
Sneak peek at Twitter's browserless OAuth credentials exchange method

Over the past couple of months the Twitter API Google Group has been overflowing with more and more disgruntled developers complaining about lack of bug fixes, slow rollout of promised features, no mobile interface for OAuth, etc. (the list goes on and on). Well, I'm happy to say Twitter appears to be almost done with one much-requested feature: browserless OAuth credentials exchange. It was hinted that Seesmic Look was using said exchange, so today I took a peek at how Look worked behind the scenes.

To start off, Look is using the standard oauth/access_token endpoint on the new https://api.twitter.com subdomain.

In addition to the standard POST headers, Look adds several values that include a username and password for the specific user.


The return value is an access_token as expected plus x_auth_expires whose meaning I can only guess at.


I didn't bother to try the exchange with my own consumer key, but I would assume access is limited to specific partners for now.

As excited as I am for using browserless OAuth, I'm afraid developers will be lazy and implement the credential exchange instead of the full OAuth flow, even in environments well suited to jumping from application to browser.

What do you think of the credentials exchange method?

UPDATE: TweetDeck is also using the new OAuth method.
UPDATE2: The xAuth documentation is live.
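
The exchange described above, as an added Python example that is not code from this post, Twitter or Seesmic: it builds the credential-exchange body, redacts secrets before logging, and parses the token response. The parameter names `x_auth_mode`, `x_auth_username` and `x_auth_password` are taken from Twitter's xAuth documentation rather than from this page, `x_auth_expires` is read as the draft quoted in the comments defines it, OAuth request signing is omitted, and all sample values are constructed.

```python
from datetime import datetime, timezone
from urllib.parse import parse_qsl, urlencode, urlsplit

# Fields that must never reach a log file or crash report.
SECRET_FIELDS = {"x_auth_password", "oauth_token_secret"}

def build_exchange_body(endpoint, username, password):
    """Form body for the credential exchange. Refuses a non-TLS endpoint
    because the user's password travels in this body."""
    if urlsplit(endpoint).scheme != "https":
        raise ValueError("credential exchange must use https")
    return urlencode({
        "x_auth_mode": "client_auth",
        "x_auth_username": username,
        "x_auth_password": password,
    })

def redact(form_body):
    """Copy of a form-encoded body that is safe to write to a log."""
    pairs = parse_qsl(form_body, keep_blank_values=True)
    return urlencode([(k, "REDACTED" if k in SECRET_FIELDS else v) for k, v in pairs])

def parse_token_response(form_body):
    """Return (token, secret, expires_at). expires_at is None when
    x_auth_expires is 0 or absent, meaning no expiry was specified."""
    fields = dict(parse_qsl(form_body, keep_blank_values=True))
    try:
        token, secret = fields["oauth_token"], fields["oauth_token_secret"]
    except KeyError as missing:
        raise ValueError(f"response lacks {missing}") from None
    raw = int(fields.get("x_auth_expires", "0"))
    if raw < 0:
        raise ValueError("negative x_auth_expires")
    expires_at = datetime.fromtimestamp(raw, tz=timezone.utc) if raw else None
    return token, secret, expires_at

def is_expired(expires_at, now=None):
    """True only when an expiry was given and it has passed."""
    now = now or datetime.now(timezone.utc)
    return expires_at is not None and now >= expires_at

# Constructed sample response, not captured traffic.
SAMPLE_RESPONSE = "oauth_token=tok-EXAMPLE&oauth_token_secret=sec-EXAMPLE&x_auth_expires=0"
```

Once the token pair is stored, the client has no further use for the password and should discard it rather than persist it.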

Comments

  1. I'm assuming you know about this, but in case not...

    Aral's OAuth post from today ( http://aralbalkan.com/3057 ) links to an "xAuth" standards draft ( http://tools.ietf.org/html/draft-dehora-farrell-oauth-accesstoken-creds-01 ) which describes something similar to (or precisely) what you found, described above.

  2. In answer to your "x_auth_expires=0" question:

    o x_auth_expires - a timestamp, in seconds since 1970-01-01T00:00,
    at which the Access Token expires, or 0 if no expiry is specified.

    Isaiah

  3. Wait a minute. Isn't the *whole point* of OAuth to avoid credential exchange? Am I missing something here or is this... I don't even know what to call it.

  4. @John: xAuth is designed for use in mobile and desktop environments where there is no web browser or where user experience is prohibitive to use of the application.
