Re: [twitter-dev] Which api url to use?
It's actually listed on all of the twitter api method pages, except for the OAuth methods. Ryan Sent from my DROID On Feb 22, 2010 1:58 PM, Isaiah Carew isa...@mac.com wrote: i'm bound to forget this in about an hour. is this old/new versioned/not listed somewhere in the API docs? On Feb 22, 2010, at 9:42 AM, Ryan Alford wrote: Yes, those are the ones I am talking about. ...
Re: [twitter-dev] Which api url to use?
The documentation for the 4 OAuth methods does not show the versioning URL. I didn't know if they were moved over or not. Ryan Sent from my DROID On Feb 22, 2010 2:08 PM, Raffi Krikorian ra...@twitter.com wrote: the API wiki docs were painstakingly converted to use the api.twitter.com/1 endpoint. if you spot a place we missed, feel free to pass it along! thanks! On Mon, Feb 22, 2010 at 10:33 AM, Isaiah Carew isa...@mac.com wrote: i'm bound to forget thi...
Re: [twitter-dev] Re: oauth request token failing
Can you post the string that you hash to create the signature? Ryan On Thu, Feb 18, 2010 at 8:42 AM, Berto mstbe...@gmail.com wrote: Even with the URL like this: http://twitter.com/oauth/request_token?oauth_consumer_key= valueoauth_nonce=1266501098oauth_signature_method=HMAC-SHA1oauth_timestamp=1266500348oauth_version=1.0oauth_signature=eGALeAVpxt4CB%2FuHfkLq51%2FWXRk%3D It still fails for me. I've gotta be missing something obvious. Does anything need to go into my header? On Feb 17, 9:47 pm, Ryan Alford ryanalford...@gmail.com wrote: You order all parameters EXCEPT the signature, then create the signature, then append the signature to the end. All other parameters should be in order. Ryan On Wed, Feb 17, 2010 at 6:42 PM, Berto mstbe...@gmail.com wrote: I thought that was only for the signature which is in the right order? Ryan Alford wrote: Your querystring parameters are in the wrong order. You have the oauth_nonce AFTER oauth_timestamp. It needs to be before it. The parameters must be in order. Ryan Sent from my DROID On Feb 17, 2010 6:18 PM, Berto mstbe...@gmail.com wrote: To answer the first email, I was doing that so I could put it in the request header's authorization field to get this effect: (Taken from oauth.net) Authorization: OAuth realm=http://sp.example.com/;, oauth_consumer_key=0685bd9184jfhq22, oauth_token=ad180jjd733klru7, oauth_signature_method=HMAC-SHA1, oauth_signature=wOJIO9A2W5mFwDgiDvZbTSMK%2FPY%3D, oauth_timestamp=137131200, oauth_nonce=4572616e48616d6d65724c61686176, oauth_version=1.0 Then, I thought it might need to go into the WWW-Authenticate field as opposed to the Authorization field so I tried that too with no success. I've also just tried formatting them as GET parameters and attaching them to the request URL, but that isn't working either. 
It would look like: http://twitter.com/oauth/request_token?oauth_consumer_key= valueoauth_signature_method=HMAC-SHA1oauth_timestamp=1266440918oauth_nonce=1266440928oauth_version=1.0oauth_signature=l%2BYDrTyWGpvDu3owDlVQLakzVns%3D On Feb 17, 3:52 pm, Ryan Alford ryanalford...@gmail.com wrote: Can you post the URL with querys... On Wed, Feb 17, 2010 at 4:51 PM, Ryan Alford ryanalford...@gmail.com wrote: Why are you doing this? StringBuilder params = new StringBuilder(); ... On Wed, Feb 17, 2010 at 2:37 PM, Berto mstbe...@gmail.com wrote: Hey guys, I'm w...
Re: [twitter-dev] Re: oauth request token failing
That looks fine. Are you using the Consumer Secret as the key to the hash? Ryan On Thu, Feb 18, 2010 at 9:10 AM, Berto mstbe...@gmail.com wrote: GEThttp%3A%2F%2Ftwitter.com%2Foauth%2Frequest_tokenoauth_consumer_key %3D8hvUTsGttoOBN2ygbDVJw%26oauth_nonce %3D1266502068%26oauth_signature_method%3DHMAC-SHA1%26oauth_timestamp %3D1266501208%26oauth_version%3D1.0 On Feb 18, 8:04 am, Ryan Alford ryanalford...@gmail.com wrote: Can you post the string that you hash to create the signature? Ryan On Thu, Feb 18, 2010 at 8:42 AM, Berto mstbe...@gmail.com wrote: Even with the URL like this: http://twitter.com/oauth/request_token?oauth_consumer_key= valueoauth_nonce=1266501098oauth_signature_method=HMAC-SHA1oauth_timestamp=1266500348oauth_version=1.0oauth_signature=eGALeAVpxt4CB%2FuHfkLq51%2FWXRk%3D It still fails for me. I've gotta be missing something obvious. Does anything need to go into my header? On Feb 17, 9:47 pm, Ryan Alford ryanalford...@gmail.com wrote: You order all parameters EXCEPT the signature, then create the signature, then append the signature to the end. All other parameters should be in order. Ryan On Wed, Feb 17, 2010 at 6:42 PM, Berto mstbe...@gmail.com wrote: I thought that was only for the signature which is in the right order? Ryan Alford wrote: Your querystring parameters are in the wrong order. You have the oauth_nonce AFTER oauth_timestamp. It needs to be before it. The parameters must be in order. 
Ryan Sent from my DROID On Feb 17, 2010 6:18 PM, Berto mstbe...@gmail.com wrote: To answer the first email, I was doing that so I could put it in the request header's authorization field to get this effect: (Taken from oauth.net) Authorization: OAuth realm=http://sp.example.com/;, oauth_consumer_key=0685bd9184jfhq22, oauth_token=ad180jjd733klru7, oauth_signature_method=HMAC-SHA1, oauth_signature=wOJIO9A2W5mFwDgiDvZbTSMK%2FPY%3D, oauth_timestamp=137131200, oauth_nonce=4572616e48616d6d65724c61686176, oauth_version=1.0 Then, I thought it might need to go into the WWW-Authenticate field as opposed to the Authorization field so I tried that too with no success. I've also just tried formatting them as GET parameters and attaching them to the request URL, but that isn't working either. It would look like: http://twitter.com/oauth/request_token?oauth_consumer_key= valueoauth_signature_method=HMAC-SHA1oauth_timestamp=1266440918oauth_nonce=1266440928oauth_version=1.0oauth_signature=l%2BYDrTyWGpvDu3owDlVQLakzVns%3D On Feb 17, 3:52 pm, Ryan Alford ryanalford...@gmail.com wrote: Can you post the URL with querys... On Wed, Feb 17, 2010 at 4:51 PM, Ryan Alford ryanalford...@gmail.com wrote: Why are you doing this? StringBuilder params = new StringBuilder(); ... On Wed, Feb 17, 2010 at 2:37 PM, Berto mstbe...@gmail.com wrote: Hey guys, I'm w...
Re: [twitter-dev] Oauth Signatures
I just tried it and I do get the 401 Unauthorized error when I don't normalize the status text. Ryan On Thu, Feb 18, 2010 at 1:07 PM, Dewald Pretorius dpr...@gmail.com wrote: Can computing the OAuth signature on un-normalized tweet text cause Incorrect Signature issues?
Re: [twitter-dev] Re: Oauth Signatures
In my testing, I got the 401 error when posting a simple status such as testing testing instead of normalizing it to testing%20testing. I can't tell if it's the invalid signature error since I can't figure out how to see that in .Net, but I can see that it's the 401: Unauthorized error. Ryan On Thu, Feb 18, 2010 at 3:03 PM, Dewald Pretorius dpr...@gmail.com wrote: Ryan, Is that with just plain ASCII in the update text that you get a 401 when not normalized? The bulk of my signatures work fine, and I'm not normalizing at this point. It's just now and again that Twitter says 401 Invalid signature on a status update. So, I'm wondering if the text has some strange characters that cause a discrepancy between my sig calc and their sig check. On Feb 18, 3:13 pm, Ryan Alford ryanalford...@gmail.com wrote: I just tried it and I do get the 401 Unauthorized error when I don't normalize the status text. Ryan On Thu, Feb 18, 2010 at 1:07 PM, Dewald Pretorius dpr...@gmail.com wrote: Can computing the OAuth signature on un-normalized tweet text cause Incorrect Signature issues?
Re: [twitter-dev] huge Fail Whale quotient suddenly
Tim, We are working on this for our forthcoming developer site. Mark should be posting to the list in the coming days to get feedback from everyone on what they would like to see. We know it's needed and look forward to finally having something in place. Best, Ryan On Wed, Feb 17, 2010 at 6:54 AM, Tim Haines tmhai...@gmail.com wrote: Hey Raffi, It would probably be helpful for a lot of us if the status blog (or another secondary indicator) was more accurate in terms of being a problem/no problem indicator. Even if it didn't have an indication as to cause or expected time to resolve, just a little flag that said 'we acknowledge an increased error rate right now' it would be helpful. Tim. On Wed, Feb 17, 2010 at 7:27 PM, Raffi Krikorian ra...@twitter.com wrote: yeah - by the time we got ready to put the post up, on this particular issue, we had solved the problem. On Tue, Feb 16, 2010 at 6:30 PM, Abraham Williams 4bra...@gmail.com wrote: Never did get a post on status.twitter.com on this. Abraham On Mon, Feb 15, 2010 at 15:24, Raffi Krikorian ra...@twitter.com wrote: we're aware of the issue and are working on it - i expect a post to status.twitter.com in a bit. On Mon, Feb 15, 2010 at 3:17 PM, Yu-Shan Fung ambivale...@gmail.com wrote: We're seeing the same thing, especially with OAuth. Nothing's posted on status.twitter.com yet. Any updates? Thanks! Yu-Shan On Mon, Feb 15, 2010 at 2:50 PM, Cameron Kaiser spec...@floodgap.com wrote: Over the last few minutes, I'm seeing a huge jump in Fail Whales. What happened? -- personal: http://www.cameronkaiser.com/ -- Cameron Kaiser * Floodgap Systems * www.floodgap.com * ckai...@floodgap.com -- Everyone is entitled to my opinion. -- James Carpenter - -- “When nothing seems to help, I go look at a stonecutter hammering away at his rock perhaps a hundred times without as much as a crack showing in it. 
Yet at the hundred and first blow it will split in two, and I know it was not that blow that did it, but all that had gone before.” — Jacob Riis -- Raffi Krikorian Twitter Platform Team http://twitter.com/raffi -- Abraham Williams | Community Advocate | http://abrah.am Project | Out Loud | http://outloud.labs.poseurtech.com This email is: [ ] shareable [x] ask first [ ] private. Sent from Seattle, WA, United States -- Raffi Krikorian Twitter Platform Team http://twitter.com/raffi
Re: [twitter-dev] oauth request token failing
Why are you doing this?

    StringBuilder params = new StringBuilder();
    params.append(encode("oauth_consumer_key"));
    params.append("=\"");
    params.append(encode(CONSUMER_KEY));
    params.append("\", ");
    params.append(encode("oauth_signature_method"));
    params.append("=\"");
    params.append(encode("HMAC-SHA1"));
    params.append("\", ");
    params.append(encode("oauth_signature"));
    params.append("=\"");
    params.append(encode(sig));
    params.append("\", ");
    params.append(encode("oauth_timestamp"));
    params.append("=\"");
    params.append(encode(Long.toString(timestamp)));
    params.append("\", ");
    params.append(encode("oauth_nonce"));
    params.append("=\"");
    params.append(encode(Long.toString(timestamp + tmp.nextInt(1000))));
    params.append("\", ");
    params.append(encode("oauth_version"));
    params.append("=\"");
    params.append(encode("1.0"));
    params.append("\"");

Are you putting quotation marks around the values? Ryan

On Wed, Feb 17, 2010 at 2:37 PM, Berto mstbe...@gmail.com wrote: Hey guys, I'm writing a client in java and trying to use oauth to get an access token. However, I keep getting an IOException which essentially means I'm getting an HTTP 401 error back (unauthorized). I've verified that my signature algorithm is correct by using some provided examples over at oauth.net, but nothing seems to be working for me. Does the consumer key need an after it? I'm using the exact values provided via the register oauth client page. Here's a snippet of the code:

    HttpURLConnection connection = null;
    BufferedReader reader = null;
    StringBuilder responseBuilder;
    Date date = new Date();
    long time = date.getTime();
    long timestamp = time / 1000;
    Random tmp = new Random();
    try {
        StringBuilder stuff = new StringBuilder();
        stuff.append(encode("oauth_consumer_key"));
        stuff.append("=");
        stuff.append(encode(CONSUMER_KEY));
        stuff.append("&");
        stuff.append(encode("oauth_nonce"));
        stuff.append("=");
        stuff.append(encode(Long.toString(timestamp + tmp.nextInt(1000))));
        stuff.append("&");
        stuff.append(encode("oauth_signature_method"));
        stuff.append("=");
        stuff.append(encode("HMAC-SHA1"));
        stuff.append("&");
        stuff.append(encode("oauth_timestamp"));
        stuff.append("=");
        stuff.append(encode(Long.toString(timestamp)));
        stuff.append("&");
        stuff.append(encode("oauth_version"));
        stuff.append("=");
        stuff.append(encode("1.0"));
        StringBuffer base = new StringBuffer("GET").append("&")
                .append(encode("http://twitter.com/oauth/request_token")).append("&");
        base.append(encode(stuff.toString()));
        String oauthBaseString = base.toString();
        String sig = signature(oauthBaseString, CONSUMER_SECRET);
        StringBuilder params = new StringBuilder();
        params.append(encode("oauth_consumer_key"));
        params.append("=\"");
        params.append(encode(CONSUMER_KEY));
        params.append("\", ");
        params.append(encode("oauth_signature_method"));
        params.append("=\"");
        params.append(encode("HMAC-SHA1"));
        params.append("\", ");
        params.append(encode("oauth_signature"));
        params.append("=\"");
        params.append(encode(sig));
        params.append("\", ");
        params.append(encode("oauth_timestamp"));
        params.append("=\"");
        params.append(encode(Long.toString(timestamp)));
        params.append("\", ");
        params.append(encode("oauth_nonce"));
        params.append("=\"");
        params.append(encode(Long.toString(timestamp + tmp.nextInt(1000))));
        params.append("\", ");
        params.append(encode("oauth_version"));
        params.append("=\"");
        params.append(encode("1.0"));
        params.append("\"");
        // Prepare the connection
        URL url = new URL("http://twitter.com/oauth/request_token");
        connection = (HttpURLConnection) url.openConnection();
        connection.setRequestMethod("GET");
        connection.setRequestProperty("WWW-Authenticate", "OAuth " + params.toString());
        connection.setConnectTimeout(3);
        connection.setReadTimeout(3);
        // Read the response
Re: [twitter-dev] oauth request token failing
Can you post the URL with querystring parameters when you make the request? Ryan

On Wed, Feb 17, 2010 at 4:51 PM, Ryan Alford ryanalford...@gmail.com wrote: Why are you doing this?

    StringBuilder params = new StringBuilder();
    params.append(encode("oauth_consumer_key"));
    params.append("=\"");
    params.append(encode(CONSUMER_KEY));
    params.append("\", ");
    params.append(encode("oauth_signature_method"));
    params.append("=\"");
    params.append(encode("HMAC-SHA1"));
    params.append("\", ");
    params.append(encode("oauth_signature"));
    params.append("=\"");
    params.append(encode(sig));
    params.append("\", ");
    params.append(encode("oauth_timestamp"));
    params.append("=\"");
    params.append(encode(Long.toString(timestamp)));
    params.append("\", ");
    params.append(encode("oauth_nonce"));
    params.append("=\"");
    params.append(encode(Long.toString(timestamp + tmp.nextInt(1000))));
    params.append("\", ");
    params.append(encode("oauth_version"));
    params.append("=\"");
    params.append(encode("1.0"));
    params.append("\"");

Are you putting quotation marks around the values? Ryan

On Wed, Feb 17, 2010 at 2:37 PM, Berto mstbe...@gmail.com wrote: Hey guys, I'm writing a client in java and trying to use oauth to get an access token. However, I keep getting an IOException which essentially means I'm getting an HTTP 401 error back (unauthorized). I've verified that my signature algorithm is correct by using some provided examples over at oauth.net, but nothing seems to be working for me. Does the consumer key need an after it? I'm using the exact values provided via the register oauth client page. Here's a snippet of the code:

    HttpURLConnection connection = null;
    BufferedReader reader = null;
    StringBuilder responseBuilder;
    Date date = new Date();
    long time = date.getTime();
    long timestamp = time / 1000;
    Random tmp = new Random();
    try {
        StringBuilder stuff = new StringBuilder();
        stuff.append(encode("oauth_consumer_key"));
        stuff.append("=");
        stuff.append(encode(CONSUMER_KEY));
        stuff.append("&");
        stuff.append(encode("oauth_nonce"));
        stuff.append("=");
        stuff.append(encode(Long.toString(timestamp + tmp.nextInt(1000))));
        stuff.append("&");
        stuff.append(encode("oauth_signature_method"));
        stuff.append("=");
        stuff.append(encode("HMAC-SHA1"));
        stuff.append("&");
        stuff.append(encode("oauth_timestamp"));
        stuff.append("=");
        stuff.append(encode(Long.toString(timestamp)));
        stuff.append("&");
        stuff.append(encode("oauth_version"));
        stuff.append("=");
        stuff.append(encode("1.0"));
        StringBuffer base = new StringBuffer("GET").append("&")
                .append(encode("http://twitter.com/oauth/request_token")).append("&");
        base.append(encode(stuff.toString()));
        String oauthBaseString = base.toString();
        String sig = signature(oauthBaseString, CONSUMER_SECRET);
        StringBuilder params = new StringBuilder();
        params.append(encode("oauth_consumer_key"));
        params.append("=\"");
        params.append(encode(CONSUMER_KEY));
        params.append("\", ");
        params.append(encode("oauth_signature_method"));
        params.append("=\"");
        params.append(encode("HMAC-SHA1"));
        params.append("\", ");
        params.append(encode("oauth_signature"));
        params.append("=\"");
        params.append(encode(sig));
        params.append("\", ");
        params.append(encode("oauth_timestamp"));
        params.append("=\"");
        params.append(encode(Long.toString(timestamp)));
        params.append("\", ");
        params.append(encode("oauth_nonce"));
        params.append("=\"");
        params.append(encode(Long.toString(timestamp + tmp.nextInt(1000))));
        params.append("\", ");
        params.append(encode("oauth_version"));
        params.append("=\"");
        params.append(encode("1.0"));
        params.append("\"");
        // Prepare the connection
        URL url = new URL("http://twitter.com/oauth/request_token");
        connection = (HttpURLConnection) url.openConnection();
        connection.setRequestMethod("GET");
        connection.setRequestProperty(WWW
Re: [twitter-dev] Re: oauth request token failing
Your querystring parameters are in the wrong order. You have the oauth_nonce AFTER oauth_timestamp. It needs to be before it. The parameters must be in order. Ryan Sent from my DROID On Feb 17, 2010 6:18 PM, Berto mstbe...@gmail.com wrote: To answer the first email, I was doing that so I could put it in the request header's authorization field to get this effect: (Taken from oauth.net) Authorization: OAuth realm=http://sp.example.com/;, oauth_consumer_key=0685bd9184jfhq22, oauth_token=ad180jjd733klru7, oauth_signature_method=HMAC-SHA1, oauth_signature=wOJIO9A2W5mFwDgiDvZbTSMK%2FPY%3D, oauth_timestamp=137131200, oauth_nonce=4572616e48616d6d65724c61686176, oauth_version=1.0 Then, I thought it might need to go into the WWW-Authenticate field as opposed to the Authorization field so I tried that too with no success. I've also just tried formatting them as GET parameters and attaching them to the request URL, but that isn't working either. It would look like: http://twitter.com/oauth/request_token?oauth_consumer_key= valueoauth_signature_method=HMAC-SHA1oauth_timestamp=1266440918oauth_nonce=1266440928oauth_version=1.0oauth_signature=l%2BYDrTyWGpvDu3owDlVQLakzVns%3D On Feb 17, 3:52 pm, Ryan Alford ryanalford...@gmail.com wrote: Can you post the URL with querys... On Wed, Feb 17, 2010 at 4:51 PM, Ryan Alford ryanalford...@gmail.com wrote: Why are you doing this? StringBuilder params = new StringBuilder(); ... On Wed, Feb 17, 2010 at 2:37 PM, Berto mstbe...@gmail.com wrote: Hey guys, I'm w...
Re: [twitter-dev] Re: oauth request token failing
You order all parameters EXCEPT the signature, then create the signature, then append the signature to the end. All other parameters should be in order. Ryan On Wed, Feb 17, 2010 at 6:42 PM, Berto mstbe...@gmail.com wrote: I thought that was only for the signature which is in the right order? Ryan Alford wrote: Your querystring parameters are in the wrong order. You have the oauth_nonce AFTER oauth_timestamp. It needs to be before it. The parameters must be in order. Ryan Sent from my DROID On Feb 17, 2010 6:18 PM, Berto mstbe...@gmail.com wrote: To answer the first email, I was doing that so I could put it in the request header's authorization field to get this effect: (Taken from oauth.net) Authorization: OAuth realm=http://sp.example.com/;, oauth_consumer_key=0685bd9184jfhq22, oauth_token=ad180jjd733klru7, oauth_signature_method=HMAC-SHA1, oauth_signature=wOJIO9A2W5mFwDgiDvZbTSMK%2FPY%3D, oauth_timestamp=137131200, oauth_nonce=4572616e48616d6d65724c61686176, oauth_version=1.0 Then, I thought it might need to go into the WWW-Authenticate field as opposed to the Authorization field so I tried that too with no success. I've also just tried formatting them as GET parameters and attaching them to the request URL, but that isn't working either. It would look like: http://twitter.com/oauth/request_token?oauth_consumer_key= valueoauth_signature_method=HMAC-SHA1oauth_timestamp=1266440918oauth_nonce=1266440928oauth_version=1.0oauth_signature=l%2BYDrTyWGpvDu3owDlVQLakzVns%3D On Feb 17, 3:52 pm, Ryan Alford ryanalford...@gmail.com wrote: Can you post the URL with querys... On Wed, Feb 17, 2010 at 4:51 PM, Ryan Alford ryanalford...@gmail.com wrote: Why are you doing this? StringBuilder params = new StringBuilder(); ... On Wed, Feb 17, 2010 at 2:37 PM, Berto mstbe...@gmail.com wrote: Hey guys, I'm w...
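The signing rules discussed in this thread and in the "Oauth Signatures" thread above (sort every parameter except oauth_signature, percent-encode a space as %20, key the HMAC with the consumer secret), as an added Java example that is not code from any poster. The class name, the constructed key and secret, and the api.example.com URL are assumptions.

```java
import java.math.BigInteger;
import java.net.URLEncoder;
import java.nio.charset.StandardCharsets;
import java.security.MessageDigest;
import java.security.SecureRandom;
import java.util.Base64;
import java.util.LinkedHashMap;
import java.util.Map;
import java.util.TreeMap;
import javax.crypto.Mac;
import javax.crypto.spec.SecretKeySpec;

public class OAuthSignatureExample {

    // Percent-encode as OAuth 1.0 expects: a space becomes %20 (never '+'),
    // '*' is escaped and '~' is left alone.
    static String encode(String s) throws Exception {
        return URLEncoder.encode(s, "UTF-8")
                .replace("+", "%20").replace("*", "%2A").replace("%7E", "~");
    }

    // Signature base string: METHOD & encoded URL & encoded parameter string.
    // Every parameter except oauth_signature is encoded and sorted by name.
    // Simplification: one value per parameter name.
    static String baseString(String method, String url, Map<String, String> params) throws Exception {
        TreeMap<String, String> sorted = new TreeMap<>();
        for (Map.Entry<String, String> e : params.entrySet()) {
            if (!"oauth_signature".equals(e.getKey())) {
                sorted.put(encode(e.getKey()), encode(e.getValue()));
            }
        }
        StringBuilder joined = new StringBuilder();
        for (Map.Entry<String, String> e : sorted.entrySet()) {
            if (joined.length() > 0) joined.append('&');
            joined.append(e.getKey()).append('=').append(e.getValue());
        }
        return method.toUpperCase() + "&" + encode(url) + "&" + encode(joined.toString());
    }

    // The HMAC key is "consumerSecret&tokenSecret". For a request token the
    // token secret is empty, but the '&' separator is still part of the key.
    static String sign(String base, String consumerSecret, String tokenSecret) throws Exception {
        String key = encode(consumerSecret) + "&" + encode(tokenSecret);
        Mac mac = Mac.getInstance("HmacSHA1");
        mac.init(new SecretKeySpec(key.getBytes(StandardCharsets.UTF_8), "HmacSHA1"));
        byte[] digest = mac.doFinal(base.getBytes(StandardCharsets.UTF_8));
        return Base64.getEncoder().encodeToString(digest);
    }

    // Value for the Authorization request header: name="value" pairs, each
    // value percent-encoded and wrapped in double quotes.
    static String authorizationHeader(Map<String, String> oauthParams) throws Exception {
        StringBuilder header = new StringBuilder();
        for (Map.Entry<String, String> e : oauthParams.entrySet()) {
            header.append(header.length() == 0 ? "OAuth " : ", ")
                  .append(encode(e.getKey())).append("=\"").append(encode(e.getValue())).append('"');
        }
        return header.toString();
    }

    // Receiving side: recompute the signature from the received parameters
    // and compare it with the presented one in constant time.
    static boolean verify(String method, String url, Map<String, String> params,
                          String consumerSecret, String tokenSecret) throws Exception {
        String presented = params.get("oauth_signature");
        if (presented == null) return false;
        String expected = sign(baseString(method, url, params), consumerSecret, tokenSecret);
        return MessageDigest.isEqual(expected.getBytes(StandardCharsets.UTF_8),
                                     presented.getBytes(StandardCharsets.UTF_8));
    }

    public static void main(String[] args) throws Exception {
        String consumerSecret = "constructed-consumer-secret"; // constructed sample value
        String url = "http://twitter.com/oauth/request_token";  // URL from the thread

        // Generate the nonce once and reuse the same value in the signed
        // string and in the header. Parameters are inserted out of order on
        // purpose; baseString() sorts them.
        String nonce = new BigInteger(130, new SecureRandom()).toString(32);
        Map<String, String> p = new LinkedHashMap<>();
        p.put("oauth_version", "1.0");
        p.put("oauth_timestamp", Long.toString(System.currentTimeMillis() / 1000));
        p.put("oauth_nonce", nonce);
        p.put("oauth_signature_method", "HMAC-SHA1");
        p.put("oauth_consumer_key", "constructed-consumer-key"); // constructed sample value

        String base = baseString("GET", url, p);
        p.put("oauth_signature", sign(base, consumerSecret, ""));
        System.out.println("base string:   " + base);
        System.out.println("Authorization: " + authorizationHeader(p));
        System.out.println("verifies:      " + verify("GET", url, p, consumerSecret, ""));

        // A status containing a space: it is encoded to %20 inside the
        // parameter string, and the '%' is encoded again with the whole string.
        Map<String, String> update = new LinkedHashMap<>(p);
        update.put("status", "testing testing");
        // api.example.com is a placeholder URL, not a real endpoint.
        System.out.println(baseString("POST", "https://api.example.com/update", update));
    }
}
```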
Re: [twitter-dev] Re: Application Suspended
Is it even worse that Raffi has seen this thread and posted in it, and still not a peep? You would think that he would look into it and help out, or contact somebody that could look into it. It seems like they just have their head in the sand. Ryan On Tue, Feb 16, 2010 at 9:13 AM, Jim Fulford j...@fulford.me wrote: 5 Days now and application is still down and no response at all from Twitter on my Support Ticket. Beware of Oauth, Twitter can disable your site in a second with no notice. I have still not gotten any feedback, communication of any kind. The only nice thing about this process is that my users have been patient and understanding. Wish I could say the same about Twitter. See Below -- easyduzzit sent a message using the contact form at http://www.gotwitr.com/contact. When I look in my Twitter connections your service appears as follows: GoTwitr by Phazer Systems Suspended. I'd appreciate knowing if there is anything your customers can do to let Twitter know we appreciate your service.
Re: [twitter-dev] Re: Application Suspended
Sorry I am a little late to the thread and there are a lot of topics here so I'll do my best to cover them. 1. Email notices - we send out an email for warnings and for suspensions every time to the email on record for the account that is being suspended. If the email isn't up to date or isn't valid then you won't receive it, but otherwise an email goes out every time. So it would be good to make sure the email on record for each account is a valid one. 2. Dispute a warning or suspension - we've always said that emailing a...@twitter.com is the right path for disputing a warning or suspension. If you feel that you have emailed us at that address and haven't gotten a response, let me know, but the whole reason we use ticketing on that email endpoint is to make sure we follow up with each thread. 3. Publication of policies - we are working to make them clearer and easier to find. However, we disagree that posting explicit boundaries is a good idea. The policies are in place to help enforce the spirit of Twitter which cannot be broken down into explicit numbers. If you are having problems with living on the edges of the unpublished numbers, then you are likely doing something that is not within the spirit of the platform. 4. Hostile language - we have said over and over that we are open to constructive criticism. It forces us to be better and we strive to be better, however, we won't put up with hostile and inflammatory language on the list. We're all professionals here and we expect a certain level of professionalism from everyone on the list. Let me know if you have any questions. Best, Ryan On Tue, Feb 16, 2010 at 8:59 AM, Dewald Pretorius dpr...@gmail.com wrote: Nom nom nom, say the spammers. Add to that method a few proxies and/or IP addresses, or something as simple as giving your users a PHP proxy pass-thru script that they can upload to their servers, and there is no way that Twitter can even identify the offending app, let alone suspend/ban/blackhole it. 
On Feb 16, 12:28 pm, PJB pjbmancun...@gmail.com wrote: Presumably to do the OAuth vanity plate, you have to do what you described in your disgruntled developer post above. I.e., the user registers their own OAuth app and enters the corresponding values in your app, allowing you to masquerade as their app in tweets. Frankly, it seems to run counter to the purposes of OAuth. But the developer of one vanity plate app I found publishes email correspondence with Brian from Twitter, and says they have been personally vetted by Twitter, so I guess it is okay...
Re: [twitter-dev] Cannot view my OAuth client's details - over capacity messages
Mike, It's a known issue right now (sorry) but I don't know when a fix is going out for it. Best, Ryan On Tue, Feb 16, 2010 at 8:03 AM, Mike Champion mike.champ...@gmail.com wrote: Over the past several weeks, I have never been able to view the details of 1 of my OAuth clients, when I go to: http://twitter.com/oauth_clients/details/XX I can view the details of my other apps, but this one has *consistently* given Over Capacity messages. I went to twitter.com/help and didn't see any other issues filed, and even though I was logged in to ZenDesk, didn't see a way to open a support request. I'm posting here because I'm stumped at how to fix this, and it is for our company's main app so I'd really like to get this resolved. Has anyone seen this? Any clues on what I can do? Thanks, -mike
Re: [twitter-dev] Re: Application Suspended
Jim, It's part of the functionality of the tool, so it's not something that is prone to a human forgetting. Is the jim_fulford account the one that your OAuth tokens are associated with? Either way, a...@twitter.com is your best channel for follow up. Thanks, Ryan On Tue, Feb 16, 2010 at 2:06 PM, Jim Fulford j...@fulford.me wrote: Ryan, can you check and see if #1 below is really happening. My twitter account is jim_fulford. It has my main email on it, and has never been changed. I did not get a warning or a suspension notice of any kind. Thanks Jim Fulford On Feb 16, 1:46 pm, Ryan Sarver rsar...@twitter.com wrote: Sorry I am a little late to the thread and there are a lot of topics here so I'll do my best to cover them. 1. Email notices - we send out an email for warnings and for suspensions every time to the email on record for the account that is being suspended. If the email isn't up to date or isn't valid then you won't receive it, but otherwise an email goes out every time. So it would be good to make sure the email on record for each account is a valid one. 2. Dispute a warning or suspension - we've always said that emailing a...@twitter.com is the right path for disputing a warning or suspension. If you feel that you have emailed us at that address and haven't gotten a response, let me know, but the whole reason we use ticketing on that email endpoint is to make sure we follow up with each thread. 3. Publication of policies - we are working to make them clearer and easier to find. However, we disagree that posting explicit boundaries is a good idea. The policies are in place to help enforce the spirit of Twitter which cannot be broken down into explicit numbers. If you are having problems with living on the edges of the unpublished numbers, then you are likely doing something that is not within the spirit of the platform. 4. Hostile language - we have said over and over that we are open to constructive criticism. 
It forces us to be better and we strive to be better, however, we won't put up with hostile and inflammatory language on the list. We're all professionals here and we expect a certain level of professionalism from everyone on the list. Let me know if you have any questions. Best, Ryan On Tue, Feb 16, 2010 at 8:59 AM, Dewald Pretorius dpr...@gmail.com wrote: Nom nom nom, say the spammers. Add to that method a few proxies and/or IP addresses, or something as simple as giving your users a PHP proxy pass-thru script that they can upload to their servers, and there is no way that Twitter can even identify the offending app, let alone suspend/ban/blackhole it. On Feb 16, 12:28 pm, PJB pjbmancun...@gmail.com wrote: Presumably to do the OAuth vanity plate, you have to do what you described in your disgruntled developer post above. I.e., the user registers their own OAuth app and enters the corresponding values in your app, allowing you to masquerade as their app in tweets. Frankly, it seems to run counter to the purposes of OAuth. But the developer of one vanity plate app I found publishes email correspondence with Brian from Twitter, and says they have been personally vetted by Twitter, so I guess it is okay...
Re: [twitter-dev] Re: What's up with OAuth?
If I am not mistaken, the oauth_verifier is for the PIN. So if you are not a desktop app, then it's not required. Ryan Sent from my DROID On Feb 14, 2010 1:04 AM, jon jonhoff...@gmail.com wrote: It worked for a one time oauth conversion for about 3000 accounts (i ran a batch job across five processes and think it took an hour or so to finish)-- however, that was back in may. the script was also written pre oauth 1.0a, so there's no oauth_verifier. I'm not sure if that's required now. On Feb 13, 11:41 am, Dewald Pretorius dpr...@gmail.com wrote: Mmmm it looks as if you're sc...
Re: [twitter-dev] Re: Looking for someone to help with oauth
You can ask technical questions here. You had developers that gave up because of cookie handling? Uhhh... Ryan Sent from my DROID On Feb 13, 2010 10:44 AM, Merrows sa...@merrows.co.uk wrote: Thanks for all the interesting comments. Actually I have found it hard to locate the expertise. I have some code samples already, but I really need someone or at least a technical forum (similar to the kind of thing for Google Products which allows QA type of messages) for twitter. Is there anything like that for twitter or is this it? I have already hired a few developers for this task, and they implement Basic Auth, or they just give up as finding the code too hard (mainly handling the callbacks and cookie handling seems the hard part). If anyone is interested the actual application it is a new site called www.fullbe.com I am building which will allow users to comment on products via their twitter names. On Feb 11, 6:02 pm, alexro arodyg...@gmail.com wrote: Also check out LinqToTwitter, it includes... http://twittervb.codeplex.com
Re: [twitter-dev] Re: question regarding API FAQ: reclaim inactive username
Aral, I'm not sure where you get the idea that we don't care about developers and that humans aren't involved in the process. Raffi and the rest of the platform team actively respond to emails from developers at all hours of the day on both weekdays and weekends. As for the issue of handing over @usernames we need to have a rational and scalable approach to doing so. We can't just hand it out to one person because we like them more than another user. So if there is a dispute over a username we need to follow a standard procedure. We obviously love our developers and work really hard to support them in all the ways that we can, but there needs to be some process that works across the board. If you have a constructive suggestion on how that can be done other than just badgering the people trying to help you, then by all means work with us on it and we are totally open to coming up with a better solution. But to date, this is the best solution we have that scales to the number and complexity of the requests that we receive. I've always stated that we are open to criticism and feedback on how we can improve, but we ask that it be done constructively. Ryan On Thu, Feb 11, 2010 at 7:45 AM, Aral Balkan aralbal...@gmail.com wrote: Ah, so Twitter wants to see a *registered* trademark number? (As an aside: why do you hate your developers, Twitter?) :) The thing is, a trademark does not _have to be_ registered to be a trademark. Products get trademark protection automatically. I guess if I don't hear back, I'll have the IP law firm I use to write a letter first. Cheaper than getting a registered trademark. Of course, the best thing would be for a _human being_ at Twitter to say: hey developer dude, we love you, sure we can do that... don't mention it! :) (I just don't get this impersonal computer says NO attitude towards developers. Is this just the corporate culture at Twitter or are you guys severely short-staffed? 
Thinking Twitter really needs to invest in developer relations. Maybe get someone whose job it is to handle developer relations and champion the needs of developers within Twitter?) Aral On Thu, Feb 11, 2010 at 3:28 PM, anilchawla ani...@gmail.com wrote: Raffi, thank you for the response, but it is disappointing. I have to agree completely with Aral that these requests are not for personal use. Some of us have hundreds/thousands of users around the world who use our apps as a means to participate on Twitter, and it is ultimately those users who are affected. In my case, I have had several users mistakenly mention or try to follow this inactive spam account (http://twitter.com/tweetymail) thinking that it was associated with my service. In the meantime, I am doing the best I can to communicate with these users using another account. FYI, I did not have any success opening support tickets for brandsquatting/impersonation. Originally, I was told to wait until 1/31/10 for the username to remain inactive. When I complied and opened a new request on 2/1, I was immediately denied. It seems that brand-squatting/impersonation/brand-confusion are all irrelevant... Twitter wants to see a trademark number. I am a hobby developer who provides a free service completely out-of-pocket, and now I need to spend hundreds of dollars to register a trademark just to get access to a username that nobody ever used? I see that you have also replaced the text of the FAQ entry with the more generic policy regarding trademark infringement. This is too bad, but I guess it answers my original question -- the existing entry was no longer valid. I certainly understand that Twitter can't always transfer usernames to app developers who want them, but there are certainly cases in which a username (inactive/never tweeted/created for spam) could be put to better use. 
A blanket policy on trademark infringement may make sense for companies and large brands, but it does nothing at all to help the small-time hobby developers who contribute so much to the Twitter ecosystem. On Feb 10, 7:34 pm, Raffi Krikorian ra...@twitter.com wrote: hi all, please refer to http://apiwiki.twitter.com/FAQ#HowcanIreclaimaninactiveTwitteraccount. .. We are unable to transfer usernames for personal use at this time. If you believe a Twitter account may be squatting on your trademark and violating Twitter's Terms of Service, please file a ticket at http://help.twitter.com/requests/new regarding 'Trademark/Brand squatting'. On Wed, Feb 10, 2010 at 4:05 PM, Kyle Mulka repalvigla...@yahoo.com wrote: I also have this problem and have gotten no response whatsoever from Twitter. Here's the inactive account that I'd like to have: http://twitter.com/twilk -- Kyle Mulka Founder, Congo Labs http://twilk.com On Feb 10, 6:41 pm, Anil Chawla ani...@gmail.com wrote: Thanks, glad to know I'm not alone on this. I've looked at filing a trademark
Re: [twitter-dev] Re: question regarding API FAQ: reclaim inactive username
Aral, Thanks for the thorough follow up. First of all we definitely care and we try to show that as opposed to just saying it. The @username issue is a really sticky one for us for a number of reasons. With that being said, I'm going to meet with our team internally to review the process and see if we can come up with better answers to your questions and see if we can improve the process at all. We want to support our developers the best way we can so we're totally open to fixing the process if it's broken. Best, Ryan On Thu, Feb 11, 2010 at 1:38 PM, Aral Balkan aralbal...@gmail.com wrote: Hi Ryan, My greatest issue with all this is that you appear to have a form response. Currently, you're just not handling account transfers at all. And that's the same policy for general users (of which you have gazillions) and developers (of which you have an order of magnitude or two less). The account I am asking about has not tweeted since 2007. It is not a request asking you to favor one person over another. It is a request to favor a new Twitter application over an account that hasn't been used in three years. If a human being looked at it, the decision would be clear and would probably take 1/10th the time to execute than all these emails have taken. My suggestion: expire accounts that haven't been used in over 12 months and don't have to deal with it. If that's too harsh, at least handle *trademark* requests. My app's name _is_ a trademark even if it isn't a _registered_ trademark. Forcing me to register my trademark (can I register it in the UK, where I live, or do I have to get a US registered trademark?) just adds more financial responsibility on my shoulders. I put in a trademark request as per the link Raffi gave but I haven't heard anything back – not even an automated response saying you guys received the email. 
On the whole, I just feel unloved because I've put a lot of time and effort into an app that I feel will make Twitter a bit more fun and I don't feel that the request to have the Twitter account with my app's name – one that hasn't been used in three years – is an unrealistic request to make. Let's say my app is called Dodo. I'm just sad that I am going to launch with the Twitter account @dodo or even @dodoapp – because both are taken and unused - but that I'm going to launch with @dodo_app. That you guys don't see this is a problem makes me think that you don't care. All the best, Aral On Thu, Feb 11, 2010 at 8:24 PM, Ryan Sarver rsar...@twitter.com wrote: Aral, I'm not sure where you get the idea that we don't care about developers and that humans aren't involved in the process. Raffi and the rest of the platform team actively respond to emails from developers at all hours of the day on both weekdays and weekends. As for the issue of handing over @usernames we need to have a rational and scalable approach to doing so. We can't just hand it out to one person because we like them more than another user. So if there is a dispute over a username we need to follow a standard procedure. We obviously love our developers and work really hard to support them in all the ways that we can, but there needs to be some process that works across the board. If you have a constructive suggestion on how that can be done other than just badgering the people trying to help you, then by all means work with us on it and we are totally open to coming up with a better solution. But to date, this is the best solution we have that scales to the number and complexity of the requests that we receive. I've always stated that we are open to criticism and feedback on how we can improve, but we ask that it be done constructively. Ryan On Thu, Feb 11, 2010 at 7:45 AM, Aral Balkan aralbal...@gmail.com wrote: Ah, so Twitter wants to see a *registered* trademark number? 
(As an aside: why do you hate your developers, Twitter?) :) The thing is, a trademark does not _have to be_ registered to be a trademark. Products get trademark protection automatically. I guess if I don't hear back, I'll have the IP law firm I use to write a letter first. Cheaper than getting a registered trademark. Of course, the best thing would be for a _human being_ at Twitter to say: hey developer dude, we love you, sure we can do that... don't mention it! :) (I just don't get this impersonal computer says NO attitude towards developers. Is this just the corporate culture at Twitter or are you guys severely short-staffed? Thinking Twitter really needs to invest in developer relations. Maybe get someone whose job it is to handle developer relations and champion the needs of developers within Twitter?) Aral On Thu, Feb 11, 2010 at 3:28 PM, anilchawla ani...@gmail.com wrote: Raffi, thank you for the response, but it is disappointing. I have to agree completely with Aral that these requests are not for personal use. Some of us have hundreds/thousands of users
Re: [twitter-dev] Re: A proposal for delegation in OAuth identity verification
Thanks for sending this out. I did want to send a note about having developers share consumer keys and secrets with other applications. While we don't have an explicit policy yet to block this we STRONGLY advise not to hand out your tokens to other providers for a number of reasons. Most important of all is that if your tokens get compromised and abuse is associated with those tokens, we have to revoke access for the consumer. Obviously tokens can get compromised in a number of ways, but the more services you share them with the more likely they are to get compromised which could lead to revocation of your application. Raffi has proposed a way to do delegated identity using OAuth and we are open to finding other models, but we strongly advise not promoting applications to provide you with their tokens as there are always other ways of solving that same problem. Thanks, Ryan On Thu, Feb 11, 2010 at 12:37 PM, Sean Callahan seancalla...@gmail.com wrote: That is similar to what we are doing at TweetPhoto and it is working out fine. Feel free to check out what we are doing: http://groups.google.com/group/tweetphoto/web/oauth-signin Third-party apps share with us their app's consumer key and secret. We receive the same level of access to the third-party app using our photo sharing service. When two companies work together and are partners there needs to be a level of trust. Furthermore, developers can change their consumer secret at any time so there is no real issue with this method. There are a few integrations coming out soon with this method in place. Please let us know your thoughts and if you have any questions. 
Sean On Feb 11, 10:05 am, Brian Smith br...@briansmith.org wrote: Raffi Krikorian wrote: The term most frequently used for “delegator” is “relying party.” What you call the service provider is most frequently called the “identity provider.” What you call the consumer is usually called the “subject.” See OpenID, InfoCard, and other similar specifications for example usage of these terms. First, what I wrote about subject was misleading: the user--not the consumer--is the subject. i hear all this - it just gets a bit complicated with because we are conflating this with our oauth situation. This doesn't really have much to do with OAuth, because you are not trying to allow delegation of credentials--that is, you are not trying to allow the consumer app to let the relying party use the consumer app's OAuth access token to read/write the user's account. perhaps its time to move to an oauth + openID hybrid system. I don't know if OpenID really solves this problem well, especially for apps that aren't webapps. The subject doesn’t want the relying party to have access to the entire response from the account/verify_credentials request as if he had given the relying party read access to his account. I am not sure if account/verify_credentials returns sensitive information (information only available to apps that have been authorized by the user) yet, but I think it is likely in the future that it will do so. It would be prudent to have delegation use a different resource designed specifically for delegation. i think this is again a general case vs a twitter case. i think in the general case, the delegator would call some endpoint that would simply verify the identity through a HTTP code (2xx for success, 4xx for failure). twitter, as a special case, sends along the user object [as] part of it? account/verify_credentials discloses information that is private. 
For example, the HTTP header of account_verify_credentials discloses information about how frequently the user accesses twitter (the rate limit headers). If the user hasn't previously authorized (via OAuth) the delegator (relying party) to have read access to his account, then the delegator (relying party) shouldn't be able to get this information. Also, I think you should plan ahead for the case where account/verify_credentials returns even more sensitive information. If you were going to reuse an existing resource, I'd reuse users/show.format?user_id=username instead. But, AFAICT, it's much better to create a new resource for this purpose, and pretty easy to do so. I think the following would be a better protocol: Consumer to Relying Party: Give me RP-SIGNED-TOKEN, a nonce signed with your OAuth credentials for the relying party's identity verification service. Relying Party to Consumer: Here is the token RP-SIGNED-TOKEN. (This is done using whatever protocol the consumer and the relying party agree to use.) Consumer to Identity Provider: Here's RP-SIGNED-TOKEN. Give me IP-SIGNED-TOKEN, which is (RP-SIGNED-TOKEN, screen_name) signed with a signature that the relying party can verify is from the identity provider. Identity
Re: [twitter-dev] Re: What's up with OAuth?
He specifically states the possibility for mobile apps to use xAuth. Ryan Sent from my DROID On Feb 11, 2010 11:27 PM, kehers keh...@gmail.com wrote: Talking xAuth, hope mobile apps count as 'applications except web applications'
Re: [twitter-dev] Looking for someone to help with oauth
I have implemented OAuth into my own WPF application (written in C#). You can view my library at CodePlex. http://twiteclipseapi.codeplex.com/ Ryan On Wed, Feb 10, 2010 at 9:48 AM, Merrows sa...@merrows.co.uk wrote: I am seeking someone skilled in .NET 3.5, C# to help with implementing twitter oauth, and I would welcome any suggestions of how to find someone.
Re: [twitter-dev] Re: oAuth and more users?
The user doesn't actually create their OAuth tokens manually. The tokens are created automatically by Twitter and given to you through responses after the user has given your application permission to their account. Ryan On Wed, Feb 10, 2010 at 8:27 AM, _Bensn benjaminroh...@t-online.de wrote: And where get the users their own keys to use the application with their own twitter account? (e.g tweet deck) On 9 Feb., 18:29, John Meyer john.l.me...@gmail.com wrote: On 2/9/2010 10:03 AM, ryan alford wrote: So you are saying that the user of a third party application must register a completely new consumer key and consumer secret? Again, you have your terminology wrong. They get a completely new set of oAuth tokens. Same as the fact that every user of twitter has to register his or her own Twitter username/password So when TweetDeck goes to OAuth, every user will create their own consumer key and consumer secret, therefore, having 10s of thousands of TweetDeck applications registered? No. One TweetDeck application is registered. Those users have just authorized TweetDeck to access their application.
Re: [twitter-dev] Re: oAuth and more users?
Your users should not be required to get their own consumer key and consumer secret. Ryan Sent from my DROID On Feb 9, 2010 10:04 AM, _Bensn benjaminroh...@t-online.de wrote: Where can they create their own keys? here - https://twitter.com/apps/new ? On 8 Feb., 18:55, John Meyer john.l.me...@gmail.com wrote: On 2/8/2010 7:25 AM, _Bensn wrote: Hi there, is it possible to develop a twitter appl...
Re: [twitter-dev] Re: oAuth and more users?
Yes it does seem backwards. I made my statement because the link he gave was for application consumer keys, not the OAuth tokens. Ryan Sent from my DROID On Feb 9, 2010 11:27 AM, John Meyer john.l.me...@gmail.com wrote: On 2/9/2010 9:20 AM, ryan alford wrote: Your users should not be required to get their own consumer key and consumer secret. Ryan ... On Feb 9, 2010 10:04 AM, _Bensn benjaminroh...@t-online.de wrote: Where can they create their own keys? here - ht... They create their own (oAuth) keys for that app by authorizing it through twitter. And while we're on this point, whose idea was it to name the keys that the applications have _Consumer_ keys while the consumers have oAuth Tokens? Seems totally counter-intuitive to me.
Re: [twitter-dev] Re: oAuth and more users?
So you are saying that the user of a third party application must register a completely new consumer key and consumer secret? So when TweetDeck goes to OAuth, every user will create their own consumer key and consumer secret, therefore, having 10s of thousands of TweetDeck applications registered? I am talking about the user going to the site where you have to give it a name, tell twitter whether it's a desktop or web application, and fill in the other information? Is that what every user is going to have to do? Sent from my DROID On Feb 9, 2010 11:53 AM, John Meyer john.l.me...@gmail.com wrote: On 2/9/2010 8:09 AM, _Bensn wrote: @ John Meyer - thanks for editing my post with the url. Is ... Yeah. It might be construed as more effort than a basic authentication, but I don't believe it is that onerous. The big issue is the web interface and how it breaks the look of the application.
Re: [twitter-dev] OAuth Additions
Dewald, 1) good idea 2) also a good idea 3) tons :) On Tue, Feb 9, 2010 at 5:28 AM, Dewald Pretorius dpr...@gmail.com wrote: Two additions to OAuth that will be very helpful: 1) When a user removes the application from their connections, Twitter should make a callback to my system so that I can delete the account from my DB. 2) There should be a call my system can make to remove the app from the user's connections, typically in the case where the user deletes his account from my system. As an aside, how many times have you misspelled oauth as ouath in your code?
Re: [twitter-dev] Re: Seesmic Look and the Source parameter
Raffi, has walking pneumonia so we're giving him a few days slack time and we're afraid of what he would write while on meds :) On Tue, Feb 9, 2010 at 8:48 AM, Raffi Krikorian ra...@twitter.com wrote: in progress :P On Tue, Feb 9, 2010 at 12:18 AM, mynetx myne...@googlemail.com wrote: And where’s the announced post by Raffi? http://groups.google.com/group/twitter-development-talk/msg/56cd59f6d5a57db9 On Feb 8, 6:39 pm, Dewald Pretorius dpr...@gmail.com wrote: The info you're looking for is in this thread: http://groups.google.com/group/twitter-development-talk/browse_thread. .. On Feb 8, 2:45 am, mynetx myne...@googlemail.com wrote: How can Seesmic Look display its Source in the tweet metadata, when it asks for my user name and password? It would be interesting to know how Seesmic Look gets the Twitter API to return an OAuth Access Token and its secret from a user name / password API request input. Look is connecting to Twitter via the Dimebrain TweetSharp Library for C#, but as Seesmic's class is using obfuscated .NET IL code, I have not yet found out. Any insight appreciated. -- Raffi Krikorian Twitter Platform Team http://twitter.com/raffi
Re: [twitter-dev] Re: Mobile OAuth fix is LIVE
I'll talk with the team and figure out if it's better to roll it back or just limit it to the known, working user agents On Fri, Feb 5, 2010 at 3:42 PM, CharlesW cwilt...@gmail.com wrote: That's an amazingly great recommendation, Michael. -- Charles On Feb 5, 9:22 am, Michael Steuer mste...@gmail.com wrote: In fact, I'd recommend that you only show the new version for devices you have actually tested against... Mobile browser support is a crap shoot and you really can't assume that something that works on one device, works on another... You need to test each and every one of them (or at least each family of devices, e.g. Series 60 4th Gen, Series 60 5th Gen, iPhone OS, Motorola V3 series, etc.) I've been in mobile development for 15 years... Let me know if you need some pointers off list... Happy to assist. On 2/5/10 8:40 AM, CharlesW cwilt...@gmail.com wrote: Ryan, Thanks for both the attempted fix and the announcement. Unfortunately, where the previous version was kind of a crapshoot for mobile users because the buttons appeared black (see my screenshot in the bug report at http://code.google.com/p/twitter-api/issues/detail?id=395), this new version doesn't work at all on many mobile browsers. Because this breaks mobile Twitter support completely for many (most? all?) phones using older browsers, can you please revert to the previous version, and then stage a new version somewhere else that we can help you test? -- Charles On Feb 3, 3:16 pm, Ryan Sarver rsar...@twitter.com wrote: FINALLY! An update has just gone live that fixes rendering of the OAuth screens for most mobile devices. We also fixed a few small nagging things like the default action is now allow instead of deny if you just hit go on an iPhone. I've attached two screenshots so you can see the updated screens. Please test it out with your various mobile web apps and let us know if you run into any problems or edge cases. Ryan
Re: [twitter-dev] Re: 'Incorrect signature' on status update with OAuth when verify credentials works
Does it fail every time? I will test mine when I get to work in about an hour. Ryan Sent from my DROID On Feb 4, 2010 12:23 AM, Duane Roelands duane.roela...@gmail.com wrote: And please forgive my obnoxious tone; I'm tired and frustrated. :) On Feb 4, 12:05 am, Duane Roelands duane.roela...@gmail.com wrote: Ryan: If posting Hello ...
Re: [twitter-dev] .NET and oAuth update problems
I just did a test with this status... Testing my Twitter OAuth library with some special characters !?:*^%...@!~`=+-_ and it went through without any errors and posted the correct status. Ryan On Wed, Feb 3, 2010 at 8:02 PM, ryan alford ryanalford...@gmail.com wrote: I don't know which version (if there are multiple versions). I downloaded it in October I believe. Ryan Sent from my DROID On Feb 3, 2010 7:59 PM, Andrew Badera and...@badera.us wrote: From Shannon's original stuff, or something more recent? I'd worked with OAuthBase.cs in the past, but seemed to recall there were explicit exceptions in that ver of that stuff ... maybe a year ago now? --ab On Wed, Feb 3, 2010 at 7:57 PM, ryan alford ryanalford...@gmail.com wrote: I don't want to tak...
Re: [twitter-dev] Re: 'Incorrect signature' on status update with OAuth when verify credentials works
I just posted this status using my library with OAuth and it worked fine.. Testing my Twitter OAuth library with some special characters !?:*^%...@!~`=+-_ Ryan On Thu, Feb 4, 2010 at 6:19 AM, Bhavani Sankar Sikakolli b.san...@gmail.com wrote: Yes, it fails every time. I have checked to see that I am configuring everything the right way. On Thu, Feb 4, 2010 at 4:43 PM, ryan alford ryanalford...@gmail.com wrote: Does it fail every time? I will test mine when I get to work in about an hour. Ryan Sent from my DROID On Feb 4, 2010 12:23 AM, Duane Roelands duane.roela...@gmail.com wrote: And please forgive my obnoxious tone; I'm tired and frustrated. :) On Feb 4, 12:05 am, Duane Roelands duane.roela...@gmail.com wrote: Ryan: If posting Hello ...
Re: [twitter-dev] Re: Mobile OAuth fix is LIVE
We've had to roll back the mobile OAuth update as it was consuming an abnormally large amount of resources. We'll dig in and figure out what was going on. Almost there, rs On Thu, Feb 4, 2010 at 12:24 PM, Carlos carlosju...@gmail.com wrote: Buttons not clickable on Windows Mobile; tried on both a 6.1 6.5 device. On Feb 3, 6:16 pm, Ryan Sarver rsar...@twitter.com wrote: FINALLY! An update has just gone live that fixes rendering of the OAuth screens for most mobile devices. We also fixed a few small nagging things like the default action is now allow instead of deny if you just hit go on an iPhone. I've attached two screenshots so you can see the updated screens. Please test it out with your various mobile web apps and let us know if you run into any problems or edge cases. Ryan
Re: [twitter-dev] Re: Mobile OAuth fix is LIVE
Following up on my earlier email. I jumped the gun and the rollback never actually happened :) However, we are getting some reports of the buttons not functioning in a number of browsers and are working on a fix. Best, Ryan On Thu, Feb 4, 2010 at 3:27 PM, Ryan Sarver rsar...@twitter.com wrote: We've had to roll back the mobile OAuth update as it was consuming an abnormally large amount of resources. We'll dig in and figure out what was going on. Almost there, rs On Thu, Feb 4, 2010 at 12:24 PM, Carlos carlosju...@gmail.com wrote: Buttons not clickable on Windows Mobile; tried on both a 6.1 6.5 device. On Feb 3, 6:16 pm, Ryan Sarver rsar...@twitter.com wrote: FINALLY! An update has just gone live that fixes rendering of the OAuth screens for most mobile devices. We also fixed a few small nagging things like the default action is now allow instead of deny if you just hit go on an iPhone. I've attached two screenshots so you can see the updated screens. Please test it out with your various mobile web apps and let us know if you run into any problems or edge cases. Ryan
Re: [twitter-dev] .NET and oAuth update problems
I have it working and have had it working for months. My code is open-source and written in C#. http://twiteclipseapi.codeplex.com/ I haven't tried every special character, though I haven't run across a character that didn't work. Ryan Sent from my DROID On Feb 3, 2010 6:53 PM, Andrew Badera and...@badera.us wrote: Are you following the proper URL encoding? Basic .NET URLEncode doesn't meet OAuth's encoding spec. I forget what it is offhand, but they aren't 100% equivalent. ∞ Andy Badera ∞ +1 518-641-1280 Google Voice ∞ This email is: [ ] bloggable [x] ask first [ ] private ∞ Google me: http://www.google.com/search?q=andrew%20badera On Wed, Feb 3, 2010 at 6:50 PM, John Meyer john.l.me...@gmail.com wrote: has anybody on a .NE...
Re: [twitter-dev] .NET and oAuth update problems
I don't want to take credit for it as it is from Shannon Whitley's OAuth library. Ryan Sent from my DROID On Feb 3, 2010 7:53 PM, Andrew Badera and...@badera.us wrote: Interesting, for some reason I thought there were a few explicit exceptions that had to be made, but your solution looks pretty elegant. --ab On Wed, Feb 3, 2010 at 7:48 PM, ryan alford ryanalford...@gmail.com wrote: I have it working ...
Re: [twitter-dev] .NET and oAuth update problems
I don't know which version (if there are multiple versions). I downloaded it in October I believe. Ryan Sent from my DROID On Feb 3, 2010 7:59 PM, Andrew Badera and...@badera.us wrote: From Shannon's original stuff, or something more recent? I'd worked with OAuthBase.cs in the past, but seemed to recall there were explicit exceptions in that ver of that stuff ... maybe a year ago now? --ab On Wed, Feb 3, 2010 at 7:57 PM, ryan alford ryanalford...@gmail.com wrote: I don't want to tak...
Re: [twitter-dev] Bulk User Look Up - any progress?
Michael, It is definitely on our near-term roadmap, but we've gotten backed up on a few other things. So it is still coming, but I don't have an exact date for you. Social graph relief is nigh :) Best, Ryan On Wed, Feb 3, 2010 at 3:39 PM, Michael Steuer mste...@gmail.com wrote: Hi Raffi et al, Is there any word on when we might see a bulk user lookup API, as promised repeatedly in this group? For those of us using the social graph APIs, it’s incredibly painful to then have to fetch the full user object based on the ID one-by-one. Anyway, would just love to know if this is on the horizon or if we should all continue to dream about this... Thanks, Michael
Re: [twitter-dev] Mobile java client - happy with OAuth as it is
Another problem with this approach is that you are now required to have a server. So now a developer would have the added expense of paying for a server. Now if the developer already had a server, then it's a moot point, but not all developers have their own hosted servers. What happens when your server goes down, or your hosting provider has connectivity problems? Your app is now dead, even though Twitter is still functioning normally. Ryan On Tue, Feb 2, 2010 at 7:08 AM, Anton Krasovsky anton.krasov...@gmail.com wrote: With all that talk about OAuth, I thought I might share my experience using it in for a mobile (j2me) twitter client. I guess my approach is nothing new, and probably is not applicable to iPhone apps because of the appstore distribution process, but anyways. So the way I handle OAuth is as follows: All application downloads are handled by my own server. Before allowing user to download the app I initiate OAuth authorization with Twitter and then, save user tokens along with generated unique id for a user. Once authorized, user is permitted to download the application which is tagged with that unique user id I generated earlier. Once user starts the app, it uses its id to authenticate itself to my server. All communication between Twitter and user's application is handled/proxied by the server that performs all necessary oauth signing on behalf of the user. So, this way I have all benefits of using OAuth in a mobile app. The only drawback really, is that user must visit my web site at least once to perform authorization. Regards, Anton http://pavo.me
Re: [twitter-dev] Re: 'Incorrect signature' on status update with OAuth when verify credentials works
Remember that the status update is different from most of the other requests, because it adds the status parameter that is not in the other requests. This means that it needs to be part of the query string and also the signature. Leaving this out could cause an issue. Ryan Sent from my DROID On Feb 2, 2010 10:03 PM, ohauske ovonhau...@gmail.com wrote: Hi Ryan, I tried getting the home timeline and a couple of other methods and everything works, everything except the update status here's my request: http://twitter.com/statuses/update.xml?oauth_consumer_key=**oauth_nonce=d985f559241ea3ba0fc9d6ae842e87a3oauth_signature=hgWo0cdbttaQnUEEWkFU1USCjMc%3Doauth_signature_method=HMAC-SHA1oauth_timestamp=1265164536oauth_token=***oauth_version=1.0status=%5C%27hello%5C%27 I'm using this library http://code.google.com/p/oauth/ On Jan 29, 6:10 am, ryan alford ryanalford...@gmail.com wrote: Try getting the home timeline and... On Jan 28, 2010 11:14 PM, arian cabezas arian.cabe...@gmail.com wrote: Hi Ryan. I´m havi...
Re: [twitter-dev] Re: 'Incorrect signature' on status update with OAuth when verify credentials works
Try getting the home timeline and see if you get the incorrect signature message. Ryan Sent from my DROID On Jan 28, 2010 11:14 PM, arian cabezas arian.cabe...@gmail.com wrote: Hi Ryan. I'm having the same problem with the statuses/update using the php library provided by Twitter, named Twitter-async. As eco_bach said, I verified my signatures and I receive information back on verify credentials (and no 'incorrect signature' error). It's really rare what is happening, because sometimes it works and sometimes, when I do a "$connection->post('statuses/update', array('status' => $statusStr))", the mysterious message "incorrect signatures" appears as response. I don't know what to do, because I'm following all the stuff that is described in the Twitter-async API. It began to happen last Tuesday the 26th. My regards. Arian On 27 ene, 00:30, ryan alford ryanalford...@gmail.com wrote: It is still a POST, you just don't... On Jan 26, 2010 4:32 PM, eco_bach bac...@gmail.com wrote: Hi Ryan Changed to 'GET' and i...
Re: [twitter-dev] Re: Any iPhone Twitter apps with OAuth login ?
Good news. A mobile-friendly version of the OAuth page is due to be deployed next week (finally!:). We look forward to your feedback on the new screens when they are ready. Also, we currently block any custom protocol URLs from being registered as a callback to protect against XSS attacks. However, you can email a...@twitter.com to request a custom callback for iPhone apps and other mobile platforms that support it. Thanks for your endless patience on this pesky issue. Best, Ryan On Thu, Jan 21, 2010 at 2:18 PM, hunterjensen hunterjen...@gmail.com wrote: Yes please! We're submitting an iPhone app in a couple weeks and that page is the least user-friendly thing in our whole app. At this point we're considering going back to basic auth just until it gets a more mobile-friendly UI. Any chance you guys are working on this? Anything we can do to help? On Jan 20, 2:52 am, Jeff Enderwick jeff.enderw...@gmail.com wrote: and can we contrib/help? On Tue, Jan 19, 2010 at 11:07 AM, joepwro joep...@gmail.com wrote: We are also developing an iPhone app that uses Twitter's OAuth. Posting this just to add more momentum to the request that the Twitter OAuth login page should be made mobile friendly. I believe doing so would have a significant usability impact. Raffi, can you provide input is this thread if this is something Twitter is considering doing in the short term? Long term? Thanks, Joe On Jan 17, 3:12 am, jeff.enderw...@gmail.com jeff.enderw...@gmail.com wrote: Hi, we're releasing an app that has a twitter-based sharing component in a couple of weeks. Does Twitter have any interest in making a mobile friendly version of theoauthallow/deny/pin pages? Could one of us on the outside just gin it up and give it to Twitter? On Jan 12, 7:15 am, funkatron funkat...@gmail.com wrote: Just FWIW, this isn't really aniPhone-specific issue – there are a lot of rich mobile devices out there. One reason (excuse?) for not usingOAuthin Spaz on webOS is the poor functionality on mobile. 
I'm really reluctant to move to OAuth until the flow for mobile is improved. The data from heypic.me is just what I was afraid of. -- Ed Finkler http://funkatron.com Twitter: @funkatron AIM: funka7ron ICQ: 3922133 XMPP: funkat...@gmail.com On Dec 6 2009, 3:08 am, Ram group...@cascadesoft.net wrote: As a followup to the mobile OAuth discussions from October (see http://groups.google.com/group/twitter-development-talk/browse_thread...) Does anyone know of any (publicly released) iPhone or other mobile Twitter apps that use OAuth? I'm partly curious to know/confirm whether our app is the only iPhone (or mobile) app that uses Twitter OAuth login for posting tweets, but I also want to know what you think of the UI, if you've used Twitter OAuth login in any publicly released mobile app. Thanks Ram
Re: [twitter-dev] Re: 'Incorrect signature' on status update with OAuth when verify credentials works
I still don't see your status in the query string of the URL. I see it in string for the signature, but in your actual URL, it's not there. This is my entire URL when posting a status update: http://twitter.com/statuses/update.xml?oauth_consumer_key=**oauth_nonce=57a0d0d1-89e9-4f73-ac3d-f2f26bb2a56doauth_signature_method=HMAC-SHA1oauth_timestamp=1264530600oauth_token=36116361-8YRR4w9rRwz7HOc0nYTMmNWjCDrQdFYtnPwsiP7jmoauth_version=1.0status=really%20ready%20for%20the%20game%20tonightoauth_signature=EGq5udax8bM5yuoZhJC0cIbM8uA%3d notice how my status is a query string parameter also. I don't see that in yours. Ryan On Tue, Jan 26, 2010 at 12:50 PM, eco_bach bac...@gmail.com wrote: Ryan Still 'Incorrect signature' Here's my BASE signature query string BEFORE % encoding (NOTE all SORTED and asterisks for my consumer key!) oauth_consumer_key=oauth_nonce=16EAFA36-2A91-32A5-4A5C-6BB80EF9B45Boauth_signature_method=HMAC- SHA1oauth_timestamp=1264527609oauth_token=9353572- G8h52Icbe0cjWIMl59fepUofRxoHzHznhzEwo9oqIstatus=having some fun getting OAuth and the Twitter api working This is my final request URL, the %253D at the end of my signature looks suspect, doubly encoded? But pretty sure worked with verify credentials request.url==http://www.bitstream.ca/twitter/proxy.php?path=http%3A%2F %2Ftwitter.com%2Fstatuses%2Fupdate.json%3Foauth_consumer_key %3D%26oauth_nonce %3D16EAFA36-2A91-32A5-4A5C-6BB80EF9B45B%26oauth_signature_method %3DHMAC-SHA1%26oauth_timestamp%3D1264527609%26oauth_token%3D9353572- G8h52Icbe0cjWIMl59fepUofRxoHzHznhzEwo9oqI%26oauth_signature %3D5QuhEDae4gZHAxel8JVwLwkQ5J4%253D
Re: [twitter-dev] Re: 'Incorrect signature' on status update with OAuth when verify credentials works
Don't do the POST request data. You do that for Basic Auth, but not for OAuth. Ryan On Tue, Jan 26, 2010 at 1:44 PM, eco_bach bac...@gmail.com wrote: Ryan Since it's a POST its part of my request.data. Didn't think I also needed as part of my query string but will try. Do you know if there is an official Twitter Oauth test page like http://developer.netflix.com/resources/OAuthTest or Google's? http://oauth.googlecode.com/svn/code/javascript/example/signature.html Tried both and getting a different signature value, so my next question is If I receive information back on verify credentials (and no 'incorrect signature' error), am I safe to assume my signature generation is correct?
Re: [twitter-dev] Re: 'Incorrect signature' on status update with OAuth when verify credentials works
Yes, you could assume your signature creation is correct for most API calls. However, as you see with the update status API call, it has the extra parameter that is the status. Ryan On Tue, Jan 26, 2010 at 1:46 PM, ryan alford ryanalford...@gmail.com wrote: Don't do the POST request data. You do that for Basic Auth, but not for OAuth. Ryan On Tue, Jan 26, 2010 at 1:44 PM, eco_bach bac...@gmail.com wrote: Ryan Since it's a POST its part of my request.data. Didn't think I also needed as part of my query string but will try. Do you know if there is an official Twitter Oauth test page like http://developer.netflix.com/resources/OAuthTest or Google's? http://oauth.googlecode.com/svn/code/javascript/example/signature.html Tried both and getting a different signature value, so my next question is If I receive information back on verify credentials (and no 'incorrect signature' error), am I safe to assume my signature generation is correct?
Re: [twitter-dev] Re: 'Incorrect signature' on status update with OAuth when verify credentials works
The hash algorithm can produce both upper and lower case letters. Ryan On Tue, Jan 26, 2010 at 1:53 PM, eco_bach bac...@gmail.com wrote: Also noticed, minor thing, but your signature ends in '%253d' Mine in uppercase '%253D'
Re: [twitter-dev] Re: 'Incorrect signature' on status update with OAuth when verify credentials works
It is still a POST, you just don't write the post data to the request. That post data is now in the query string where Twitter is expecting it. Ryan Sent from my DROID On Jan 26, 2010 4:32 PM, eco_bach bac...@gmail.com wrote: Hi Ryan Changed to 'GET' and it seems I still get the Incorrect signature. error And the second time I try to update status, I also get 'This method requires a POST.' error.
Re: [twitter-dev] Re: getting more information than 'Could not authenticate...'
Are you putting the status parameter in the query string? If not, you should be, or at least, that's what I had to do to get it to work. Ryan On Mon, Jan 25, 2010 at 8:22 AM, eco_bach bac...@gmail.com wrote: Hi Michael Good point. Actionscript 3. Choices are Twitterscript and Tweetr. As far as I know, Twitterscript has no example using OAuth. And Tweetr has no example of working with browser based web authentication WITHOUT also requiring the PIN handshake. If you think I am wrong in NOT choosing either of the above, would appreciate your rationale. After some research, decided to use as a base what Sonke Rohde has done http://soenkerohde.com/2010/01/twitter-as3-oauth-lib-with-flex-4-example/ Sonke's example is Flex4 and for an AIR application, so I've modified it quite a bit to work for an Actionscript only web application. Sonke in turn is using code this open source project to create requests, generate signatures http://code.google.com/p/oauth-as3/ The fact that I've gotten OAuth to work up to the point of verify credentials working would seem to indicate that I am at least on the right path. And I've learned a heck of a lot as well;) Perhaps what I'm trying to do isn't possible (ie creating browser based web OAuth authentication WITHOUT also requiring the PIN handshake) but I'm determined to find out if this is the case.
Re: [twitter-dev] Not able to read unicode from Twitter Response XML in C#.net
Can you paste an example of the bad characters as .Net shows them, and what they should really be? Ryan On Mon, Jan 25, 2010 at 5:36 AM, Rejeev rejeevtho...@gmail.com wrote: Hi all, My Twitter response XML contains some unicode characters , I am not able to read that in C#.net. Its showing junk characters. Please help me to read that in proper text. Thanks, Rejeev
Re: [twitter-dev] Re: Can new twitter account be created from API?
If Twitter allowed the API to create new accounts, what's to say that somebody won't create a script to create millions of new accounts? Ryan On Mon, Jan 25, 2010 at 11:22 AM, Cameron Kaiser spec...@floodgap.com wrote: Or is the reason this is not implemented anywhere is because this sort of thing is not allowed by Twitter? Correct. -- personal: http://www.cameronkaiser.com/ -- Cameron Kaiser * Floodgap Systems * www.floodgap.com * ckai...@floodgap.com -- When life gives you lemons, make it into a blog and get comments. -- Locke -
Re: [twitter-dev] 'Incorrect signature' on status update with OAuth when verify credentials works
I am just wondering why you can't keep all of your questions in the same thread? If somebody was having the same issues as you, they would have to look through 10+ of your threads. To try to answer the question, are you including the status parameter as part of the query string, which in turn, will be part of the signature? Ryan On Mon, Jan 25, 2010 at 10:17 PM, eco_bach bac...@gmail.com wrote: Almost there... Already googled this error and changed my request from http to https. Still getting same error... Any suggestions?
[twitter-dev] Chirp: Twitter Developer Conference
Just wanted to give everyone a heads up now that we have officially announced the dates for Chirp and made the first 200 tickets available for purchase at http://chirp.twitter.com. Chirp will be a two day event being held on April 14th and 15th and over 800 tickets will be available in total. You can follow @chirp (http://twitter.com/chirp) for announcements. Chirp is a developer-focused event and we want to make sure the room is filled with all the right people. In fact, you'll notice that you even need to use the API to be able to purchase a ticket :) We as a company are really excited about the event and investing a lot in making this something really special. We hope to have lots of you there to celebrate the accomplishments of the ecosystem and share the roadmap of the platform. The schedule is still in development and we'll be adding more detail to the Chirp site as things come together. You can expect to hear from people at Twitter, top developers, investors and users from across the ecosystem. We are interested to hear what you would like to see content-wise, so please send us any ideas/wants you have and help us shape the conference. Also, in an effort to give cash-strapped developers access to the conference, we have a pool of Scholarship Tickets. These tickets are an opportunity for individuals or companies with the means to anonymously purchase a ticket for a budding developer without the same means to attend. If you are in a position to help another developer, please consider doing so by generously giving back to the ecosystem. If you are a developer that would like to apply for a Scholarship Ticket we'll be following up with details on how to do so soon. We look forward to your thoughts and ideas on what kind of content you think would make the conference a success. If you have feedback or are looking for things like press passes, please email ch...@twitter.com. We look forward to meeting you in person. Best, Ryan
Re: [twitter-dev] Re: sqllite command for writing to local DB
Searching Google for writing data to sqlite java would help you out. Sent from my DROID On Jan 24, 2010 7:41 PM, Kidd jva...@gmail.com wrote: Bump!!? On Jan 17, 3:38 pm, Kidd jva...@gmail.com wrote: Hello all, I'm trying to capture data from...
Re: [twitter-dev] Re: sqllite command for writing to local DB
Not java though. Thought this was the Android email list Sent from my DROID On Jan 24, 2010 7:41 PM, Kidd jva...@gmail.com wrote: Bump!!? On Jan 17, 3:38 pm, Kidd jva...@gmail.com wrote: Hello all, I'm trying to capture data from...
Re: [twitter-dev] Rate limits
If I am not mistaken, the reset time in seconds is the number of seconds from 1/1/1970. Ryan Sent from my DROID On Jan 24, 2010 8:42 PM, EastSideDev eastside...@gmail.com wrote: When I get the rate_limit_status.xml, this is what I get: Array ( [hash] = Array ( [hourly-limit] = Array ( [content] = 2 [attributes] = Array ( [type] = integer ) ) [reset-time-in-seconds] = Array ( [content] = 1264386634 [attributes] = Array ( [type] = integer ) ) [reset-time] = Array ( [content] = 2010-01-25T02:30:34+00:00 [attributes] = Array ( [type] = datetime ) ) [remaining-hits] = Array ( [content] = 2 [attributes] = Array ( [type] = integer ) ) ) ) The value for [reset-time-in-seconds] cannot be right. The reset time seems right, but I would rather work with an integer value. What am I doing wrong? Is this a Twitter API bug?
Re: [twitter-dev] Better understanding of 'signature'
That is one of your problems. The signature needs to be created for each request. Here is how I do it in C#. I know it's not the language you are using, but hopefully it will help on how to create the signature. Then you can use similar libraries in Flash (if there are similar libraries) to make your signature. http://codepaste.net/mhqqg3 Ryan On Fri, Jan 22, 2010 at 2:11 PM, eco_bach bac...@gmail.com wrote: Hi My OAuth sign In process is failing to verify my signature, so I thought I should at least ensure I understand the meaning of the term. Every time my web application launches, it generates a unique signature, which doesn't change for the current session. ie, if I quit the application, then restart, a new signature is generated. This signature should be appended to the end of my initial request token request my access token request my verify credentials request and my status update requests. Am I correct in the above?
[twitter-dev] RETWEETS in Search API -- FROM filtering is not working
Hello, As @Sarah Richards reported earlier, we are being impacted across many of our web properties by a change in behavior in the Search API. Previously use of the FROM filter in the search API would only pull tweets that came directly from the user specified. Now the same search parameters result in both tweets from the user specified as well as retweets of the user from other accounts. Any updates on why this is happening? Ex: http://search.twitter.com/search?from=yelyahwilliams
[twitter-dev] Re: Retweets now showing
We are seeing the same behavior. Anyone know what's going on? On Jan 22, 4:48 am, Sarah Richards sarah.richard...@googlemail.com wrote: Hi, Today I've noticed that the search query I use: http://search.twitter.com/search.json?q=from%3Aschoolsforhope+OR+from... Is now also returning Re-tweets of posts, which we'd prefer not to show. Is this a change to the search? We've not noticed these appearing before. Thanks.
Re: [twitter-dev] Confused about OAuth 1.0 vs 1.0a and Twitter API docs
If you look at the very top of the 1.0 spec, you will see a yellow box... This specification was obsoleted by OAuth Core 1.0 Revision A (http://oauth.net/core/1.0a) on June 24th, 2009 to address a session fixation attack (http://oauth.net/advisories/2009-1/). The OAuth Core 1.0 Revision A specification is being obsoleted by the proposed IETF draft draft-hammer-oauth (http://tools.ietf.org/html/draft-hammer-oauth). The draft is currently pending IESG approval before publication as an RFC. *Implementers should use draft-hammer-oauth (http://tools.ietf.org/html/draft-hammer-oauth) instead of this specification*. Here is the link to the 1.0a spec. http://oauth.net/core/1.0a/ Ryan On Fri, Jan 22, 2010 at 10:29 AM, Marc Hedlund marcprecip...@gmail.com wrote: I'm confused about the OAuth docs linked to from http://apiwiki.twitter.com/ -- especially these: http://apiwiki.twitter.com/Twitter-REST-API-Method%3A-oauth-request_token http://apiwiki.twitter.com/Twitter-REST-API-Method%3A-oauth-access_token Both of these link to the OAuth 1.0 spec for a list of required parameters. Shouldn't they link to the 1.0a spec instead? I came to the docs remembering the news story from last April about OAuth and session fixation vulnerabilities: http://oauth.net/advisories/2009-1/ http://hueniverse.com/2009/04/explaining-the-oauth-session-fixation-attack/ http://www.readwriteweb.com/archives/how_the_oauth_security_battle_was_won_open_web_sty.php And how it affected Twitter: http://blog.twitter.com/2009/04/whats-deal-with-oauth.html http://news.cnet.com/8301-13577_3-10225103-36.html But if you look at the API docs today, it's like none of this happened. I can't find 1.0a documented anywhere, and all but one of the code examples the docs link to continue to use the 1.0 token flow (only http://github.com/moomerman/twitter_oauth appears to get it right of the ones I checked -- http://github.com/henriklied/django-twitter-oauth and http://github.com/tav/tweetapp don't, for instance). 
http://apiwiki.twitter.com/OAuth+Example+-+Ruby isn't publicly visible. Session fixation isn't mentioned on the Security Best Practices page (http://apiwiki.twitter.com/Security-Best-Practices). 1.0 vs 1.0a isn't in the OAuth FAQ (http://apiwiki.twitter.com/OAuth-FAQ) or the main FAQ. (I do see http://groups.google.com/group/twitter-development-talk/browse_thread/thread/472500cfe9e7cdb9 and of course all the discussion of OAuth and the PIN problems for mobile apps.) Shouldn't the documentation point people towards the current spec, and show examples that implement it? Or is there some reason people are being pointed to 1.0? I'm asking because Tornado (http://www.tornadoweb.org/) provides a Twitter OAuth mixin in its auth module (http://github.com/facebook/tornado/blob/master/tornado/auth.py) which uses the 1.0 token flow (as do all of the OAuth mixins in Tornado). Google OAuth implements 1.0a, and shows the user a security warning if the 1.0 flow is used, but Tornado makes this hard to implement using their auth module. I'm working on a patch to send them and want to know whether the Twitter OAuth mixin should be upgraded for 1.0a or if there's some reason it shouldn't. Thanks. (I'll stay on this list long enough to hear the discussion but will probably bail out after that, since it's a high-volume list and my interest is just in making the patch right.) -Marc
Re: [twitter-dev] Confused about OAuth 1.0 vs 1.0a and Twitter API docs
Most likely, Twitter has other things to do and updating the API documentation isn't very high on the list. Ryan On Fri, Jan 22, 2010 at 4:40 PM, Marc Hedlund marcprecip...@gmail.com wrote: Yup, I know, that's what I'm asking. Why not link to and tell people to use 1.0a (or the IETF draft) rather than 1.0? For the record I checked all the other code examples and none of them support oauth_verifier (some do send oauth_callback with the first request), unless I'm missing something. http://github.com/moomerman/twitter_oauth is the only one that's up to date. -M On Jan 22, 2010, at 1:18 PM, ryan alford wrote: If you look at the very top of the 1.0 spec, you will see a yellow box... This specification was obsoleted by OAuth Core 1.0 Revision A on June 24th, 2009 to address a session fixation attack. The OAuth Core 1.0 Revision A specification is being obsoleted by the proposed IETF draft draft-hammer-oauth. The draft is currently pending IESG approval before publication as an RFC. Implementers should use draft-hammer-oauth instead of this specification. Here is the link to the 1.0a spec. http://oauth.net/core/1.0a/ Ryan On Fri, Jan 22, 2010 at 10:29 AM, Marc Hedlund marcprecip...@gmail.com wrote: I'm confused about the OAuth docs linked to from http://apiwiki.twitter.com/ -- especially these: http://apiwiki.twitter.com/Twitter-REST-API-Method%3A-oauth-request_token http://apiwiki.twitter.com/Twitter-REST-API-Method%3A-oauth-access_token Both of these link to the OAuth 1.0 spec for a list of required parameters. Shouldn't they link to the 1.0a spec instead? 
I came to the docs remembering the news story from last April about OAuth and session fixation vulnerabilities: http://oauth.net/advisories/2009-1/ http://hueniverse.com/2009/04/explaining-the-oauth-session-fixation-attack/ http://www.readwriteweb.com/archives/how_the_oauth_security_battle_was_won_open_web_sty.php And how it affected Twitter: http://blog.twitter.com/2009/04/whats-deal-with-oauth.html http://news.cnet.com/8301-13577_3-10225103-36.html But if you look at the API docs today, it's like none of this happened. I can't find 1.0a documented anywhere, and all but one of the code examples the docs link to continue to use the 1.0 token flow (only http://github.com/moomerman/twitter_oauth appears to get it right of the ones I checked -- http://github.com/henriklied/django-twitter-oauth and http://github.com/tav/tweetapp don't, for instance). http://apiwiki.twitter.com/OAuth+Example+-+Ruby isn't publicly visible. Session fixation isn't mentioned on the Security Best Practices page (http://apiwiki.twitter.com/Security-Best-Practices). 1.0 vs 1.0a isn't in the OAuth FAQ (http://apiwiki.twitter.com/OAuth-FAQ) or the main FAQ. (I do see http://groups.google.com/group/twitter-development-talk/browse_thread/thread/472500cfe9e7cdb9 and of course all the discussion of OAuth and the PIN problems for mobile apps.) Shouldn't the documentation point people towards the current spec, and show examples that implement it? Or is there some reason people are being pointed to 1.0? I'm asking because Tornado (http://www.tornadoweb.org/) provides a Twitter OAuth mixin in its auth module (http://github.com/facebook/tornado/blob/master/tornado/auth.py) which uses the 1.0 token flow (as do all of the OAuth mixins in Tornado). Google OAuth implements 1.0a, and shows the user a security warning if the 1.0 flow is used, but Tornado makes this hard to implement using their auth module. 
I'm working on a patch to send them and want to know whether the Twitter OAuth mixin should be upgraded for 1.0a or if there's some reason it shouldn't. Thanks. (I'll stay on this list long enough to hear the discussion but will probably bail out after that, since it's a high-volume list and my interest is just in making the patch right.) -Marc
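The two fields this thread names as the mark of a 1.0a-capable client, oauth_callback on the request_token call and oauth_verifier on the way back, checked on the consumer side. This is an added example, not code from Tornado or any library mentioned above; the function names, the dict used as a session and all token values are constructed, and tying the pending token to the browser session is this example's own design choice.

```python
"""Consumer-side checks that OAuth 1.0a adds to the token flow (added example)."""
import hmac
from urllib.parse import parse_qs


class FlowRejected(Exception):
    """Raised when a step does not satisfy the 1.0a flow."""


def first(fields: dict, name: str) -> str:
    """First value of a parsed form field, or '' when absent or blank."""
    return fields.get(name, [""])[0]


def start_authorization(session: dict, request_token_body: str) -> str:
    """Handle the request_token response; the request itself carried oauth_callback.

    Returns the request token to send the user to the authorize page with.
    """
    fields = parse_qs(request_token_body)
    # A 1.0a provider answers with oauth_callback_confirmed=true. Without it
    # the provider ignored the signed callback and is running the 1.0 flow.
    if first(fields, "oauth_callback_confirmed") != "true":
        raise FlowRejected("callback not confirmed: provider is using the 1.0 flow")
    token = first(fields, "oauth_token")
    secret = first(fields, "oauth_token_secret")
    if not token or not secret:
        raise FlowRejected("request token response is incomplete")
    # Remember which browser session started this authorization.
    session["pending"] = {"token": token, "secret": secret}
    return token


def finish_authorization(session: dict, callback_query: str) -> dict:
    """Validate the redirect back; return what the access_token request needs."""
    pending = session.pop("pending", None)  # a pending token is single use
    if pending is None:
        raise FlowRejected("no authorization was started in this session")
    fields = parse_qs(callback_query)
    token = first(fields, "oauth_token")
    verifier = first(fields, "oauth_verifier")
    if not hmac.compare_digest(token.encode(), pending["token"].encode()):
        raise FlowRejected("callback token does not belong to this session")
    if not verifier:
        raise FlowRejected("oauth_verifier missing: this is the 1.0 redirect")
    return {
        "oauth_token": token,
        "oauth_verifier": verifier,          # sent, signed, to access_token
        "token_secret": pending["secret"],   # second half of the signing key
    }


if __name__ == "__main__":
    session = {}
    # Constructed provider response and callback query string.
    start_authorization(
        session,
        "oauth_token=rt-constructed&oauth_token_secret=rs-constructed"
        "&oauth_callback_confirmed=true",
    )
    print(finish_authorization(session, "oauth_token=rt-constructed&oauth_verifier=v-constructed"))
```
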
Re: [twitter-dev] Re: Not getting correct access token when using OAuth for sign in
The plus sign (+) in your signature should be encoded. You should URL encode the signature just as you do the other parameters. Ryan On Thu, Jan 21, 2010 at 2:25 PM, eco_bach bac...@gmail.com wrote: Hmm still not working, signature at the end. I believe I get an Httpstatus of '0' immediately after calling twitter.com/oauth/access_token Also, pretty sure that my oauth_token received is different than my original request token, AND I do get the correct screen name returned, which led me to believe that it was the correct 'access token'. http://twitter.com/oauth/access_token?oauth_consumer_key=QGs6W7DlEx9Q3Ay4DzI0Wgoauth_nonce=E65BD866-C285-C8CE-7BA3-524FB8D8D0C0oauth_signature_method=HMAC-SHA1oauth_timestamp=1264101341oauth_token=OcVawxazvOQWYrDSonFdFRjskqaOOriClf6ULsPMoauth_signature=7kpl8+MxM6BtOZecDc1Y65qo0zo=
Re: [twitter-dev] temporarily overloaded 503 Service Unavailable
I don't think the user cares why Twitter is overloaded, so simply telling them that it's overloaded should be enough. Ryan Sent from my DROID On Jan 20, 2010 7:13 AM, eco_bach bac...@gmail.com wrote: Noticing quite a few ' temporarily overloaded 503 Service Unavailable messages when trying to log in lately. I assume Twitter is aware of and trying to correct this, but in the meantime, when building applications, are there any guidelines or best practices to follow when your application is presented with a 503 status? Simply tell the user 'the service is unavailable, please try again later'? Or perhaps a more detailed message, explaining why the service is unavailable?
Re: [twitter-dev] Beginner question : How to get the user ID after authorize OAuth step?
The screen_name is returned in the querystring along with the oauth_token and the oauth_token_secret values. Ryan On Wed, Jan 20, 2010 at 6:26 AM, Pitt pierre.mar...@gmail.com wrote: Hi, I'm trying to implement a browser app and I'm just blocking at the first step... After the user granted the access to his data (OAuth authorize step), I want to get the user's profile (users/show) but I don't know how to recover the user's id or screen_name... Sorry if I missed something in the API documentation but I really searched... ...And thank you in advance! :) Pitt
Re: [twitter-dev] Obtaining access token WITHOUT using a PIN
You DO NOT need the PIN for a browser app. It is ONLY REQUIRED for desktop apps. 1. oauth_consumer_key = Consumer key given to you by Twitter 2. oauth_token = The token 3. oauth_signature_method = HMAC-SHA1 4. oauth_signature = computed HMAC-SHA1 hash value of the other parameters 5. oauth_timestamp = the number of seconds since Jan 1 1970 6. oauth_nonce = a unique value. I would suggest using a GUID. For the signature, here is an example of what needs to be hashed: this is a GET request to rate_limit_status GEThttp%3A%2F%2Ftwitter.com%2Faccount%2Frate_limit_status.xmloauth_consumer_key%3DYourConsumerKey%26oauth_nonce%3D0f419e62-8680-468f-a647-0532706af529%26oauth_signature_method%3DHMAC-SHA1%26oauth_timestamp%3D126354%26oauth_token%3D36116361-8YRR4w9rRwz7HOc0nYTMmNWjCDrQdFYtnPwsiP7jm%26oauth_version%3D1.0 You would take this value and hash it. The KEY to the hash would be yourConsumerSecrettokenSecret, and tokenSecret is allowed to be blank for the cases where you don't have the secret. Even though the documentation says the oauth_version is optional, I include it anyway. Ryan On Wed, Jan 20, 2010 at 9:59 AM, eco_bach bac...@gmail.com wrote: Hi According to the official OAuth spec, in order to obtain an access token, the consumer request MUST contain the following parameters 1 oauth_consumer_key:The Consumer Key. 2 oauth_token:The Request Token obtained previously. 3 oauth_signature_method: The signature method the Consumer used to sign the request. 4 oauth_signature: The signature as defined in Signing Requests (Signing Requests). 5 oauth_timestamp: As defined in Nonce and Timestamp (Nonce and Timestamp). 6 oauth_nonce: As defined in Nonce and Timestamp (Nonce and Timestamp). I'm developing a web application in Flash and hence, NOT using the extra pin handshake. (at least I've been told it wasn't necessary, my Application Type is defined as 'Browser'). So far, I've been unsuccessful, 'verified'= false in my access token request handler. 
Can someone confirm for me that I in fact don't need the PIN, and if so, do I need to explicitly define all six parameters above in my request? Thanks for any feedback!
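The signing steps discussed in the messages above (sort every parameter except the signature, sign `status` too, key the hash with both secrets, percent-encode the final signature once), written out as an added example that is not code from any poster or from Twitter. It restores the `&` separators that the strings quoted in these messages do not show. The first data set is the known-answer vector from OAuth Core 1.0 Appendix A; the status-update credentials are constructed placeholders.

```python
"""OAuth 1.0 HMAC-SHA1 request signing (added example; credentials are constructed)."""
import base64
import hashlib
import hmac
from urllib.parse import quote


def pct(value: str) -> str:
    """Percent-encode the OAuth way: only A-Z a-z 0-9 - . _ ~ stay literal.

    Spaces become %20 (never '+'), and '+', '/', '=' are always escaped.
    """
    return quote(value, safe="-._~")


def signature_base_string(method: str, base_url: str, params: dict) -> str:
    """METHOD & encoded-URL & encoded-sorted-parameters.

    base_url is the request URL without its query string. Every request
    parameter is signed (query string or form body, so `status` too);
    only oauth_signature itself is left out.
    """
    pairs = sorted((pct(k), pct(v)) for k, v in params.items()
                   if k != "oauth_signature")
    normalized = "&".join(f"{k}={v}" for k, v in pairs)
    return "&".join([method.upper(), pct(base_url), pct(normalized)])


def sign(method, base_url, params, consumer_secret, token_secret=""):
    """Base64 HMAC-SHA1 over the base string, computed fresh for each request."""
    # Key is consumerSecret&tokenSecret; the '&' stays even when the token
    # secret is empty (the request_token step).
    key = f"{pct(consumer_secret)}&{pct(token_secret)}".encode()
    text = signature_base_string(method, base_url, params).encode()
    return base64.b64encode(hmac.new(key, text, hashlib.sha1).digest()).decode()


def signed_query(method, base_url, params, consumer_secret, token_secret=""):
    """Sorted parameters with oauth_signature appended, encoded exactly once."""
    sig = sign(method, base_url, params, consumer_secret, token_secret)
    pairs = sorted((pct(k), pct(v)) for k, v in params.items())
    pairs.append(("oauth_signature", pct(sig)))
    return "&".join(f"{k}={v}" for k, v in pairs)


def verify(method, base_url, received, consumer_secret, token_secret=""):
    """Provider-side check: recompute from what arrived, compare in constant time."""
    expected = sign(method, base_url, received, consumer_secret, token_secret)
    got = received.get("oauth_signature", "")
    return hmac.compare_digest(got.encode(), expected.encode())


# Known-answer vector from OAuth Core 1.0, Appendix A.
SPEC_URL = "http://photos.example.net/photos"
SPEC_PARAMS = {
    "oauth_consumer_key": "dpf43f3p2l4k3l03",
    "oauth_token": "nnch734d00sl2jdk",
    "oauth_signature_method": "HMAC-SHA1",
    "oauth_timestamp": "1191242096",
    "oauth_nonce": "kllo9940pd9333jh",
    "oauth_version": "1.0",
    "file": "vacation.jpg",
    "size": "original",
}
SPEC_SIGNATURE = "tR3+Ty81lMeYAr/Fid0kMTYa/WM="

# Constructed status update; every credential below is a placeholder.
UPDATE_URL = "http://twitter.com/statuses/update.xml"
CONSUMER_SECRET = "EXAMPLE_CONSUMER_SECRET"
TOKEN_SECRET = "EXAMPLE_TOKEN_SECRET"
STATUS = "really ready for the game tonight"
OAUTH_PARAMS = {
    "oauth_consumer_key": "EXAMPLE_CONSUMER_KEY",
    "oauth_nonce": "constructed-nonce-0001",
    "oauth_signature_method": "HMAC-SHA1",
    "oauth_timestamp": "1264530600",
    "oauth_token": "EXAMPLE_ACCESS_TOKEN",
    "oauth_version": "1.0",
}

if __name__ == "__main__":
    assert sign("GET", SPEC_URL, SPEC_PARAMS,
                "kd94hf93k423kf44", "pfkkdhi9sl3r4s00") == SPEC_SIGNATURE
    with_status = dict(OAUTH_PARAMS, status=STATUS)
    print(signature_base_string("POST", UPDATE_URL, with_status))
    print(signed_query("POST", UPDATE_URL, with_status, CONSUMER_SECRET, TOKEN_SECRET))
    # Signature computed without `status`, request sent with it: rejected.
    stale = sign("POST", UPDATE_URL, OAUTH_PARAMS, CONSUMER_SECRET, TOKEN_SECRET)
    sent = dict(with_status, oauth_signature=stale)
    print("accepted:", verify("POST", UPDATE_URL, sent, CONSUMER_SECRET, TOKEN_SECRET))
```

Inside the base string the status value appears as `really%2520ready...` because the already-encoded parameter list is encoded a second time there; in the request itself each value, the signature included, is encoded once.
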
Re: [twitter-dev] please help - sporadic '403 Forbidden:' error message when using OAuth Sign-In process
Isn't this the same problem that you posted about yesterday? http://groups.google.com/group/twitter-development-talk/browse_thread/thread/90cb64e3706e1337# Why create a new post? Ryan On Wed, Jan 20, 2010 at 10:29 AM, eco_bach bac...@gmail.com wrote: Building an actionscript Twitter client and using OAuth for the sign in process. Having an extremely frustrating issue with a sporadic error message. '403 Forbidden: The server understood the request, but is refusing to fulfill it.' I'm using, of necessity, a php proxy to get to the Twitter oauth authenticate page at twitter.com/oauth/authenticate/ I get here no problem so I'm assuming there's nothing wrong with my proxy script. However, immediately AFTER clicking 'Sign In' I sometimes get the error message. Also, when I am getting the message, I can even leave the username and password fields blank and click 'Sign In'. I still get the error message, instead of a correct message indicating that the username-password fields are missing. Because this error only seems to happen sporadically, without me having changed anything in my code, it makes it difficult to troubleshoot properly. Anyone else experience this?
Re: [twitter-dev] Need Help on posting Message
You need to add this messageRequest.ServicePoint.Expect100Continue = false; so your code should look like this... http://codepaste.net/ababkc Ryan On Wed, Jan 20, 2010 at 10:22 AM, Atul atul101...@gmail.com wrote: Hello Frenz, I'm building an application in C#.Net 3.5. My Requirement is to post message to twitter user, defined by me in text box, on button click I'm passing my credentials and user name with message but I'm getting following error:- the remote server returned an error 403 forbidden My Code is Below:- try { HttpWebRequest messageRequest = (HttpWebRequest)WebRequest.Create("http://twitter.com/direct_messages/new.xml?user=" + sendTo + "&text=" + message); messageRequest.Method = "POST"; messageRequest.Credentials = new NetworkCredential(username, password); messageRequest.ContentLength = 0; messageRequest.ContentType = "application/x-www-form-urlencoded"; WebResponse response = messageRequest.GetResponse(); } catch (Exception ex) { MessageBox.Show(ex.Message); } any Help is Appreciated,
Re: [twitter-dev] Re: OAuth best practice
You are correct. The PIN handshaking is only for Desktop Apps. Ryan On Mon, Jan 18, 2010 at 9:12 AM, eco_bach bac...@gmail.com wrote: Jeff, I might be wrong, as there seems to be some confusion on this, but I believe the extra PIN handshaking is ONLY required for what Twitter defines as 'Desktop Apps'. See the response to my questions here http://bit.ly/5xbydH As a newcomer to OAuth and the Twitter API I'm currently muddling thru the whole proxy requirements(I'm using actionscript)
Re: [twitter-dev] Re: Basic Auth Deprecation in June
Yes, it's official. The deprecation of Basic Auth will start in June. Ryan On Mon, Jan 18, 2010 at 10:57 AM, Hwee-Boon Yar hweeb...@gmail.com wrote: Thanks. Hope it's not official. I don't remember reading anything like that on the 2 lists. -- Hwee-Boon On Jan 18, 7:01 pm, Rich rhyl...@gmail.com wrote: Ryan Sarver said it last year http://twitter.com/Scobleizer/status/6493268213 On Jan 17, 4:46 am, Hwee-Boon Yar hweeb...@gmail.com wrote: On Jan 14, 8:30 am, twittme_mobi nlupa...@googlemail.com wrote: Hello , Regarding Basic Auth Deprecation in June Any where this is announced? -- Hwee-Boon
Re: [twitter-dev] Re: OAuth best practice
Native mobile apps (native Android, native IPhone, etc., meaning they run on the device itself and NOT in the browser) are considered Desktop apps. Yes, the mobile UX is one of the biggest issues with Twitter's OAuth implementation. Ryan On Mon, Jan 18, 2010 at 11:35 AM, Jeff Enderwick jeff.enderw...@gmail.com wrote: Is a mobile app more like a desktop app or a web app? The PIN in the 'desktop' flow handles this in the 'non-desktop' flow: Once Jane approves the request, Faji marks the Request Token as User-authorized by Jane. Jane’s browser is redirected back to Beppa, to the URL previously provided http://beppa.com/order together with the Request Token. This allows Beppa to know it can now continue to fetch Jane’s photos. With desktop (and possibly unanticipated) mobile apps, there isn't that redirect back. I'm all for whatever makes the best UX for oauth+mobile. On Mon, Jan 18, 2010 at 6:20 AM, ryan alford ryanalford...@gmail.com wrote: You are correct. The PIN handshaking is only for Desktop Apps. Ryan On Mon, Jan 18, 2010 at 9:12 AM, eco_bach bac...@gmail.com wrote: Jeff, I might be wrong, as there seems to be some confusion on this, but I believe the extra PIN handshaking is ONLY required for what Twitter defines as 'Desktop Apps'. See the response to my questions here http://bit.ly/5xbydH As a newcomer to OAuth and the Twitter API I'm currently muddling thru the whole proxy requirements(I'm using actionscript)
Re: [twitter-dev] Using OAuth keys in an open source application
You are reading it correctly. You do not want to give out your Consumer Key or Consumer Secret. If somebody downloads the source of your application, they are most likely going to be using it in their own application. Therefore, they need their own Consumer Key and Consumer Secret. Ryan On Mon, Jan 18, 2010 at 12:56 PM, Isaiah supp...@yourhead.com wrote: So you're saying that each individual end-user of the open source app would register with Twitter for separate Twitter Application credentials, add those credentials to the app, and then recompile the application? Or did I read that incorrectly? Isaiah YourHead Software supp...@yourhead.com http://www.yourhead.com On Jan 18, 2010, at 9:46 AM, Raffi Krikorian wrote: that's precisely what i would do - author your code to read from a configuration file that contains the keys. don't distribute that configuration file, but, instead, distribute a README or an example configuration file that the end user would fill in. On Mon, Jan 18, 2010 at 9:43 AM, John Meyer john.l.me...@gmail.com wrote: On 1/18/2010 1:19 AM, Ryan McCue wrote: Hey guys, I'm looking to integrate Twitter posting into an application I'm developing. The catch to this is that because it's open source, and programmed in PHP, I'd have to distribute the secret key with it. What's the best way to go about this? I've fallen back onto the ordinary basic auth API for now. Thanks, Ryan. Technically, you don't. All opensource requires is that you distribute the source code, not the individual data. So you could specify that the secret key is in a particular file and then other users could insert their own secret key. -- Raffi Krikorian Twitter Platform Team http://twitter.com/raffi
Re: [twitter-dev] Re: Using OAuth keys in an open source application
There is a difference between giving your application to others to install and use, and others downloading your code for their own applications. If a user is installing your application to use, then your code would include your consumer key. If a user is downloading your open source code to use for their own app, then they need to get their own consumer key to relate to their app. Ryan Sent from my DROID On Jan 18, 2010 2:18 PM, M. Edward (Ed) Borasky zzn...@gmail.com wrote: OK ... let me make *sure* I understand this. Is this the best practice?: 1. I write a desktop application. Whether it's closed or open source is irrelevant. I advertise this application for sale, saying, It runs on Windows, Macintosh and Linux desktops (KDE, Gnome, XFCE, let's say), it does all these wonderful things, *and* it's oAuth-secure! 2. I *sell* Bob a copy of my application. It contains code but *no* oAuth tokens of any kind. 3. Bob installs the application. Bob starts up the application. 4. The application starts up the browser and points it to http://twitter.com/apps/new, and directs Bob to do the following: 4.a. Log in to Twitter. 4.b. Fill in the form. I tried this with a dummy application, and the Application Name must be *unique*. So what does Bob put in this field? Bob's copy of Ed's wonderful application? 4.c. Now Bob has a consumer key and consumer secret, unique to *his* copy of the application, *not* generic to the application. 5. The application instructs him to enter the freshly-minted consumer key and secret via copy and paste into a dialog box, checks them for validity against the Twitter oAuth servers, and then stores them someplace that an attacker can't find them. This is, of course, platform dependent - the application needs special code for Windows, Mac, and at least two Linux desktops. See http://apiwiki.twitter.com/Security-Best-Practices for the application's responsibilities in this area. 6. OK, now Bob has registered the application with Twitter. 
He actually wants to use it now. The application starts up, picks up the stored consumer key and secret, starts up the browser again, and goes to the PIN-generation site. If Bob hasn't logged in to Twitter yet, that site will ask him to do so. Bob gets his PIN and copies it into a dialog box. The application does its thing, and Bob tweets about how wonderful it is that he can do all this stuff with Ed's wonderful application. I sell 3,000 copies of it, hire a support engineer, and make the front page of Mashable! ;-) But there's two ways I can go with this: 6.a. Grant Bob indefinite permission by getting the PIN once and storing the resulting tokens on his machine, again someplace that an attacker can't find them. 6.b. Require Bob to get a new PIN each time he uses the application. What's the best practice here? Personally, I'm leaning towards a new PIN each time as long as it isn't an impact to Twitter servers, because it exposes one less place for an attack. -- M. Edward (Ed) Borasky http://borasky-research.net/smart-at-znmeb A mathematician is a device for turning coffee into theorems. ~ Paul Erdős
Re: [twitter-dev] Re: Using OAuth keys in an open source application
Agreed. The reason you don't want to give out YOUR consumer key and consumer secret in your open-source code is because somebody could download your code, make malicious changes to make it do something bad, and now their app looks exactly like yours to Twitter since the consumer keys are the same. So when that app starts causing problems for users, it's YOU that they start contacting. Ryan On Mon, Jan 18, 2010 at 2:32 PM, John Meyer john.l.me...@gmail.com wrote: On 1/18/2010 12:22 PM, ryan alford wrote: There is a difference between giving your application to others to install and use, and others downloading your code for their own applications. If a user is installing your application to use, then your code would include your consumer key. If a user is downloading your open source code to use for their own app, then they need to get their own consumer key to relate to their app. Ryan An addendum. If you were seriously concerned about others grabbing those codes you could specify that the app fetches those keys from an ftp server or some sort of web service that you ran. But I would guess that this would be a bit more paranoid than what you are trying to prevent.
Re: [twitter-dev] Re: Using OAuth keys in an open source application
Just the consumer key, or both the consumer key and consumer secret? Both are needed when doing OAuth. Ryan On Mon, Jan 18, 2010 at 2:52 PM, M. Edward (Ed) Borasky zzn...@gmail.com wrote: On Jan 18, 11:32 am, John Meyer john.l.me...@gmail.com wrote: On 1/18/2010 12:22 PM, ryan alford wrote: There is a difference between giving your application to others to install and use, and others downloading your code for their own applications. If a user is installing your application to use, then your code would include your consumer key. Just the consumer key, or both the consumer key and consumer secret? If a user is downloading your open source code to use for their own app, then they need to get their own consumer key to relate to their app. Ryan An addendum. If you were seriously concerned about others grabbing those codes you could specify that the app fetches those keys from an ftp server or some sort of web service that you ran. But I would guess that this would be a bit more paranoid than what you are trying to prevent. The paranoia is directly from Twitter's Security Best Practices http://apiwiki.twitter.com/Security-Best-Practices: Don't store passwords. Just store OAuth tokens. Please. As aforementioned, for optimal security you should be using OAuth. But once you have a token with which to make requests on behalf of a user, where do you put it? Ideally, in an encrypted store managed by your operating system. On Mac OS X, this would be the Keychain. In the GNOME desktop environment, there's the Keyring. In the KDE desktop environment, there's KWallet. As an aside, 90% of the desktops/laptops out there run Windows. I'd hope that the Security Best Practices document would include a little more on dealing with Windows desktops than a link to the MSDN Security Developer Center. 
;-) I think the FTP server idea is a good one - it gives me a log file of everyone who's obtained the consumer key and secret for Ed's Wonderful Desktop App, so when someone fires up a debugger, runs my app, grabs all the authentication codes and uses them to do a DOS attack on Twitter and gets my app blacklisted, I'll have a list of people for my attorney to call and depose. ;-) -- M. Edward (Ed) Borasky http://borasky-research.net/smart-at-znmeb A mathematician is a device for turning coffee into theorems. ~ Paul Erdős
Re: [twitter-dev] Re: Using OAuth keys in an open source application
Why would you be required to have a server? To keep your consumer key and consumer secret out of your app? It's not required. Mine are stored in a database that is coupled with my application. The database is password protected, so nobody is getting in. Ryan On Mon, Jan 18, 2010 at 4:27 PM, M. Edward (Ed) Borasky zzn...@gmail.com wrote: On Jan 18, 11:48 am, Dossy Shiobara do...@panoptic.com wrote: Seriously, are we still beating this dead old horse? Closed or open source doesn't matter. The fact that a consumer key and secret (!) are redistributed = design FAILURE. It's trivial to recover the consumer key and secret from a closed source application, which can in turn be used in a malicious application ... The consumer key and secret CANNOT be used as a form of application authentication. It's not trustworthy enough. This is an inherent design deficiency in OAuth. If that's the case, then *desktop* Twitter applications are not a viable business model. You *must* have a server, with the extra overhead that involves, and the extra cost that must be passed on to your customers, in order to protect yourself and Twitter from malicious users. Given the other limitations of the desktop application model, e.g., no production access to the Streaming API and no easy mobile deployment options, it's seriously looking like I am wasting my time developing desktop applications. Sigh ... off to do some more research ... -- M. Edward (Ed) Borasky http://borasky-research.net/smart-at-znmeb A mathematician is a device for turning coffee into theorems. ~ Paul Erdős
Re: [twitter-dev] Re: Using OAuth keys in an open source application
Also, the consumer secret is harder to get since it's not sent as a parameter. Ryan Sent from my DROID On Jan 18, 2010 7:18 PM, Abraham Williams 4bra...@gmail.com wrote: It would be less work for me to run charles proxy and catch the consumer key/secret in transit than to decompile it and figure out where in the code it is actually stored when distributed with the app. Previously with basicauth you could use anybody's source param and spoof their application. At least with OAuth you have to acquire their consumer key/secret first. You guys are all freaking out about this when this is how the internet works. Just look at email. With a single line of PHP I can send any of you an email from any email address.* Abraham *There are technologies to stop this but very few mail servers use them. Currently Gmail refuses email from paypal.com unless it is signed by their key. On Mon, Jan 18, 2010 at 15:35, M. Edward (Ed) Borasky zzn...@gmail.com wrote: On Jan 18,... -- Abraham Williams | Moved to Seattle | May cause email delays Project | Intersect | http://intersect.labs.poseurtech.com Hacker | http://abrah.am | http://twitter.com/abraham This email is: [ ] shareable [x] ask first [ ] private.
Re: [twitter-dev] Using OAuth keys in an open source application
John Meyer wrote: Technically, you don't. All opensource requires is that you distribute the source code, not the individual data. So you could specify that the secret key is in a particular file and then other users could insert their own secret key. Right, so everyone would have to get their own API key? Sounds a bit counter intuitive to me. ryan alford wrote: You do not want to give out your Consumer Key or Consumer Secret. If somebody downloads the source of your application, they are most likely going to be using it in their own application. Therefore, they need their own Consumer Key and Consumer Secret. ryan alford wrote: There is a difference between giving your application to others to install and use, and others downloading your code for their own applications. The problem with that is that the application is written in PHP, so they need the source to run it, hence, any normal users would need to have an API key. -- Ryan McCue http://ryanmccue.info/
Re: [twitter-dev] Using OAuth keys in an open source application
PHP as in web-based? Why wouldn't the user just log in to the website? Ryan Sent from my DROID On Jan 18, 2010 10:03 PM, Ryan McCue li...@rotorised.com wrote: John Meyer wrote: Technically, you don't. All opensource requires is that you distribute the so... Right, so everyone would have to get their own API key? Sounds a bit counter intuitive to me. ryan alford wrote: You do not want to give out your Consumer Key or Consumer Secret. If someb... ryan alford wrote: There is a difference between giving your application to others to install ... The problem with that is that the application is written in PHP, so they need the source to run it, hence, any normal users would need to have an API key. -- Ryan McCue http://ryanmccue.info/
Re: [twitter-dev] Using OAuth keys in an open source application
The consumer secret is not public. The consumer key can be seen in the query parameters, but the consumer secret is not a query parameter. It would have to be reverse engineered using the signature. If twitter determines that a specific application is malware, I would only hope that they would blacklist the app. Ryan Sent from my DROID On Jan 18, 2010 10:45 PM, Marc Mims marc.m...@gmail.com wrote: * Isaiah Carew isa...@me.com [100118 19:02]: If every person that uses an app accesses the API with their own personal app credentials that wou... Hopefully twitter suspends user accounts, not application access, when malicious activity is detected. Otherwise, all desktop apps, whether closed or open source, are vulnerable. It isn't difficult to extract the consumer key and secret from any desktop application that ships with them and use them in malicious code. Registering a consumer key/secret for every instance of a desktop application seems like an unreasonable requirement to place on users. So, I agree that isn't the solution. I certainly want to see the user count on my OAuth apps page for the desktop apps I release. Per user consumer keys not only prevent Twitter from application tracking, they also prevent the application developer from tracking it as well. Consider the consumer key and secret public for desktop apps. They are. -Marc
Re: [twitter-dev] Re: Using OAuth keys in an open source application
Who said that was even an option? I haven't seen one person who said that requiring every user to create their own consumer keys to use with an application was an option. The only reason that is even in this discussion is because somebody misinterpreted an answer and that's what they thought was meant. I have never seen one person from twitter even come close to suggesting this as an option. Raffi's answer in the third post was under the impression that the OP was referring to releasing his consumer keys as part of his open source code for others to download his CODE and use for their own applications. This is what Raffi was referring to when he said to use a configuration file to store the consumer keys and have a README file for the end user. The end user being the developer that downloaded the code. Ryan Sent from my DROID On Jan 18, 2010 11:53 PM, Marc Mims marc.m...@gmail.com wrote: * Abraham Williams 4bra...@gmail.com [100118 20:10]: If rolling out a new update is a burden on you and your user you are doing it wrong. http://code... Rolling out a new version because someone compromised the consumer key pair is a burden. Are you prepared to roll out a new version every few minutes? -Marc
Re: [twitter-dev] Using OAuth keys in an open source application
ryan alford wrote: PHP as in web-based? Why wouldn't the user just login to the website? Ryan Yes, it's open source software that users run on their own servers. It is *not* a hosted service (if it was, it'd be fine). -- Ryan McCue http://ryanmccue.info/
Re: [twitter-dev] Using OAuth keys in an open source application
John Meyer wrote: No, the point I was trying to make was that you don't HAVE to distribute the key. Nothing in the open source license requires you to give that information to another person. You can distribute it if you want to, but you are perfectly free to give them the source code and tell them that if they want it to work they need to go get their own consumer keypair. In short, once you are done unit testing the product you can delete out those variables and tell them where to fill in their own information. Nothing in the open source license requires you to give that information anymore than it requires you to publicize what the root password on your mysql database server is. I'm aware of this, but the point is that it should actually work. This is made for end-users, not for developers to modify, and I'd rather not have everyone register separate API keys just to use it. -- Ryan McCue http://ryanmccue.info/
Re: [twitter-dev] Re: Failed to validate oauth signature and token
Yeah, the Nonce needs to be a unique value. If your language can create GUIDs, that might be the best option. Ryan On Sat, Jan 16, 2010 at 11:11 PM, eco_bach bac...@gmail.com wrote: solved, apparently my oauth_nonce value was incorrect, I assumed it was simply a random string and I didn't use the mx.utils.UIDUtil class to generate. I'll try also switching the order so the signature is at the end.
Re: [twitter-dev] Sign in with Twitter, PIN authentication and Desktop Clients
1. Desktop applications are those that are installed or run from a PC/Mac/Linux or on a mobile device. They are outside of the browser. 2. One is used for web applications, the other is for desktop applications. 3. You are correct. PIN workflow is only for desktop applications. Ryan Sent from my DROID On Jan 17, 2010 5:00 PM, eco_bach bac...@gmail.com wrote: Hi Building an AS3 based web application using OAuth. So far I've coded a demo that successfully obtains a request token, redirects the user to the oauth url, and, on successful login redirects the user back to the previously supplied consumer-application URL. However somewhat confused by several things. 1) Definition of Desktop Clients http://apiwiki.twitter.com/Authentication Is a desktop client any web based application? or does it specifically refer to any application OUTSIDE of the browser (ie AIR based)? 2) SignIn with Twitter Can someone explain the difference between 'oauth/authorize' and 'oauth/authenticate' urls? What is meant by 'normal flow' (2nd paragraph) here http://apiwiki.twitter.com/Sign-in-with-Twitter 3) PIN handshake My assumption is that the extra PIN handshake is ONLY necessary for what I understand to be desktop clients (ie #1 above) So 'Sign in with Twitter' for a web-based application shouldn't require the extra PIN handshake. Am I correct? Thanks for any feedback on the above!
Re: [twitter-dev] Failed to validate oauth signature and token
The signature needs to be the very last parameter. You put all of the parameters in order except for the signature. Then you create the signature and append it to the end of the query string. Ryan Sent from my DROID On Jan 16, 2010 9:48 PM, eco_bach bac...@gmail.com wrote: Ok Yes this IS a common error message. I've read most of the posts, the entire OAuth beginner's documentation, registered my application, checked for capitalization, checked my system clock. So far, no luck. As a base library I am using Sönke Rohde's open source Twitter library http://github.com/srohde/Twitter, though might switch to Tweetr and see if I make better progress. This is my header GET /oauth/request_token? oauth_consumer_key=C4eEz9MqGy28wuCj8hJC4woauth_nonce=0020a00%2001oauth_signature=gX9Uk20RF70D6sxljfvcIK4szr4%3Doauth_signature_method=HMAC- SHA1oauth_timestamp=1263675366 HTTP/1.1 Also, I am testing from the desktop at the moment so needing a proxy for security sandbox issues isn't a problem. Can anyone help with troubleshooting?
Re: [twitter-dev] List of Common Error messages and possible causes, ie 'Failed to validate oauth signature and token'.
Going by your other email, your query string parameters are not in the correct order. This is a very important part of OAuth. Ryan Sent from my DROID On Jan 16, 2010 9:48 PM, eco_bach bac...@gmail.com wrote: Hi I've read the FAQ, and all the documentation. Am attempting to get an AS3 client working using OAuth. I am getting the following error message 'Failed to validate oauth signature and token'. Tried resetting my consumer key, secret, and also checked my system clock which seems fine. After a quick search this seems to be a VERY common error message with many possible causes. Is there a list somewhere of common error messages such as this with probable causes?
[twitter-dev] Re: Retrieving tweets of an employee
Indeed. I tried several other employees. Not all of them exhibited this behavior, but all of the users that did, were Twitter employees. If this is some magic, it would be better for it to throw a 404 or 401. I think most developers disregard 404s, but retry on 500. In my application, retrying on 500 led to an infinite loop. R. On Jan 14, 5:22 pm, Peter Denton petermden...@gmail.com wrote: yeah, perhaps some greg pass magic going on on the account behind the scenes. On Thu, Jan 14, 2010 at 5:18 PM, Ryan Rosario uclamath...@gmail.com wrote: count=200 worked for the hundreds of other users, just not this one. This seems like a bug. I can't even retrieve his tweets in Tweetie (Internal server error) R. On Jan 14, 5:12 pm, Peter Denton petermden...@gmail.com wrote: Well this seems to work: http://twitter.com/statuses/user_timeline/kevinweil.json?count=10page=1 On Thu, Jan 14, 2010 at 5:00 PM, Ryan Rosario uclamath...@gmail.com wrote: http://twitter.com/statuses/user_timeline/kevinweil.json?page=1count. .. yields File not Found in Firefox. In Safari, it downloads the 500 web page. R. On Jan 14, 4:51 pm, Peter Denton petermden...@gmail.com wrote: if you put the URL in the browser it works? On Thu, Jan 14, 2010 at 4:44 PM, Ryan Rosario uclamath...@gmail.com wrote: If I remove the count parameter from the Curl call, it works, but with any count parameter, I get a 500. On Jan 14, 4:39 pm, Ryan Rosario uclamath...@gmail.com wrote: kevinweil :) I logged out of my account and his tweets are publicly viewable. On Jan 14, 4:27 pm, Peter Denton petermden...@gmail.com wrote: do you have the username? they might be protected, but have given you access? On Thu, Jan 14, 2010 at 4:26 PM, Ryan Rosario uclamath...@gmail.com wrote: I am working on a project where I need to extract some tweets from my friends and followers. I follow a couple of employees of Twitter, and for some reason, I cannot retrieve the tweets for one of them. In Python urllib2, I get a 500 error. 
In my script, I retry upon a 500, but this profile consistently returns a 500 error. If I use curl to try to retrieve this user's tweets, I get a 500 web page (Thanks for noticing! We'll get on it or something like that) instead of a JSON error return. I can email privately which user I am talking about because I don't want to post it here unless it is ok. Is this a random problem, or is there extra security on employee profiles? I also experience this problem when trying to list their tweets in Tweetie. TIA, Ryan
[twitter-dev] Re: Retrieving tweets of an employee
kevinweil :) I logged out of my account and his tweets are publicly viewable. On Jan 14, 4:27 pm, Peter Denton petermden...@gmail.com wrote: do you have the username? they might be protected, but have given you access? On Thu, Jan 14, 2010 at 4:26 PM, Ryan Rosario uclamath...@gmail.com wrote: I am working on a project where I need to extract some tweets from my friends and followers. I follow a couple of employees of Twitter, and for some reason, I cannot retrieve the tweets for one of them. In Python urllib2, I get a 500 error. In my script, I retry upon a 500, but this profile consistently returns a 500 error. If I use curl to try to retrieve this user's tweets, I get a 500 web page (Thanks for noticing! We'll get on it or something like that) instead of a JSON error return. I can email privately which user I am talking about because I don't want to post it here unless it is ok. Is this a random problem, or is there extra security on employee profiles? I also experience this problem when trying to list their tweets in Tweetie. TIA, Ryan
[twitter-dev] Re: Retrieving tweets of an employee
If I remove the count parameter from the Curl call, it works, but with any count parameter, I get a 500. On Jan 14, 4:39 pm, Ryan Rosario uclamath...@gmail.com wrote: kevinweil :) I logged out of my account and his tweets are publicly viewable. On Jan 14, 4:27 pm, Peter Denton petermden...@gmail.com wrote: do you have the username? they might be protected, but have given you access? On Thu, Jan 14, 2010 at 4:26 PM, Ryan Rosario uclamath...@gmail.com wrote: I am working on a project where I need to extract some tweets from my friends and followers. I follow a couple of employees of Twitter, and for some reason, I cannot retrieve the tweets for one of them. In Python urllib2, I get a 500 error. In my script, I retry upon a 500, but this profile consistently returns a 500 error. If I use curl to try to retrieve this user's tweets, I get a 500 web page (Thanks for noticing! We'll get on it or something like that) instead of a JSON error return. I can email privately which user I am talking about because I don't want to post it here unless it is ok. Is this a random problem, or is there extra security on employee profiles? I also experience this problem when trying to list their tweets in Tweetie. TIA, Ryan
[twitter-dev] Re: Retrieving tweets of an employee
http://twitter.com/statuses/user_timeline/kevinweil.json?page=1count=200 yields File not Found in Firefox. In Safari, it downloads the 500 web page. R. On Jan 14, 4:51 pm, Peter Denton petermden...@gmail.com wrote: if you put the URL in the browser it works? On Thu, Jan 14, 2010 at 4:44 PM, Ryan Rosario uclamath...@gmail.com wrote: If I remove the count parameter from the Curl call, it works, but with any count parameter, I get a 500. On Jan 14, 4:39 pm, Ryan Rosario uclamath...@gmail.com wrote: kevinweil :) I logged out of my account and his tweets are publicly viewable. On Jan 14, 4:27 pm, Peter Denton petermden...@gmail.com wrote: do you have the username? they might be protected, but have given you access? On Thu, Jan 14, 2010 at 4:26 PM, Ryan Rosario uclamath...@gmail.com wrote: I am working on a project where I need to extract some tweets from my friends and followers. I follow a couple of employees of Twitter, and for some reason, I cannot retrieve the tweets for one of them. In Python urllib2, I get a 500 error. In my script, I retry upon a 500, but this profile consistently returns a 500 error. If I use curl to try to retrieve this user's tweets, I get a 500 web page (Thanks for noticing! We'll get on it or something like that) instead of a JSON error return. I can email privately which user I am talking about because I don't want to post it here unless it is ok. Is this a random problem, or is there extra security on employee profiles? I also experience this problem when trying to list their tweets in Tweetie. TIA, Ryan
Re: [twitter-dev] Question about Twitter use in library names
Duane, I've been able to follow up with our lawyers and they confirmed that it is ok to include Twitter in the name of libraries that developers build. Sorry it took so long to follow up, but I wanted to make sure we got a strong, final answer back before responding. Best, Ryan On Fri, Dec 4, 2009 at 1:39 PM, Duane Roelands duane.roela...@gmail.com wrote: A question for the Twitter team: I'm the developer and maintainer of an open source library called TwitterVB. Can I expect a nastygram from your lawyers at some point? Or is there some way I can have the project vetted to avoid such a thing in the future?
Re: [twitter-dev] Re: Reinstate 'from app' for Basic Auth desktop apps until OAuth is fixed
I've been using OAuth for more than 3 months now, about 8 hours a day during the week while at work, using my own library and my own twitter client. I've never had an issue with stability. Now the desktop implementation is crappy (been posted about 50 billion times), but other than that, I've never run into issues with OAuth. Now I don't use search or streaming, though I don't even know if those use OAuth. Is there a specific stability issue? Ryan On Wed, Jan 13, 2010 at 4:32 PM, Dewald Pretorius dpr...@gmail.com wrote: Raffi, As I have noted before, the reliability of OAuth is an actual concern. Also the availability of that easy one-time migration method (getting the OAuth stuff when you have the username and password). Twitter OAuth is still in beta. Ryan said that migration to OAuth will become mandatory this year. That cannot be done until you move Twitter OAuth into stable production mode. If you do not have the necessary confidence in your OAuth implementation to do that, then you cannot force anyone to use it. On Jan 12, 3:01 am, Raffi Krikorian ra...@twitter.com wrote: As it stands, developers who have relatively new desktop apps are penalized by having updates from their app say 'from web'. Older Basic Auth desktop clients continue to enjoy a link back to the client web site with a 'from app' link. ... I understand Twitter is trying to force people to use OAuth, but that won't happen in a meaningful way until OAuth is reliable, has a truly usable workflow (PIN method isn't it), and can work well with other services (Twitpic, yfrog, etc). We aren't there yet. i'm trying to gather use cases around OAuth to help it make sense for more people to use it -- as it stands, we are not going to allow the source parameter to be set in new applications unless they come from OAuth. so, please help me out! is the reliability of OAuth an actual concern? do you have a suggestion as to what you would like to see other than the PIN workflow? 
additionally, we're actively working on a delegation method for integration with other services. -- Raffi Krikorian Twitter Platform Team http://twitter.com/raffi
Re: [twitter-dev] Re: Reinstate 'from app' for Basic Auth desktop apps until OAuth is fixed
I agree. I believe OAuth for mobile and the delegation between apps are the biggest concerns that need to be addressed before the deprecation of basic oauth in June. Both of these have been beaten to a pulp. However, these issues certainly do not push OAuth into an unstable beta state that couldn't be used in production apps. Ryan Sent from my DROID On Jan 13, 2010 5:46 PM, Tim Haines tmhai...@gmail.com wrote: On Thu, Jan 14, 2010 at 10:52 AM, ryan alford ryanalford...@gmail.com wrote: I've been using O... I've found it just as stable as the rest of the API. It's not perfect, but is generally pretty good. My main concern is that I'd like the mobile pages to be formatted for mobile devices. Oh - and the ability to delegate between apps. Sooo looking forward to that. Tim.
Re: [twitter-dev] Re: Support from a...@twitter.com sucks!!!
Dewald, I appreciate that the response email was probably not helpful to you, but there are reasons that the new zendesk-based system is greatly beneficial to the community. Surely we can tailor some of the responses so they are more specific to your inquiry (and we will do that), but it's important for us moving forward to have one ticketed channel that allows us to make sure we follow up to every response at scale. Previously those emails were coming into our personal inboxes where they could slip for weeks before we noticed them which left a developer hanging in the lurch the whole time. I would also ask of you that you assume the best of people's actions instead of following up with something as unconstructive as your first response. We are here working with you to continue to improve the system and a simple email calling out that the form response hadn't been helpful to you with a suggested email of what would have been more helpful is something we can work with you on. We are committed to building the best support we can and that can only be done through feedback from everyone on what is working and what isn't. We actually aren't getting a lot of resumes for the Developer Advocate role, so if anyone on this list is interested in helping the community or knows of someone who is, please pass them along. The upside is if they do get hired they'll be in your debt :) So again, I do appreciate and hope you continue to give us feedback on how we are doing, but I hope in the future that it is in a more constructive format than your email here. Thanks, Ryan On Tue, Jan 12, 2010 at 7:59 AM, Dewald Pretorius dpr...@gmail.com wrote: Twitter support in the past has been great. That is why it was such a shock and disappointment to get that absolutely worthless canned reply to my request. And it wasn't an automated reply from the Zendesk system. The reply was manually sent many hours later. It was clearly from someone who knows absolutely nothing about the Platform. 
Why is such a person even looking at and responding to tickets sent to api[at]twitter.com? On this forum, Twitter staff always tell us to send support requests, debug info, etc., to api[at]twitter.com. With all the millions in cash that Twitter has in the bank, one really does not want to hear about staff shortages. On Jan 12, 4:27 am, Tim Haines tmhai...@gmail.com wrote: Twitter's been trying to hire new support staff for quite a while now. You'll probably remember Doug's email. From what I can determine, they've had no luck finding people, because it's still the engineers answering questions in here. They're stretched. Saying something sucks and following it with !!! probably doesn't help the morale of the guys who are helping - often out of hours from what I can see. I feel the frustration too, but there's definitely more constructive things you can do about it. Why not send out a tweet, or message to your other networks saying Twitter's looking for support staff? Tim. On Tue, Jan 12, 2010 at 5:50 PM, Dewald Pretorius dpr...@gmail.com wrote: I sent very specific questions to a...@twitter.com, not knowing that it is now being automatically fed into the Zendesk Twitter helpdesk system. The answer I received back consisted of: - I suggest that you check out the API wiki for this information: http://apiwiki.twitter.com/. We also have a very active and helpful community at http://groups.google.com/group/twitter-development-talk, where our API team interacts with developers on a regular basis. You may want to join the group to participate in conversations about topics like these. Hope that helps, Support -- Well, F-ING D-UH!! Thanks for nothing.
Re: [twitter-dev] question about PIN code
When you direct the user to oauth/authorize, the user will be presented with an Allow/Deny page from Twitter. If they Allow, they then will be given a PIN on the screen. The user will need to give this PIN to you. Ryan On Tue, Jan 12, 2010 at 7:59 PM, dduby nezzi...@gmail.com wrote: hi, i am trying to make mobile app for Android. For authentication, i followed this procedure. i got consumer key and secret key, problem is, i don't know how to generate PIN code. is there any web site? please answer my question. The application uses oauth/request_token to obtain a request token from twitter.com. The application directs the user to oauth/authorize on twitter.com. After obtaining approval from the user, a prompt on twitter.com will display a 7 digit PIN. The user is instructed to copy this PIN and return to the application. The application will prompt the user to enter the PIN from step 4. The application uses the PIN as the value for the oauth_verifier parameter in a call to oauth/access_token which will verify the PIN and exchange a request_token for an access_token. Twitter will return an access_token for the application to generate subsequent OAuth signatures.
Re: [twitter-dev] Re: Please Help
You don't have the parameters in the proper order. The signature goes last. The rest of the parameters must be in order. Put the parameters in order, create the signature, then append the signature to the end of the query string. Ryan Sent from my DROID On Jan 6, 2010 2:05 AM, Vikram vikram.prav...@gmail.com wrote: This my query string https://twitter.com/oauth/request_token?oauth_signature=dIjtVqiRK%2BnWo5UYRSSs6WWwKII%3Doauth_callback=ooboauth_consumer_key=gUutCG9HjEOT0N8IxvW9woauth_nonce=hO3CY2tN7OblsYdp0sOoThPRGEMypcWdM1PMoauth_signature_method=HMAC-SHA1oauth_timestamp=1262716897oauth_version=1.0a
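The steps from the two threads above (sort the parameters, compute the signature, append it last, and later send the PIN as oauth_verifier), as an added Python example that is not code from any poster or from Twitter. It follows the OAuth 1.0 HMAC-SHA1 signing rules; the consumer key and secret, nonce, request token and PIN are constructed placeholders.

```python
import base64
import hashlib
import hmac
from urllib.parse import quote


def pct(value):
    """OAuth 1.0 percent-encoding: only A-Z a-z 0-9 - . _ ~ stay literal."""
    return quote(str(value), safe="")


def sorted_pairs(params):
    """Encode every parameter except oauth_signature, then sort by name/value."""
    return sorted((pct(k), pct(v)) for k, v in params.items()
                  if k != "oauth_signature")


def base_string(method, url, params):
    """METHOD & encoded URL & encoded, sorted parameter string."""
    normalized = "&".join(f"{k}={v}" for k, v in sorted_pairs(params))
    return "&".join([method.upper(), pct(url), pct(normalized)])


def signed_query(method, url, params, consumer_secret, token_secret=""):
    """Sign with HMAC-SHA1 and return the query with oauth_signature last."""
    key = f"{pct(consumer_secret)}&{pct(token_secret)}".encode()
    mac = hmac.new(key, base_string(method, url, params).encode(), hashlib.sha1)
    signature = base64.b64encode(mac.digest()).decode()
    pairs = sorted_pairs(params) + [("oauth_signature", pct(signature))]
    return "&".join(f"{k}={v}" for k, v in pairs)


# Constructed sample values. Nonce and timestamp are fixed so the output is
# reproducible; a real client uses a fresh nonce and current time per request.
COMMON = {"oauth_consumer_key": "example-consumer-key",
          "oauth_signature_method": "HMAC-SHA1", "oauth_version": "1.0",
          "oauth_timestamp": "1262716897", "oauth_nonce": "constructed-nonce-1"}


def request_token_query():
    """First step of the PIN flow: oauth_callback=oob, no token secret yet."""
    params = dict(COMMON, oauth_callback="oob")
    return signed_query("GET", "https://twitter.com/oauth/request_token",
                        params, "example-consumer-secret")


def access_token_query(request_token, request_secret, pin):
    """Last step: the PIN the user typed in travels as oauth_verifier."""
    params = dict(COMMON, oauth_token=request_token, oauth_verifier=pin)
    return signed_query("GET", "https://twitter.com/oauth/access_token",
                        params, "example-consumer-secret", request_secret)
```

Printing `base_string(...)` gives the exact string that is hashed, which is the first thing to compare when the server rejects a signature.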
Re: [twitter-dev] Please Help
Post your query string. Don't necessarily need to see the code yet, just need to see the URL that you are requesting. The error means that your signature is incorrect. Ryan On Tue, Jan 5, 2010 at 2:06 PM, Vikram vikram.prav...@gmail.com wrote: When I try to get the OAuth Request token I get Failed to validate oauth signature and token error message from twitter. What can be the possible reason? If required I can share my entire code with you people.
Re: [twitter-dev] Re: Skipping the PIN based workflow for Desktop clients using OAuth
In the Desktop workflow, you don't have to enter the PIN every time. The user is NOT required to authorize your application every time they want to use it. After the first authorization, YOU store the access token and access token secret either in a database, file, or some other type of storage mechanism. You use those stored values until they expire (which could be never). Ryan On Sun, Jan 3, 2010 at 9:44 AM, Vikram vikram.prav...@gmail.com wrote: @Duane Roelands I am working on desktop app, but the fact that I need a PIN for trading my request tokens for OAuth Access tokens made me look at PHP route. My idea was to use PHP get the access tokens and then use them in my desktop app. The rationale behind this was that I didn't want user to be entering PIN every time. With PHP I could use the callback URL for automatically getting the access tokens. @srikanth reddy Srikanth how can I make the PIN entering a one time process. If I save the access tokens will I be able to use them in the next instance of my App??
Re: [twitter-dev] Removing Registered Application
You can revoke access from the Connections tab in the Settings on the web site. Ryan Sent from my DROID On Jan 3, 2010 7:56 PM, Greg gregory.av...@gmail.com wrote: Is it possible to remove an application that you registered? Like delete it from your list?
[twitter-dev] Platform announcements from LeWeb
Hey all, Now that the dust has settled a bit and we are in the midst of the holidays I wanted to email everyone and provide some more details on the announcements we made a few weeks ago at LeWeb. *50,000 apps* We are continually amazed by all the incredible work the ecosystem does as a whole and we are proud that developers have created over 50,000 applications that allow people to experience Twitter in so many different ways. We are really looking forward to what 2010 has in store as we put more emphasis on supporting the ecosystem better and maturing as a platform. We are humbled by and appreciative of all the hard work you do. Please continue to give us feedback -- both good and bad -- on how we can support you better in your efforts to build awesome apps. *Auth announcements* With the recent launches of Retweet, Lists and Geotagging we have seen applications struggle to provide the experience they want for their users within the 150 req/hr limit. We are excited to open the skies up a bit and provide some more room for developers to work within. Starting in a few weeks all OAuth requests to api.twitter.com/1/ will be able to take advantage of a 10x rate limit increase. Basic Whitelisting still exists and is unchanged. We look forward to what this means in terms of the increased richness around the user experience in Twitter apps. *Developer Site* From the beginning we have used a disparate set of tools to help support the community -- from the apiwiki, to code.google.com for issues to this mailing group. It was a great way to get started quickly with fairly robust tools, but we need a place for developers to start from and help them find the right answers to their questions and help them solve their problems. We have announced a new Developer Site that begins to consolidate these communications channels and tools into a single place while adding some new, exciting tools to help developers. 
There will be new reference documentation, search, API console, API status dashboard (external monitoring service) and clearer documentation of policies. We are investing heavily in this area and will continue to improve the tools and content for the ecosystem to make sure that you have everything you need to get started and for continued support. We are really interested in getting your feedback on what will create a great site, so please let us know your wishlist of things that will help you be a more informed and more efficient developer. *Chirp - Twitter Developer Conference* Personally one of the most exciting announcements is that we will be throwing the first official Twitter Developer Conference which we are calling Chirp. It will be a two day event focused on equipping developers with all the tools they need to go forth and build great things. Day One will be filled with speakers from Twitter and the ecosystem talking about a broad range of topics like our roadmap, the Streaming API, how to develop desktop applications, sentiment analysis, user research and more. At the end of Day One we will kick off a 24-hour hack event with lots of great announcements and surprises already lined up. We'll also be filling Day Two with some workshops on specific topics for developers who want to dive deep in certain areas. There are lots of great surprises in store for the event and we hope to see lots of you there. *Firehose for everyone* Finally, the announcement that has garnered the most coverage and excitement. As I stated in the session at LeWeb we are committed to providing a framework for any company big or small, rich or poor to do a deal with us to get access to the Firehose in the same way we did deals with Google and Microsoft. 
We want everyone to have the opportunity -- terms will vary based on a number of variables but we want a two-person startup in a garage to have the same opportunity to build great things with the full feed that someone with a billion dollar market cap does. There are still a lot of details to be fleshed out and communicated, but this is a top priority for us and we look forward to what types of companies and products get built on top of this unique and rich stream. Sorry for the long-winded email, but there is lots of really exciting stuff for us to be talking about. As always, we are very interested in getting your feedback on the announcements and more generally on how we can continue to improve how we work together. As I said a few times in the session, our success is dependent on your success so please let us know what we can do to help make you successful. Happy holidays, Ryan
Re: [twitter-dev] Question about Twitter use in library names
Just wanted to follow up with everyone and let you know we are still on this and haven't forgotten about the thread. Hopefully will have an answer for you soon. Best, Ryan 2009/12/5 Ryan Sarver rsar...@twitter.com Duane, We definitely don't want to be sending any nastygrams, especially for something that helps the community. I put a note into our legal / marks department so that I can get an answer back to you and everyone else. Please bear with us as it could take a bit, but I'll get you an answer. Best, Ryan On Fri, Dec 4, 2009 at 1:39 PM, Duane Roelands duane.roela...@gmail.com wrote: A question for the Twitter team: I'm the developer and maintainer of an open source library called TwitterVB. Can I expect a nastygram from your lawyers at some point? Or is there some way I can have the project vetted to avoid such a thing in the future?