
Hacking Twitter @Anywhere's authentication

Twitter @Anywhere uses the OAuth 2 draft (or at least parts of it) for authentication and access, so I started poking around to see what it supports.

First, let's get an oauth_access_token. In the OAuth 2 draft as @Anywhere implements it, oauth_access_tokens are short lived and will usually only be valid for a couple of hours. Visit http://abrah.am (or any other @Anywhere enabled site) and click the "Follow @abraham on Twitter" button. This opens a popup where you log into twitter.com and connect your account with the @Anywhere application.

[Screenshot: @Anywhere authentication window]

The @Anywhere application is now authorized to act on behalf of your Twitter account, and there is an oauth_access_token in your browser's localStorage under the key twttr_anywhere. You can retrieve it from the JavaScript console: Google Chrome's built-in console, Firebug's console in Firefox, and I'm sure other browsers' consoles as well.


*Note that the oauth_access_token on its own acts as your Twitter credentials: anyone who has it can read and write your account's data until it expires, so don't go slinging it around the internet.

Now that you have the oauth_access_token, what do you do with it? Make HTTP requests to api.twitter.com over SSL; since the token is the credential, it should never be sent over plain HTTP.


What about POSTs? Yep, those work too.


Now let's have a look at a method of getting the oauth_access_token that is similar to the standard OAuth flow. Redirect the user to https://oauth.twitter.com/2/authorize with three parameters:

  • oauth_callback_url=http://abrah.am/ - The domain and subdomain must be registered with Twitter for the application
  • oauth_mode=flow_web_client - Tells Twitter to use a browser redirect flow
  • oauth_client_identifier=9QR94sYuXI3j6XkYrr1Ybw - The application's @Anywhere API key


Once the user connects their account with the application they are returned to the oauth_callback_url with an oauth_access_token in the URL fragment.


The fragment also contains an oauth_bridge_code, which can be used to exchange the temporary OAuth 2 oauth_access_token for a long-lived OAuth 1.0 oauth_token. Subscribe to the RSS feed to get notified when that post is published.

Update: Check out the post on using Twitter Anywhere bridge codes.
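As an added example (not code from the original post, and not Twitter's own @Anywhere library), here is the client side of the flow_web_client redirect described above, together with the localStorage read from earlier in the post, in JavaScript: building the authorize URL from the three parameters, parsing the oauth_access_token and oauth_bridge_code out of the callback's URL fragment, and reading the token the popup stored under twttr_anywhere. It assumes the fragment is query-style (key=value&key=value), that the stored value is either the bare token or a JSON object with an oauth_access_token property (the post only says the token is stored under that key), and the sample callback URL and token values below are constructed, not captured from Twitter.

```javascript
// Added example, not code from the original post or from Twitter: the browser
// side of the @Anywhere "flow_web_client" redirect flow.
//
// Assumptions, labelled as such:
//  - The callback fragment is query-style, e.g.
//    "#oauth_access_token=...&oauth_bridge_code=..." (the post names both
//    parameters but does not show the raw URL).
//  - localStorage key "twttr_anywhere" holds either the bare token string or
//    a JSON object with an oauth_access_token property; both are handled.
//  - The API key and callback URL used in the sample are the ones quoted in
//    the post; the token values are made up.

const AUTHORIZE_ENDPOINT = 'https://oauth.twitter.com/2/authorize';

// Build the redirect URL. encodeURIComponent matters here: an unescaped
// callback URL containing '&' or '#' would be read as extra parameters.
function buildAuthorizeUrl(clientIdentifier, callbackUrl) {
  const params = {
    oauth_callback_url: callbackUrl,
    oauth_mode: 'flow_web_client',
    oauth_client_identifier: clientIdentifier,
  };
  const query = Object.keys(params)
    .map((k) => `${encodeURIComponent(k)}=${encodeURIComponent(params[k])}`)
    .join('&');
  return `${AUTHORIZE_ENDPOINT}?${query}`;
}

// Parse the part after '#' as "key=value&key2=value2". The fragment is never
// sent to the server, so this has to run in the browser.
function parseFragment(url) {
  const hashIndex = url.indexOf('#');
  if (hashIndex === -1) return {};
  const out = {};
  for (const pair of url.slice(hashIndex + 1).split('&')) {
    if (!pair) continue;
    const eq = pair.indexOf('=');
    const key = decodeURIComponent(eq === -1 ? pair : pair.slice(0, eq));
    const value = eq === -1 ? '' : decodeURIComponent(pair.slice(eq + 1));
    out[key] = value;
  }
  return out;
}

// Pull the two credentials out of the callback URL. Returns null when the
// access token is missing or empty, so a caller never sends a blank token.
function extractCallbackCredentials(url) {
  const frag = parseFragment(url);
  if (!frag.oauth_access_token) return null;
  return {
    accessToken: frag.oauth_access_token,
    bridgeCode: frag.oauth_bridge_code || null,
  };
}

// Read the token the @Anywhere popup left behind. `storage` is any object
// with getItem(), which is what window.localStorage provides; passing it in
// lets the function run outside a browser as well.
function readStoredAccessToken(storage) {
  const raw = storage.getItem('twttr_anywhere');
  if (raw === null || raw === undefined) return null;
  try {
    const parsed = JSON.parse(raw);
    if (parsed && typeof parsed === 'object' && parsed.oauth_access_token) {
      return String(parsed.oauth_access_token);
    }
  } catch (e) {
    // Not JSON: treat the raw value as the token itself (assumption).
  }
  return raw;
}

// Constructed sample: the token and bridge code values are invented.
const SAMPLE_CALLBACK =
  'http://abrah.am/#oauth_access_token=2%2Fabc123&oauth_bridge_code=bridgeXYZ';
```

In a real page you would call extractCallbackCredentials(window.location.href) and readStoredAccessToken(window.localStorage). Because the token arrives in the fragment it never reaches the callback server (the point the comments below make), but it does remain in the browser's history and address bar, so clear the fragment with history.replaceState once it has been read, and treat the stored token the way the post warns: it is the credential.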

Keep in mind that:
  • OAuth 2 access tokens are short lived
  • An OAuth 2 access token is all that is needed to read and write your account's Twitter data
  • @Anywhere was launched several months ago and the OAuth 2 spec has evolved a lot since then
  • This is an internal authentication method and likely to change in the future

Let me know what you think of OAuth 2 in the comments.

Comments

  1. I don't get it? So you're saying if you authorize an app to work on behalf of your twitter account it can do stuff on behalf of your twitter account? Or am I missing something?

  2. @JacoPretorius: I don't understand what you are asking, but yes, generally when you authorize an application that application can do stuff on behalf of your Twitter account.

  3. This is a very helpful write-up. Thanks.

    Right now, I'm trying to figure out how to retrieve the URL fragment (stuff after the #) in PHP. Seems the query string doesn't provide access to anything after a pound sign.

  4. @dharmesh: The majority of servers don't provide access to the fragment so you will have to use JavaScript to save it to a cookie or send it back to server.

  5. @abraham: Regarding the location hash -- I believe this is not a server issue (that they don't provide the info) but rather that Browsers don't send the location hash (#) part of the URL to servers because historically the #info was used for on-page anchors. Now with in-Browser Web apps using in-situ Javascript smarts and doing routing with the location hash (cf. Sammy), it would be nice for Browsers to send the location hash content to the server, though I doubt that will ever happen.

  6. @Zhami: Ah yes. I incorrectly assumed it was a server issue. http://en.wikipedia.org/wiki/Fragment_identifier#Processing

  7. Okay, so I get that you can call the OAuth 1.0 access_token method with the bridge code to get a permanent and long lasting token, but how can I obtain the bridge code via the normal @anywhere authentication mechanism? I see it appear in the popup just after authentication, but the window disappears and I don't know how or where to get it from after that.

  8. Hah. Never mind. Found it here: http://www.slideshare.net/themattharris/twitterapi-at-socialapp-workshop-4829646

    (Go to slide 51).

  9. @Otto: I have a blog post coming that covers all of that in detail.

  10. Hi
    I have an application that when we try to post a tweet, it uses OAuth to allow the user to "Auth" the connection. It's then stored in the twitter profile for that user as a connection (great).

    However, every time they post a new tweet, it continues to ask them to Auth.

    I was under the impression that once the user had "Auth'd" once, they shouldn't be asked every time.

    What are we doing wrong?

    Your help is much appreciated.

  11. Mike: it depends on how you are authenticating. @anywhere, for example, requires users to connect every couple of hours. That is how Twitter has it set up and it can not be changed. Sign in with Twitter depends on the website's session handling, in which case cookies might not be getting set properly or might be too short lived.

  12. Have tried it, but it is not working. It doesn't work now, right?

  13. Twitter changed how @anywhere authenticates so this doesn't work anymore. They might have just changed it, but I have not had time to see what they changed it to.

  18. It looks like Twitter stopped accepting bridge codes:
    http://groups.google.com/group/twitter-development-talk/browse_thread/thread/50fcc4f28cd6b659/

