Skip to main content

Sneak peek at Twitter's browserless OAuth credentials exchange method

Over the past couple of months the Twitter API Google Group has been overflowing with more and more disgruntled developers complaining about lack of bug fixes, slow rollout of promised features, no mobile interface for OAuth, etc. (The list goes on and on) Well I'm happy to say Twitter appears to be almost done with one much requested feature: browserless OAuth credentials exchange. It was hinted that Seesmic Look was using said exchange so today I took a peek at how Look worked behind the scenes.

To start off Look is using the standard oauth/access_token endpoint on the new https://api.twitter.com subdomain.

In addition to the standard POST headers, Look adds several values that include a username and password for the specific user.


The return value is an access_token as expected plus x_auth_expires whose meaning I can only guess at.


I didn't bother to try the exchange with my own consumer key but I would assume access is limited to specific partners for now.

As excited as I am for using browserless OAuth I'm afraid developers with be lazy and implement the credential exchange instead of the full OAuth flow even in environments well suited to jumping from application to browser.

What do you think of the credentials exchange method?

UPDATE: TweetDeck is also using the new OAuth method.
UPDATE2: The xAuth documentation is live.

Comments

  1. I'm assuming you know about this, but in case not...

    Aral's OAuth post from today ( http://aralbalkan.com/3057) links to a "xAuth" standards draft ( http://tools.ietf.org/html/draft-dehora-farrell-oauth-accesstoken-creds-01 ) which describes something similar to (or precisely) what you found, described above.

    ReplyDelete
  2. In answer to your "x_auth_expires=0" question:

    o x_auth_expires - a timestamp, in seconds since 1970-01-01T00:00,
    at which the Access Token expires, or 0 if no expiry is specified.

    Isaiah

    ReplyDelete
  3. Wait a minute. Isn't the *whole point* of OAuth to avoid credential exchange? Am I missing something here or is this... I don't even know what to call it.

    ReplyDelete
  4. @John: xAuth is designed for use in mobile and destkop environments where there is now web browser or where user experience is prohibitive to use of the application.

    ReplyDelete

Post a Comment

Popular posts from this blog

CloudSense: the Future of Advertising

With the whole cloud taking off and more and more services switching to a push it into the cloud, leave it there until you need it, and pull it out model. I can only imagine what will be switching to this model soon. Oh wait. I can imagine.



Advertising!


Reading an article about how Avril Lavigne is supposed to have a $2 million check "appear" in her mailbox because of the absurd number of streams her videos get from YouTube got me thinking about creator compensation. The problem Avril is having is, a) Google wants to keep the money, and b) Google is having trouble figuring out how to monetize video streams. But on a grander scale it is whoever puts the ads on the page that gets the money not the content creator.

Little known @Twitter and @TwitterAPI tips and tricks

Be sure to comeback as new tips and tricks get added. If you know of anything I missed be sure to let me know.

Static URL for profile images based on screen_name:

https://api.twitter.com/1/users/profile_image/abraham

* This performs a http redirect to the actual profile image URL. Currently https redirects to http. You can also add "?size={mini | bigger | normal}" to get specific sizes.

Redirect to profile based on user_id:

https://twitter.com/account/redirect_by_id?id=9436992

In_reply_to_status_id mentions:

https://api.twitter.com/1/statuses/update.json?status=reply+to+@abraham&in_reply_to_status_id=12410413197

* In the web interface new mentions are only replies if they start with @screen_name. By pushing @screen_name further along in the string your followers who do not follow @screen_name will still see the status.

Profile image sizes:

http://a3.twimg.com/profile_images/54160223/chart-black-small.png

* By default you get the original image size you can add _mini, _normal, and …

Installing Storytlr the lifestreaming platform

"Storytlr is an open source lifestreaming and micro blogging platform. You can use it for a single user or it can act as a host for many people all from the same installation."

I've been looking for something like Storytlr for a few months now or at least trying to do it with Drupal. While I love Drupal and FeedAPI I did not want to spend all that time building a lifestream website. So I've been playing around with Storytlr instead and found it very easy. Here is how I got it up and running on a Ubuntu EC2 server. You can also check out the official Storytlr install instructions.

Assumptions:
LAMP stack installed and running.Domain setup for a directory.MySQL database and user ready to go.Lets get started!
Get the code: wget http://storytlr.googlecode.com/files/storytlr-0.9.2.tgz tar -xvzf storytlr-0.9.2.tgzYou can find out the latest stable release on Storytlr's downloads page.

Import the database:
Within protected/install is database.sql. Import this into your empt…