for many people all from the same installation." I've been looking for something like Storytlr for a few months now or at least trying to do it with Drupal . While I love Drupal and FeedAPI  I did not want to spend all that time building a lifestream website. So I've been playing around with Storytlr instead and found it very easy. Here is how I got it up and running on a Ubuntu EC2 server. You can also check out the official Storytlr install instructions . Assumptions: LAMP stack installed and running. Domain setup for a directory. MySQL database and user ready to go. Lets get started! Get the code : wget tar -xvzf storytlr-0.9.2.tgz You can find out the  latest stable release  on Storytlr's downloads page. Import the database : Within protected/install is database.sq

Google+ could bring world peace

Google is the largest web application on the planet with over one billion unique visiters each month. This means that one in seven people on the entire planet used Google over the last 30 days. Having such a massive user base means that someone from pretty much every single geographical, political, and religious group is a user of Google. Once Google+  hits a billion our pals from Mountain View will be in the unique position of potentially bringing about world peace. And I don't mean bringing FarmVille to Google+. How so, you might ask? Well Google is collecting so much personal information that they can create incredibly accurate profiles of personal beliefs and comfort zones. With these personas, the 900,000 machines , a few algorithms, and some time Google can connect people one follow at a time that are of similar interests but ever so slightly contrarian. Eventually even the most conservative views will become more open and accepting just through the everyday contact. On

Sync is currently experiencing problems

Update : I now recommend you install Google Chrome  and  disable  the built in Browser as it supports encrypting all synced data. After picking up a gorgeous  Galaxy Nexus yesterday I was running into an issue where my browser data wasn't syncing to the phone. After a little Googling I found this is commonly caused by having all of my synced Chrome data encrypted instead of the default of only encrypting the passwords. These are the steps I went through to get my dat syncing again without losing any of it. The exact error I was getting was "Sync is currently experiencing problems. It will be back shortly." In Google Chrome open the personal stuff settings page by clicking this link or by opening the wrench menu, and click on "signed in with".  Hit "disconnect your Google Account" to temporarily disable syncing from your browser. Visit the Google Dashboard and "Stop sync and delete data from Google". I waite