Re: [twitter-dev] Twitter Fail Whale All Morning

2010-06-09 Thread Ryan Alford
I've been getting it all morning.

Ryan

On Wed, Jun 9, 2010 at 12:08 PM, Ron B  wrote:

> Is anyone else hearing complaints about Twitter Fail Whale popping up
> practically continuously all morning?
>


Re: [twitter-dev] how do we get the via on Tweets

2010-03-10 Thread Ryan Alford
You have to use OAuth.

http://apiwiki.twitter.com/FAQ#HowdoIget“fromMyApp”appendedtoupdatessentfrommyAPIapplication


Ryan

On Wed, Mar 10, 2010 at 4:02 PM, pranzb  wrote:

> Hello all,
>
> I wanted to know how do we get our client name at the end of every
> tweet. Like for eg: At the end of a tweet, the website says "via API"
> or "via TweetDeck". I wanted to know how do we get that to be our
> client name like Tweetdeck did?
>
> Thanks,
>
> Pranz B
>


Re: [twitter-dev] Pin-based authorization via .NET

2010-03-07 Thread Ryan Alford
Why are you using PIN based authorization for web applications?  Web
applications don't use PINs.

Ryan

Sent from my DROID

On Mar 7, 2010 4:59 PM, "Ricky"  wrote:

I'm working on version 2 of Twitterizer, a .NET library for using the
Twitter API, but I've run into a weird issue with pin-based OAuth. I
have a sample web application and a sample desktop application. From
the web application I am able to perform pin-based authentication
without any issues, but through the desktop application every call for
access tokens is refused with "Invalid oauth_verifier parameter."
I've stepped through the code (non-stop for an hour) and I'm sure that
the exact code is executing for each call. I've tried changing the
calls to GET, instead of POST, and the results are the same. From the
web app it works great, from the desktop app, not so much.

Using fiddler, I've captured the HTTP request/response from each, and
they look exactly the same (to me).

Here is the call from the web application (works):
POST http://twitter.com/oauth/access_token?oauth_verifier=2068385 HTTP/1.1
Content-Type: application/x-www-form-urlencoded
Authorization: OAuth realm="Twitter API",oauth_consumer_key="Ds8w95QVNTITV16pqMwtHA",oauth_nonce="6E723378",oauth_signature_method="HMAC-SHA1",oauth_timestamp="1267995036",oauth_token="Vy5cCHkomrAKocY9c8J18hAEf1PJ2ONwBtQxmdGGaI",oauth_version="1.0",oauth_signature="OU3Qfi2tq%2Fwyaij0NezCARqLVCA%3D"
User-Agent: Twitterizer/2.0.0.0
Host: twitter.com

And here is the call from the desktop application (does not work):
POST http://twitter.com/oauth/access_token?oauth_verifier=541907 HTTP/1.1
Content-Type: application/x-www-form-urlencoded
Authorization: OAuth realm="Twitter API",oauth_consumer_key="Ds8w95QVNTITV16pqMwtHA",oauth_nonce="7F8D82E3",oauth_signature_method="HMAC-SHA1",oauth_timestamp="1267995086",oauth_token="uTcERUybyJF0WKi77w5dPCTZbwO7DZJX1hQuJK0fg",oauth_version="1.0",oauth_signature="iUUcdVtM%2B4nxfDKrqPqElE9IPgY%3D"
User-Agent: Twitterizer/2.0.0.0
Host: twitter.com

The response body is:


 /oauth/access_token?oauth_verifier=541907
 Invalid oauth_verifier parameter


This may be more of a .NET question, as there may be some kind of
nuance when making requests through a windows application, but I
thought it might be worth my time to ask everyone, in case I'm doing
something dumb (it happens).

Thanks for your time,
Ricky
www.twitterizer.net


Re: [twitter-dev] Re: OAuth newbie question

2010-03-06 Thread Ryan Alford
The token is a posted parameter.  The secret is part of the key for the
signature.

Ryan

On Sat, Mar 6, 2010 at 5:55 PM, IDOLpeeps  wrote:

> I've overcome the nuances of generating the oauth signature.  It
> shocks me that the API documentation provides no clear indication of
> how to send the tokens along with an API call.  It's not even a PHP-
> specific question.  Simply put: Where do the "oauth_token" and
> "oauth_token_secret" get embedded in API call: As posted parameters?
> If so, with what parameter names?  Can anybody provide guidance?  I
> have seen many people ask this question, yet see no answer.
>
> As far as why one would want to use their own library vs. somebody
> else's, that's a question for the ages.  One specific answer is that
> many of us have created our own application-specific libraries that
> accommodate traditional http authentication and we'd like to keep our
> libraries when we add Oauth.  To do so, it's best to have an answer to
> this question.
>
> Thank you.
>


Re: [twitter-dev] Re: OAuth Rate Limit Increase - Not seeing it

2010-03-04 Thread Ryan Alford
Thanks

Ryan

Sent from my DROID

On Mar 4, 2010 5:41 AM, "Nik Fletcher"  wrote:

Hi Guys

http://code.google.com/p/twitter-api/issues/detail?id=1501

Cheers

-N


On Mar 3, 9:42 pm, Milen  wrote:
> I couldn't agree more, it's pretty l...


Re: [twitter-dev] Re: OAuth Rate Limit Increase - Not seeing it

2010-03-03 Thread Ryan Alford
I just want to ask how you guys handle the following situation.  And please
correct anything that is incorrect.

The user starts up your application, and they have exhausted all of their
rate limit(using another application).  Your application does not know this
when it is first starting because you haven't made a rate limited request
yet.  You now make the rate limited request, and you get the "403:
Forbidden" error back.  I can only assume that Twitter will send the
"X-Ratelimit-Limit" header with the response error.

Does your application allow this request and then process the error, set the
rate limit information(you would need the date to tell the user when the
rate limit will reset), and go about your business?  In my app, I do a rate
limit check before making the request(using the account/rate_limit_status
method).  Since I can no longer do this(since that method returns 150
instead of 350), I was wondering how others handle this.

Just my personal opinion, but I think it's a horrible decision to have the
rate limiting headers ONLY returned for rate limited methods.  This now
requires me to make a rate limited call just to get the rate limit, which
brings the previous scenario into play.

Thanks,

Ryan

On Wed, Mar 3, 2010 at 9:44 AM, Ryan Alford  wrote:

> I was able to get that working.  I didn't notice that those headers were
> only sent for requests that counted against the rate limit.
>
> Ryan
>
>
> On Tue, Mar 2, 2010 at 6:33 PM, twittelator  wrote:
>
>> I reported this bug yesterday. Instead of making that extra call, why
>> not look at the response headers which come back with each API ACCESS
>> - you'll get the info you need:
>>
>>"X-Ratelimit-Limit" = 150;
>>"X-Ratelimit-Remaining" = 133;
>>"X-Ratelimit-Reset" = 1267576025;
>>
>> Andrew Stone
>> Twitter / @twittelator
>> http://www.stone.com
>>
>> got iPhone?
>>http://j.mp/twitpro
>>http://j.mp/tweettv-app
>>
>> On Mar 2, 11:47 am, eclipsed4utoo  wrote:
>> > I thought that the OAuth Rate Limit went up to 350?  I am still
>> > getting 150.
>> >
>> > Here is the returned XML from my request to
>> > http://api.twitter.com/1/account/rate_limit_status.xml
>> >
>> > 
>> > 
>> >   2010-03-02T19:42:28+00:00
>> >   150
>> >   1267558948
>> >   150
>> > 
>> >
>> > I am using OAuth and using the new "version" of the REST API.  What
>> > else do I need to do?
>>
>
>
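
The header-driven approach discussed in this thread, as an added example that is not code from any poster or from Twitter. It assumes, as the message above does, that a rate-limited 403 response carries the same three headers; the class and function names are hypothetical and the responses are constructed.

```python
import time


class RateLimitState:
    """Tracks the last rate-limit values seen in response headers."""

    def __init__(self):
        self.limit = None
        self.remaining = None
        self.reset_epoch = None

    def update(self, headers):
        """Record the X-Ratelimit-* headers; return False if they are absent.

        The thread notes the headers are only sent for methods that count
        against the limit, so a missing header must not wipe known state.
        """
        lowered = {name.lower(): value for name, value in headers.items()}
        try:
            limit = int(lowered["x-ratelimit-limit"])
            remaining = int(lowered["x-ratelimit-remaining"])
            reset_epoch = int(lowered["x-ratelimit-reset"])
        except (KeyError, ValueError):
            return False
        self.limit = limit
        self.remaining = max(remaining, 0)
        self.reset_epoch = reset_epoch
        return True

    def seconds_until_reset(self, now=None):
        if self.reset_epoch is None:
            return None
        now = time.time() if now is None else now
        return max(0, int(self.reset_epoch - now))

    def may_send(self, now=None):
        """Decide locally whether a rate-limited request is worth sending."""
        now = time.time() if now is None else now
        if self.remaining is None:
            return True  # nothing known yet: the first request has to go out
        if now >= self.reset_epoch:
            return True  # the window has rolled over since the last response
        return self.remaining > 0


def handle_response(state, status, headers, now):
    """Classify a response; a 403 is a rate limit only if the headers say so."""
    had_headers = state.update(headers)
    if status == 403 and had_headers and state.remaining == 0:
        return ("rate_limited", state.seconds_until_reset(now))
    if status == 403:
        return ("forbidden", None)
    return ("ok", None)


# Constructed responses. The reset value and the 150/133 pair are the ones
# quoted in the thread; the 403 response is an assumption about its headers.
RESET = 1267576025
NOW = RESET - 600
EXHAUSTED_403 = {"X-Ratelimit-Limit": "150", "X-Ratelimit-Remaining": "0",
                 "X-Ratelimit-Reset": str(RESET)}
NORMAL_200 = {"X-Ratelimit-Limit": "150", "X-Ratelimit-Remaining": "133",
              "X-Ratelimit-Reset": str(RESET)}


def startup_scenario():
    """The case from the message: limit already exhausted by another app."""
    state = RateLimitState()
    before = state.may_send(NOW)                      # unknown, so send
    outcome = handle_response(state, 403, EXHAUSTED_403, NOW)
    blocked = state.may_send(NOW)                     # now known to be empty
    after_reset = state.may_send(RESET)               # window rolled over
    return before, outcome, blocked, after_reset


if __name__ == "__main__":
    print(startup_scenario())
```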


Re: [twitter-dev] Re: OAuth Rate Limit Increase - Not seeing it

2010-03-03 Thread Ryan Alford
I was able to get that working.  I didn't notice that those headers were
only sent for requests that counted against the rate limit.

Ryan

On Tue, Mar 2, 2010 at 6:33 PM, twittelator  wrote:

> I reported this bug yesterday. Instead of making that extra call, why
> not look at the response headers which come back with each API ACCESS
> - you'll get the info you need:
>
>"X-Ratelimit-Limit" = 150;
>"X-Ratelimit-Remaining" = 133;
>"X-Ratelimit-Reset" = 1267576025;
>
> Andrew Stone
> Twitter / @twittelator
> http://www.stone.com
>
> got iPhone?
>http://j.mp/twitpro
>http://j.mp/tweettv-app
>
> On Mar 2, 11:47 am, eclipsed4utoo  wrote:
> > I thought that the OAuth Rate Limit went up to 350?  I am still
> > getting 150.
> >
> > Here is the returned XML from my request to
> > http://api.twitter.com/1/account/rate_limit_status.xml
> >
> > 
> > 
> >   2010-03-02T19:42:28+00:00
> >   150
> >   1267558948
> >   150
> > 
> >
> > I am using OAuth and using the new "version" of the REST API.  What
> > else do I need to do?
>


Re: [twitter-dev] Re: OAuth rate limit question

2010-03-03 Thread Ryan Alford
Just to add, I also get the 150 rate limit when using the
account/rate_limit_status method.  I am using OAuth and api.twitter.com.

Ryan

On Wed, Mar 3, 2010 at 8:57 AM, Raffi Krikorian  wrote:

> Well - it seems to me that rate limit status may have an issue with it.  We
> will have to take a look.
>
>
>
>
> On Mar 3, 2010, at 2:56 AM, Nik Fletcher  wrote:
>
>  Hey Raffi
>>
>> So, would Twitter prefer that clients use the headers instead of
>> relying on the (now misleading) account/rate_limit_status method to
>> verify the rate limit?
>>
>>
>> http://apiwiki.twitter.com/Twitter-REST-API-Method:-account%C2%A0rate_limit_status
>>
>> As, even with Oauth-signed requests, this method is still returning
>> 150 per hour.
>>
>> Thanks!
>>
>> Nik
>>
>> On Mar 3, 7:26 am, Raffi Krikorian  wrote:
>>
>>> are you connecting via oauth to api.twitter.com?  if so, then please
>>> take a
>>> look at the rate limit headers and let me know what you see?
>>>
>>> On Tue, Mar 2, 2010 at 10:48 PM, Ben Novakovic wrote:
>>>
>>>> Hi,
>>>>
>>>> I have been reading about twitter api limits lately as a lot of my
>>>> users are exhausting their 150reqs/h on a fairly regular basis. I came
>>>> across the following post and noticed that if users login with OAuth,
>>>> they are given 350 reqs/hr.
>>>>
>>>> http://groups.google.com/group/twitter-development-talk/msg/b09f2a332...
>>>>
>>>> This was fair enough as you guys are trying to make twitter more
>>>> secure (good work!); so we set about implementing OAuth on our client.
>>>> We completed the implementation today, but fail to see the 350 reqs/hr.
>>>> We are still being limited by the 150 reqs/hr. I was just
>>>> wondering whether there was something special we needed to do to get
>>>> our req limits up to 350 for those users who login to our client with
>>>> OAuth.
>>>>
>>>> Just to give you some background info, the client is a mobile web
>>>> based client and all requests to twitter are made on our server on
>>>> behalf of our users. If they are logged in with OAuth, the appropriate
>>>> OAuth details are also handed through as part of the request.
>>>>
>>>> We know they are using OAuth as our 'updated via xxx' changes with
>>>> using OAuth.
>>>>
>>>> Any help would be greatly appreciated!
>>>>
>>>> Thanks!
>>>> Ben
>>>>
>>> --
>>> Raffi Krikorian
>>> Twitter Platform Team
>>> http://twitter.com/raffi
>>>
>>


Re: [twitter-dev] Re: forcing api.twitter.com resources - tomorrow

2010-03-02 Thread Ryan Alford
So the OAuth methods have not been moved to api.twitter.com?  If not, then
what is going to happen when those OAuth requests go to twitter.com?  Are
they going to be blocked?

Ryan

On Tue, Mar 2, 2010 at 5:03 PM, Raffi Krikorian  wrote:

> anything going to twitter.com (and not api.twitter.com), will stick with
> twitter.com.
>
>
> On Tue, Mar 2, 2010 at 1:23 PM, Dewald Pretorius wrote:
>
>> Raffi,
>>
>> Can you please clarify how and/or if OAuth will be affected.
>>
>> My OAuth token and authorize requests also go to twitter.com, not
>> api.twitter.com.
>>
>> On Mar 2, 4:35 pm, Ryan Alford  wrote:
>> > Does OAuth go to the api.twitter.com?  The API documentation still has the 4
>> > OAuth methods going to twitter.com.
>> >
>> > http://apiwiki.twitter.com/Twitter-REST-API-Method:-oauth-request_token
>> > http://apiwiki.twitter.com/Twitter-REST-API-Method:-oauth-authorize
>> > http://apiwiki.twitter.com/Twitter-REST-API-Method:-oauth-authenticate
>> > http://apiwiki.twitter.com/Twitter-REST-API-Method:-oauth-access_token
>> >
>> > Ryan
>> >
>> > On Tue, Mar 2, 2010 at 3:31 PM, Raffi Krikorian wrote:
>> > > hi all.
>> > >
>> > > tomorrow we're going to put an operational change in place that will force
>> > > all traffic that is addressed to http://api.twitter.com to go to instances
>> > > that are specifically serving api.twitter.com code.  what does this mean
>> > > for you?  if you're only using documented api.twitter.com methods (and not
>> > > calling any undocumented methods that have been designed to support
>> > > twitter.com), then this means absolutely nothing to you :P
>> > >
>> > > just giving a heads up - we'll be actively monitoring the list and we'll
>> > > try to be in IRC when it happens in case there are any hiccups.
>> > >
>> > > --
>> > > Raffi Krikorian
>> > > Twitter Platform Team
>> > > http://twitter.com/raffi
>>
>
>
>
> --
> Raffi Krikorian
> Twitter Platform Team
> http://twitter.com/raffi
>


Re: [twitter-dev] forcing api.twitter.com resources - tomorrow

2010-03-02 Thread Ryan Alford
Does OAuth go to the api.twitter.com?  The API documentation still has the 4
OAuth methods going to twitter.com.

http://apiwiki.twitter.com/Twitter-REST-API-Method:-oauth-request_token

http://apiwiki.twitter.com/Twitter-REST-API-Method:-oauth-authorize

http://apiwiki.twitter.com/Twitter-REST-API-Method:-oauth-authenticate

http://apiwiki.twitter.com/Twitter-REST-API-Method:-oauth-access_token

Ryan

On Tue, Mar 2, 2010 at 3:31 PM, Raffi Krikorian  wrote:

> hi all.
>
> tomorrow we're going to put an operational change in place that will force
> all traffic that is addressed to http://api.twitter.com to go to instances
> that are specifically serving api.twitter.com code.  what does this mean
> for you?  if you're only using documented api.twitter.com methods (and not
> calling any undocumented methods that have been designed to support
> twitter.com), then this means absolutely nothing to you :P
>
> just giving a heads up - we'll be actively monitoring the list and we'll
> try to be in IRC when it happens in case there are any hiccups.
>
> --
> Raffi Krikorian
> Twitter Platform Team
> http://twitter.com/raffi
>


Re: [twitter-dev] Re: 401 - Unauthorized error when diacritics in status

2010-02-23 Thread Ryan Alford
Thanks Mageuzi.  I had done some searching but never came across that thread.
Guess I wasn't searching for the right words.

Thanks.

On Tue, Feb 23, 2010 at 2:45 PM, Mageuzi  wrote:

> I'm not sure if this is the same issue you are encountering, but I had
> a similar issue in my C# twitter app.  The post I made is here:
>
>
> http://groups.google.com/group/twitter-development-talk/browse_thread/thread/ef11efdd0a9cf194/6950ce9721a48609#6950ce9721a48609
>
>
> On Feb 23, 2:13 pm, Ryan Alford  wrote:
> > I think it is the way that .Net handles encoding of the diacritics.  I don't
> > think it's a Twitter api issue.  I was hoping that another .Net developer
> > had run into this issue and had fixed it.
> >
> > Ryan
> >
> > On Tue, Feb 23, 2010 at 2:07 PM, Raffi Krikorian wrote:
> > > this would be news to me - if you have a way to replicate this, and you are
> > > confident its not your oauth libraries, then please let me know.
> >
> > > On Tue, Feb 23, 2010 at 11:04 AM, Ryan Alford wrote:
> >
> > >> I believe it has been fixed in some libraries in other programming
> > >> languages, but I can't figure out how to do it in .Net.
> >
> > >> Ryan
> >
> > >> On Tue, Feb 23, 2010 at 12:38 PM, Aral Balkan wrote:
> >
> > >>> Ooh, if this is the case then it will definitely stop me from using oAuth
> > >>> for Feathers (http://feathersapp.com) since diacritics are an essential
> > >>> part of Unicode art.
> >
> > >>> Very interested in hearing what you find out.
> >
> > >>> All the best,
> > >>> Aral
> >
> > >>> On Tue, Feb 23, 2010 at 1:44 PM, eclipsed4utoo <ryanalford...@gmail.com> wrote:
> >
> > >>>> I am getting an error message when posting accent marks and other
> > >>>> diacritics in a status update.
> >
> > >>>> I saw that there was an issue [1] posted in April of last year about
> > >>>> this problem.  It seems to be with the signature generation for OAuth
> > >>>> with the encoding of accent marks.
> >
> > >>>> I am using .Net(C#), and I can't figure out how to fix this.  Do I use
> > >>>> a different encoding?  Anybody have any ideas on how to fix this
> > >>>> in .Net?
> >
> > >>>> [1] - http://code.google.com/p/twitter-api/issues/detail?id=433
> >
> > >>>> Ryan
> >
> > > --
> > > Raffi Krikorian
> > > Twitter Platform Team
> > > http://twitter.com/raffi
>


Re: [twitter-dev] 401 - Unauthorized error when diacritics in status

2010-02-23 Thread Ryan Alford
I think it is the way that .Net handles encoding of the diacritics.  I don't
think it's a Twitter api issue.  I was hoping that another .Net developer
had run into this issue and had fixed it.

Ryan

On Tue, Feb 23, 2010 at 2:07 PM, Raffi Krikorian  wrote:

> this would be news to me - if you have a way to replicate this, and you are
> confident its not your oauth libraries, then please let me know.
>
>
> On Tue, Feb 23, 2010 at 11:04 AM, Ryan Alford wrote:
>
>> I believe it has been fixed in some libraries in other programming
>> languages, but I can't figure out how to do it in .Net.
>>
>> Ryan
>>
>>
>> On Tue, Feb 23, 2010 at 12:38 PM, Aral Balkan wrote:
>>
>>> Ooh, if this is the case then it will definitely stop me from using oAuth
>>> for Feathers (http://feathersapp.com) since diacritics are an essential
>>> part of Unicode art.
>>>
>>> Very interested in hearing what you find out.
>>>
>>> All the best,
>>> Aral
>>>
>>>
>>> On Tue, Feb 23, 2010 at 1:44 PM, eclipsed4utoo 
>>> wrote:
>>>
>>>> I am getting an error message when posting accent marks and other
>>>> diacritics in a status update.
>>>>
>>>> I saw that there was an issue [1] posted in April of last year about
>>>> this problem.  It seems to be with the signature generation for OAuth
>>>> with the encoding of accent marks.
>>>>
>>>> I am using .Net(C#), and I can't figure out how to fix this.  Do I use
>>>> a different encoding?  Anybody have any ideas on how to fix this
>>>> in .Net?
>>>>
>>>> [1] - http://code.google.com/p/twitter-api/issues/detail?id=433
>>>>
>>>> Ryan
>>>>
>>>
>>>
>>
>
>
> --
> Raffi Krikorian
> Twitter Platform Team
> http://twitter.com/raffi
>


Re: [twitter-dev] 401 - Unauthorized error when diacritics in status

2010-02-23 Thread Ryan Alford
I believe it has been fixed in some libraries in other programming
languages, but I can't figure out how to do it in .Net.

Ryan

On Tue, Feb 23, 2010 at 12:38 PM, Aral Balkan  wrote:

> Ooh, if this is the case then it will definitely stop me from using oAuth
> for Feathers (http://feathersapp.com) since diacritics are an essential
> part of Unicode art.
>
> Very interested in hearing what you find out.
>
> All the best,
> Aral
>
>
> On Tue, Feb 23, 2010 at 1:44 PM, eclipsed4utoo wrote:
>
>> I am getting an error message when posting accent marks and other
>> diacritics in a status update.
>>
>> I saw that there was an issue [1] posted in April of last year about
>> this problem.  It seems to be with the signature generation for OAuth
>> with the encoding of accent marks.
>>
>> I am using .Net(C#), and I can't figure out how to fix this.  Do I use
>> a different encoding?  Anybody have any ideas on how to fix this
>> in .Net?
>>
>> [1] - http://code.google.com/p/twitter-api/issues/detail?id=433
>>
>> Ryan
>>
>
>


Re: [twitter-dev] Which api url to use?

2010-02-22 Thread Ryan Alford
The documentation for the 4 OAuth methods does not show the versioning URL.  I
didn't know if they were moved over or not.

Ryan

Sent from my DROID

On Feb 22, 2010 2:08 PM, "Raffi Krikorian"  wrote:

the API wiki docs were painstakingly converted to use the
api.twitter.com/1 endpoint.  if you spot a place we missed, feel free
to pass it along!

thanks!



On Mon, Feb 22, 2010 at 10:33 AM, Isaiah Carew  wrote:
>
> i'm bound to forget thi...


Re: [twitter-dev] Which api url to use?

2010-02-22 Thread Ryan Alford
It's actually listed on all of the twitter api method pages, except for the
OAuth methods.

Ryan

Sent from my DROID

On Feb 22, 2010 1:58 PM, "Isaiah Carew"  wrote:

i'm bound to forget this in about an hour.  is this old/new versioned/not
listed somewhere in the API docs?



On Feb 22, 2010, at 9:42 AM, Ryan Alford wrote:

> Yes, those are the ones I am talking about.
>
>...


Re: [twitter-dev] Which api url to use?

2010-02-22 Thread Ryan Alford
Yes, those are the ones I am talking about.

Ryan

On Mon, Feb 22, 2010 at 12:41 PM, Raffi Krikorian  wrote:

> hi ryan.
>
> yup - those are the original update methods, right?  like
>
> http://twitter.com/statuses/update.xml
> http://twitter.com/statuses/update.json
>
> we haven't set a deprecation date for those yet - but developers should
> plan on it.  please start to migrate to the api.twitter.com/1/ URLs.
>
>
> On Mon, Feb 22, 2010 at 9:26 AM, Ryan Alford wrote:
>
>> Raffi,
>>
>> Just so you know, "http://twitter.com/statuses/update.format" also works.
>> That's what I have been using in my app until today(moved to the
>> versioning).
>>
>> Ryan
>>
>>
>> On Mon, Feb 22, 2010 at 12:23 PM, Raffi Krikorian wrote:
>>
>>> yeah - please use the /1 URLs.  if api.twitter.com works without /1,
>>> then that's inadvertent, and we'll probably "fix" that.
>>>
>>>
>>> On Mon, Feb 22, 2010 at 9:18 AM, Ryan Alford wrote:
>>>
>>>> I *believe* Twitter is moving to "versioning" the API(which is what the
>>>> "/1/" means..it's version 1).  So I would use the URL with the "/1/", since
>>>> the other way be deprecated in the future.
>>>>
>>>> Ryan
>>>>
>>>>
>>>> On Mon, Feb 22, 2010 at 11:19 AM, Dmitri Snytkine wrote:
>>>>
>>>>> Is there a difference between using
>>>>> http://api.twitter.com/1/statuses/update.format
>>>>> and
>>>>> http://api.twitter.com/statuses/update.format  (without the /1/)?
>>>>>
>>>>
>>>>
>>>
>>>
>>> --
>>> Raffi Krikorian
>>> Twitter Platform Team
>>> http://twitter.com/raffi
>>>
>>
>>
>
>
> --
> Raffi Krikorian
> Twitter Platform Team
> http://twitter.com/raffi
>


Re: [twitter-dev] Which api url to use?

2010-02-22 Thread Ryan Alford
Raffi,

Just so you know, "http://twitter.com/statuses/update.format" also works.
That's what I have been using in my app until today(moved to the
versioning).

Ryan

On Mon, Feb 22, 2010 at 12:23 PM, Raffi Krikorian  wrote:

> yeah - please use the /1 URLs.  if api.twitter.com works without /1, then
> that's inadvertent, and we'll probably "fix" that.
>
>
> On Mon, Feb 22, 2010 at 9:18 AM, Ryan Alford wrote:
>
>> I *believe* Twitter is moving to "versioning" the API(which is what the
>> "/1/" means..it's version 1).  So I would use the URL with the "/1/", since
>> the other way be deprecated in the future.
>>
>> Ryan
>>
>>
>> On Mon, Feb 22, 2010 at 11:19 AM, Dmitri Snytkine 
>> wrote:
>>
>>> Is there a difference between using
>>> http://api.twitter.com/1/statuses/update.format
>>> and
>>> http://api.twitter.com/statuses/update.format  (without the /1/)?
>>>
>>
>>
>
>
> --
> Raffi Krikorian
> Twitter Platform Team
> http://twitter.com/raffi
>


Re: [twitter-dev] Which api url to use?

2010-02-22 Thread Ryan Alford
I *believe* Twitter is moving to "versioning" the API(which is what the
"/1/" means..it's version 1).  So I would use the URL with the "/1/", since
the other way be deprecated in the future.

Ryan

On Mon, Feb 22, 2010 at 11:19 AM, Dmitri Snytkine wrote:

> Is there a difference between using
> http://api.twitter.com/1/statuses/update.format
> and
> http://api.twitter.com/statuses/update.format  (without the /1/)?
>


Re: [twitter-dev] Re: Oauth Signatures

2010-02-18 Thread Ryan Alford
In my testing, I got the 401 error when posting a simple status such as
"testing testing" instead of normalizing it to "testing%20testing".  I can't
tell if it's the "invalid signature" error since I can't figure out how to
see that in .Net, but I can see that it's the "401: Unauthorized" error.

Ryan

On Thu, Feb 18, 2010 at 3:03 PM, Dewald Pretorius  wrote:

> Ryan,
>
> Is that with just plain ASCII in the update text that you get a 401
> when not normalized?
>
> The bulk of my signatures work fine, and I'm not normalizing at this
> point. It's just now and again that Twitter says 401 Invalid signature
> on a status update. So, I'm wondering if the text has some strange
> characters that cause a discrepancy between my sig calc and their sig
> check.
>
> On Feb 18, 3:13 pm, Ryan Alford  wrote:
> > I just tried it and I do get the 401 Unauthorized error when I don't
> > normalize the status text.
> >
> > Ryan
> >
> > On Thu, Feb 18, 2010 at 1:07 PM, Dewald Pretorius 
> wrote:
> > > Can computing the OAuth signature on un-normalized tweet text cause
> > > Incorrect Signature issues?
>


Re: [twitter-dev] Oauth Signatures

2010-02-18 Thread Ryan Alford
I just tried it and I do get the 401 Unauthorized error when I don't
normalize the status text.

Ryan

On Thu, Feb 18, 2010 at 1:07 PM, Dewald Pretorius  wrote:

> Can computing the OAuth signature on un-normalized tweet text cause
> Incorrect Signature issues?
>


Re: [twitter-dev] Re: oauth request token failing

2010-02-18 Thread Ryan Alford
That looks fine.

Are you using the Consumer Secret as the key to the hash?

Ryan

On Thu, Feb 18, 2010 at 9:10 AM, Berto  wrote:

> GET&http%3A%2F%2Ftwitter.com%2Foauth%2Frequest_token&oauth_consumer_key%3D8hvUTsGttoOBN2ygbDVJw%26oauth_nonce%3D1266502068%26oauth_signature_method%3DHMAC-SHA1%26oauth_timestamp%3D1266501208%26oauth_version%3D1.0
>
> On Feb 18, 8:04 am, Ryan Alford  wrote:
> > Can you post the string that you hash to create the signature?
> >
> > Ryan
> >
> > On Thu, Feb 18, 2010 at 8:42 AM, Berto  wrote:
> > > Even with the URL like this:
> >
> > > http://twitter.com/oauth/request_token?oauth_consumer_key=&oauth_nonce=1266501098&oauth_signature_method=HMAC-SHA1&oauth_timestamp=1266500348&oauth_version=1.0&oauth_signature=eGALeAVpxt4CB%2FuHfkLq51%2FWXRk%3D
> >
> > > It still fails for me.  I've gotta be missing something obvious.  Does
> > > anything need to go into my header?
> >
> > > On Feb 17, 9:47 pm, Ryan Alford  wrote:
> > > > You order all parameters EXCEPT the signature, then create the signature,
> > > > then append the signature to the end.  All other parameters should be in
> > > > order.
> >
> > > > Ryan
> >
> > > > On Wed, Feb 17, 2010 at 6:42 PM, Berto  wrote:
> > > > > I thought that was only for the signature which is in the right
> > > > > order?
> >
> > > > > Ryan Alford wrote:
> > > > > > Your querystring parameters are in the wrong order.  You have the
> > > > > > oauth_nonce AFTER oauth_timestamp.  It needs to be before it.  The
> > > > > > parameters must be in order.
> >
> > > > > > Ryan
> >
> > > > > > Sent from my DROID
> >
> > > > > > On Feb 17, 2010 6:18 PM, "Berto"  wrote:
> >
> > > > > > To answer the first email, I was doing that so I could put it in the
> > > > > > request header's authorization field to get this effect:
> >
> > > > > > (Taken from oauth.net)
> > > > > > Authorization: OAuth realm="http://sp.example.com/",
> > > > > >     oauth_consumer_key="0685bd9184jfhq22",
> > > > > >     oauth_token="ad180jjd733klru7",
> > > > > >     oauth_signature_method="HMAC-SHA1",
> > > > > >     oauth_signature="wOJIO9A2W5mFwDgiDvZbTSMK%2FPY%3D",
> > > > > >     oauth_timestamp="137131200",
> > > > > >     oauth_nonce="4572616e48616d6d65724c61686176",
> > > > > >     oauth_version="1.0"
> >
> > > > > > Then, I thought it might need to go into the WWW-Authenticate field as
> > > > > > opposed to the Authorization field so I tried that too with no
> > > > > > success.
> >
> > > > > > I've also just tried formatting them as GET parameters and attaching
> > > > > > them to the request URL, but that isn't working either.  It would look
> > > > > > like:
> >
> > > > > > http://twitter.com/oauth/request_token?oauth_consumer_key=&oauth_signature_method=HMAC-SHA1&oauth_timestamp=1266440918&oauth_nonce=1266440928&oauth_version=1.0&oauth_signature=l%2BYDrTyWGpvDu3owDlVQLakzVns%3D
> >
> > > > > > On Feb 17, 3:52 pm, Ryan Alford  wrote:
> > > > > > > Can you post the URL with querys...
> > > > > > > On Wed, Feb 17, 2010 at 4:51 PM, Ryan Alford <ryanalford...@gmail.com> wrote:
> >
> > > > > > > > Why are you doing this?
> >
> > > > > > > > StringBuilder params = new StringBuilder();
> > > > > > > > ...
> >
> > > > > > > > On Wed, Feb 17, 2010 at 2:37 PM, Berto wrote:
> >
> > > > > > > >> Hey guys,
> >
> > > > > > > >> I'm w...
>


Re: [twitter-dev] Re: oauth request token failing

2010-02-18 Thread Ryan Alford
Can you post the string that you hash to create the signature?

Ryan

On Thu, Feb 18, 2010 at 8:42 AM, Berto  wrote:

> Even with the URL like this:
>
> http://twitter.com/oauth/request_token?oauth_consumer_key=&oauth_nonce=1266501098&oauth_signature_method=HMAC-SHA1&oauth_timestamp=1266500348&oauth_version=1.0&oauth_signature=eGALeAVpxt4CB%2FuHfkLq51%2FWXRk%3D
>
> It still fails for me.  I've gotta be missing something obvious.  Does
> anything need to go into my header?
>
> On Feb 17, 9:47 pm, Ryan Alford  wrote:
> > You order all parameters EXCEPT the signature, then create the signature,
> > then append the signature to the end.  All other parameters should be in
> > order.
> >
> > Ryan
> >
> > On Wed, Feb 17, 2010 at 6:42 PM, Berto  wrote:
> > > I thought that was only for the signature which is in the right
> > > order?
> >
> > > Ryan Alford wrote:
> > > > Your querystring parameters are in the wrong order.  You have the
> > > > oauth_nonce AFTER oauth_timestamp.  It needs to be before it.  The
> > > > parameters must be in order.
> >
> > > > Ryan
> >
> > > > Sent from my DROID
> >
> > > > On Feb 17, 2010 6:18 PM, "Berto"  wrote:
> >
> > > > To answer the first email, I was doing that so I could put it in the
> > > > request header's authorization field to get this effect:
> >
> > > > (Taken from oauth.net)
> > > > Authorization: OAuth realm="http://sp.example.com/",
> > > >     oauth_consumer_key="0685bd9184jfhq22",
> > > >     oauth_token="ad180jjd733klru7",
> > > >     oauth_signature_method="HMAC-SHA1",
> > > >     oauth_signature="wOJIO9A2W5mFwDgiDvZbTSMK%2FPY%3D",
> > > >     oauth_timestamp="137131200",
> > > >     oauth_nonce="4572616e48616d6d65724c61686176",
> > > >     oauth_version="1.0"
> >
> > > > Then, I thought it might need to go into the WWW-Authenticate field as
> > > > opposed to the Authorization field so I tried that too with no
> > > > success.
> >
> > > > I've also just tried formatting them as GET parameters and attaching
> > > > them to the request URL, but that isn't working either.  It would look
> > > > like:
> >
> > > > http://twitter.com/oauth/request_token?oauth_consumer_key=&oauth_signature_method=HMAC-SHA1&oauth_timestamp=1266440918&oauth_nonce=1266440928&oauth_version=1.0&oauth_signature=l%2BYDrTyWGpvDu3owDlVQLakzVns%3D
> >
> > > > On Feb 17, 3:52 pm, Ryan Alford  wrote:
> > > > > Can you post the URL with querys...
> > > > > On Wed, Feb 17, 2010 at 4:51 PM, Ryan Alford <ryanalford...@gmail.com> wrote:
> >
> > > > > > Why are you doing this?
> >
> > > > > > StringBuilder params = new StringBuilder();
> > > > > > ...
> >
> > > > > > On Wed, Feb 17, 2010 at 2:37 PM, Berto wrote:
> >
> > > > > >> Hey guys,
> >
> > > > > >> I'm w...
>


Re: [twitter-dev] Re: oauth request token failing

2010-02-17 Thread Ryan Alford
You order all parameters EXCEPT the signature, then create the signature,
then append the signature to the end.  All other parameters should be in
order.

Ryan

On Wed, Feb 17, 2010 at 6:42 PM, Berto  wrote:

> I thought that was only for the signature which is in the right
> order?
>
> Ryan Alford wrote:
> > Your querystring parameters are in the wrong order.  You have the
> > oauth_nonce AFTER oauth_timestamp.  It needs to be before it.  The
> > parameters must be in order.
> >
> > Ryan
> >
> > Sent from my DROID
> >
> > On Feb 17, 2010 6:18 PM, "Berto"  wrote:
> >
> > To answer the first email, I was doing that so I could put it in the
> > request header's authorization field to get this effect:
> >
> > (Taken from oauth.net)
> > Authorization: OAuth realm="http://sp.example.com/",
> >    oauth_consumer_key="0685bd9184jfhq22",
> >    oauth_token="ad180jjd733klru7",
> >    oauth_signature_method="HMAC-SHA1",
> >    oauth_signature="wOJIO9A2W5mFwDgiDvZbTSMK%2FPY%3D",
> >    oauth_timestamp="137131200",
> >    oauth_nonce="4572616e48616d6d65724c61686176",
> >    oauth_version="1.0"
> >
> > Then, I thought it might need to go into the WWW-Authenticate field as
> > opposed to the Authorization field so I tried that too with no
> > success.
> >
> > I've also just tried formatting them as GET parameters and attaching
> > them to the request URL, but that isn't working either.  It would look
> > like:
> >
> > http://twitter.com/oauth/request_token?oauth_consumer_key=
> > &oauth_signature_method=HMAC-SHA1&oauth_timestamp=1266440918&oauth_nonce=1266440928&oauth_version=1.0&oauth_signature=l%2BYDrTyWGpvDu3owDlVQLakzVns%3D
> >
> >
> > On Feb 17, 3:52 pm, Ryan Alford  wrote:
> > > Can you post the URL with querys...
> > > On Wed, Feb 17, 2010 at 4:51 PM, Ryan Alford wrote:
> >
> > >
> > > > Why are you doing this?
> > >
> > > > StringBuilder params = new StringBuilder();
> > > > ...
> >
> > > > On Wed, Feb 17, 2010 at 2:37 PM, Berto  wrote:
> > >
> > > >> Hey guys,
> > >
> > > >> I'm w...
>


Re: [twitter-dev] Re: oauth request token failing

2010-02-17 Thread Ryan Alford
Your querystring parameters are in the wrong order.  You have the
oauth_nonce AFTER oauth_timestamp.  It needs to be before it.  The
parameters must be in order.

Ryan

Sent from my DROID

On Feb 17, 2010 6:18 PM, "Berto"  wrote:

To answer the first email, I was doing that so I could put it in the
request header's authorization field to get this effect:

(Taken from oauth.net)
Authorization: OAuth realm="http://sp.example.com/",
   oauth_consumer_key="0685bd9184jfhq22",
   oauth_token="ad180jjd733klru7",
   oauth_signature_method="HMAC-SHA1",
   oauth_signature="wOJIO9A2W5mFwDgiDvZbTSMK%2FPY%3D",
   oauth_timestamp="137131200",
   oauth_nonce="4572616e48616d6d65724c61686176",
   oauth_version="1.0"

Then, I thought it might need to go into the WWW-Authenticate field as
opposed to the Authorization field so I tried that too with no
success.

I've also just tried formatting them as GET parameters and attaching
them to the request URL, but that isn't working either.  It would look
like:

http://twitter.com/oauth/request_token?oauth_consumer_key=
&oauth_signature_method=HMAC-SHA1&oauth_timestamp=1266440918&oauth_nonce=1266440928&oauth_version=1.0&oauth_signature=l%2BYDrTyWGpvDu3owDlVQLakzVns%3D


On Feb 17, 3:52 pm, Ryan Alford  wrote:
> Can you post the URL with querys...
> On Wed, Feb 17, 2010 at 4:51 PM, Ryan Alford wrote:

>
> > Why are you doing this?
>
> > StringBuilder params = new StringBuilder();
> > ...

> > On Wed, Feb 17, 2010 at 2:37 PM, Berto  wrote:
>
> >> Hey guys,
>
> >> I'm w...


Re: [twitter-dev] oauth request token failing

2010-02-17 Thread Ryan Alford
Can you post the URL with querystring parameters when you make the request?

Ryan

On Wed, Feb 17, 2010 at 4:51 PM, Ryan Alford wrote:

> Why are you doing this?
>
> StringBuilder params = new StringBuilder();
>params.append(encode("oauth_consumer_key"));
>params.append("=\"");
>params.append(encode(CONSUMER_KEY));
>params.append("\", ");
>params.append(encode("oauth_signature_method"));
>params.append("=\"");
>params.append(encode("HMAC-SHA1"));
>params.append("\", ");
>params.append(encode("oauth_signature"));
>params.append("=\"");
>params.append(encode(sig));
>params.append("\", ");
>params.append(encode("oauth_timestamp"));
>params.append("=\"");
>params.append(encode(Long.toString(timestamp)));
>params.append("\", ");
>params.append(encode("oauth_nonce"));
>params.append("=\"");
>params.append(encode(Long.toString(timestamp + tmp.nextInt(1000))));
>params.append("\", ");
>params.append(encode("oauth_version"));
>params.append("=\"");
>params.append(encode("1.0"));
>params.append("\"");
>
> Are you putting quotation marks around the values?
>
> Ryan
>
> On Wed, Feb 17, 2010 at 2:37 PM, Berto  wrote:
>
>> Hey guys,
>>
>> I'm writing a client in java and trying to use oauth to get an access
>> token.  However, I keep getting an IOException which essentially means
>> I'm getting an HTTP 401 error back (unauthorized).  I've verified that
>> my signature algorithm is correct by using some provided examples over
>> at oauth.net, but nothing seems to be working for me.  Does the
>> consumer key need an & after it?  I'm using the exact values provided
>> via the register oauth client page.  Here's a snippet of the code:
>>
>> HttpURLConnection connection = null;
>>BufferedReader reader = null;
>>StringBuilder responseBuilder;
>>Date date = new Date();
>>long time = date.getTime();
>>long timestamp = time / 1000;
>>Random tmp = new Random();
>>
>>try {
>>StringBuilder stuff = new StringBuilder();
>>stuff.append(encode("oauth_consumer_key"));
>>stuff.append("=");
>>stuff.append(encode(CONSUMER_KEY));
>>stuff.append("&");
>>stuff.append(encode("oauth_nonce"));
>>stuff.append("=");
>>stuff.append(encode(Long.toString(timestamp + tmp.nextInt(1000))));
>>stuff.append("&");
>>stuff.append(encode("oauth_signature_method"));
>>stuff.append("=");
>>stuff.append(encode("HMAC-SHA1"));
>>stuff.append("&");
>>stuff.append(encode("oauth_timestamp"));
>>stuff.append("=");
>>stuff.append(encode(Long.toString(timestamp)));
>>stuff.append("&");
>>stuff.append(encode("oauth_version"));
>>stuff.append("=");
>>stuff.append(encode("1.0"));
>>
>>StringBuffer base = new StringBuffer("GET").append("&")
>>.append(encode("http://twitter.com/oauth/request_token")).append("&");
>>base.append(encode(stuff.toString()));
>>String oauthBaseString = base.toString();
>>
>>String sig = signature(oauthBaseString, CONSUMER_SECRET);
>>
>>StringBuilder params = new StringBuilder();
>>params.append(encode("oauth_consumer_key"));
>>params.append("=\"");
>>params.append(encode(CONSUMER_KEY));
>>params.append("\", ");
>>

Re: [twitter-dev] oauth request token failing

2010-02-17 Thread Ryan Alford
Why are you doing this?

StringBuilder params = new StringBuilder();
   params.append(encode("oauth_consumer_key"));
   params.append("=\"");
   params.append(encode(CONSUMER_KEY));
   params.append("\", ");
   params.append(encode("oauth_signature_method"));
   params.append("=\"");
   params.append(encode("HMAC-SHA1"));
   params.append("\", ");
   params.append(encode("oauth_signature"));
   params.append("=\"");
   params.append(encode(sig));
   params.append("\", ");
   params.append(encode("oauth_timestamp"));
   params.append("=\"");
   params.append(encode(Long.toString(timestamp)));
   params.append("\", ");
   params.append(encode("oauth_nonce"));
   params.append("=\"");
   params.append(encode(Long.toString(timestamp + tmp.nextInt(1000))));
   params.append("\", ");
   params.append(encode("oauth_version"));
   params.append("=\"");
   params.append(encode("1.0"));
   params.append("\"");

Are you putting quotation marks around the values?

Ryan

On Wed, Feb 17, 2010 at 2:37 PM, Berto  wrote:

> Hey guys,
>
> I'm writing a client in java and trying to use oauth to get an access
> token.  However, I keep getting an IOException which essentially means
> I'm getting an HTTP 401 error back (unauthorized).  I've verified that
> my signature algorithm is correct by using some provided examples over
> at oauth.net, but nothing seems to be working for me.  Does the
> consumer key need an & after it?  I'm using the exact values provided
> via the register oauth client page.  Here's a snippet of the code:
>
> HttpURLConnection connection = null;
>BufferedReader reader = null;
>StringBuilder responseBuilder;
>Date date = new Date();
>long time = date.getTime();
>long timestamp = time / 1000;
>Random tmp = new Random();
>
>try {
>StringBuilder stuff = new StringBuilder();
>stuff.append(encode("oauth_consumer_key"));
>stuff.append("=");
>stuff.append(encode(CONSUMER_KEY));
>stuff.append("&");
>stuff.append(encode("oauth_nonce"));
>stuff.append("=");
>stuff.append(encode(Long.toString(timestamp + tmp.nextInt(1000))));
>stuff.append("&");
>stuff.append(encode("oauth_signature_method"));
>stuff.append("=");
>stuff.append(encode("HMAC-SHA1"));
>stuff.append("&");
>stuff.append(encode("oauth_timestamp"));
>stuff.append("=");
>stuff.append(encode(Long.toString(timestamp)));
>stuff.append("&");
>stuff.append(encode("oauth_version"));
>stuff.append("=");
>stuff.append(encode("1.0"));
>
>StringBuffer base = new StringBuffer("GET").append("&")
>.append(encode("http://twitter.com/oauth/request_token")).append("&");
>base.append(encode(stuff.toString()));
>String oauthBaseString = base.toString();
>
>String sig = signature(oauthBaseString, CONSUMER_SECRET);
>
>StringBuilder params = new StringBuilder();
>params.append(encode("oauth_consumer_key"));
>params.append("=\"");
>params.append(encode(CONSUMER_KEY));
>params.append("\", ");
>params.append(encode("oauth_signature_method"));
>params.append("=\"");
>params.append(encode("HMAC-SHA1"));
>params.append("\", ");
>params.append(encode("oauth_signature"));
>params.append("=\"");
>params.append(encode(sig));
>params.append("\", ");
>params.append(encode("oauth_timestamp"));
>params.append("=\"");
>params.append(encode(Long.toString(timestamp)));
>params.append("\", ");
>params.append(encode("oauth_nonce"));
>params.append("=\"");
>params.append(encode(Long.toString(timestamp + tmp.nextInt(1000))));
>params.append("\", ");
>params.append(encode("oauth_version"));
>params.append("=\"");
>params.append(encode("1.0"));
>params.append("\"");
>
>// Prepare the connection
>URL url = new URL("http://twitter.com/oauth/request_token");
>connection = (HttpURLConnection) url.openConnection();
>connection.setRequestMethod("GET");
>
>conne

Re: [twitter-dev] Re: Application Suspended

2010-02-16 Thread Ryan Alford
Is it even worse that Raffi has seen this thread and posted in it, and still
not a peep?  You would think that he would look into it and help out, or
contact somebody that could look into it.  It seems like they just have
their head in the sand.

Ryan

On Tue, Feb 16, 2010 at 9:13 AM, Jim Fulford  wrote:

> 5 days now and application is still down and no response at all from
> Twitter on my Support Ticket.
>
> Beware of Oauth, Twitter can disable your site in a second with no
> notice.  I have still not gotten any feedback, communication of any
> kind.  The only nice thing about this process is that my users have
> been patient and understanding.  Wish I could say the same about
> Twitter.  See Below
>
> --
> easyduzzit sent a message using the contact form at
> http://www.gotwitr.com/contact.
>
> When I look in my Twitter connections your service appears as
> follows:
> "GoTwitr by Phazer Systems Suspended."
>
> I'd appreciate knowing if there is anything your customers can do to
> let Twitter know we appreciate your service.
>
>
>
>
>


Re: [twitter-dev] Re: What's up with OAuth?

2010-02-14 Thread Ryan Alford
If I am not mistaken, the oauth_verifier is for the PIN.  So if you are not
a desktop app, then it's not required.

Ryan

Sent from my DROID

On Feb 14, 2010 1:04 AM, "jon"  wrote:

It worked for a one time oauth conversion for about 3000 accounts (I
ran a batch job across five processes and think it took an hour or so
to finish)-- however, that was back in May.  The script was also
written pre oauth 1.0a, so there's no oauth_verifier. I'm not sure if
that's required now.


On Feb 13, 11:41 am, Dewald Pretorius  wrote:
> Mmmm it looks as if you're sc...


Re: [twitter-dev] Re: Looking for someone to help with oauth

2010-02-13 Thread Ryan Alford
You can ask technical questions here.

You had developers that gave up because of cookie handling? Uhhh...

Ryan

Sent from my DROID

On Feb 13, 2010 10:44 AM, "Merrows"  wrote:

Thanks for all the interesting comments. Actually I have found it hard
to locate the expertise.

I have some code samples already, but I really need someone or at
least a technical forum (similar to the kind of thing for Google
Products which allows QA type of messages) for twitter. Is there
anything like that for twitter or is this it?

I have already hired a few developers for this task, and they
implement Basic Auth, or they just give up as finding the code too
hard (mainly handling the callbacks and cookie handling seems the hard
part).

If anyone is interested in the actual application, it is a new site called
www.fullbe.com I am building which will allow users to comment on
products via their twitter names.


On Feb 11, 6:02 pm, alexro  wrote:
> Also check out LinqToTwitter, it includes...
> >http://twittervb.codeplex.com


Re: [twitter-dev] Re: What's up with OAuth?

2010-02-11 Thread Ryan Alford
He specifically states the possibility for mobile apps to use xAuth.

Ryan

Sent from my DROID

On Feb 11, 2010 11:27 PM, "kehers"  wrote:

Talking xAuth, hope mobile apps count as 'applications except web
applications'


Re: [twitter-dev] Re: oAuth and more users?

2010-02-10 Thread ryan alford
The user doesn't actually "create" their OAuth tokens manually.  The tokens
are created automatically by Twitter and given to you through responses
after the user has given your application permission to their account.

Ryan

On Wed, Feb 10, 2010 at 8:27 AM, _Bensn  wrote:

> And where do the users get their own keys to use the application with
> their own twitter account? (e.g. tweet deck)
>
> On 9 Feb., 18:29, John Meyer  wrote:
> > On 2/9/2010 10:03 AM, ryan alford wrote:
> >
> > > So you are saying that the user of a third party application must
> > > register a completely new consumer key and consumer secret?
> >
> > Again, you have your terminology wrong.  They get a completely new set
> > of oAuth tokens.  Same as the fact that every user of twitter has to
> > register his or her own Twitter username/password
> >
> > > So when TweetDeck goes to OAuth, every user will create their own
> > > consumer key and consumer secret, therefore, having 10s of thousands of
> > > "TweetDeck" applications registered?
> >
> > No.  One TweetDeck application is registered.  Those users have just
> > authorized TweetDeck to access their application.
>


Re: [twitter-dev] Looking for someone to help with oauth

2010-02-10 Thread ryan alford
I have implemented OAuth into my own WPF application (written in C#).

You can view my library at CodePlex.

http://twiteclipseapi.codeplex.com/

Ryan

On Wed, Feb 10, 2010 at 9:48 AM, Merrows  wrote:

> I am seeking someone skilled in .NET 3.5, C# to help with implementing
> twitter oauth, and I would welcome any suggestions of how to find
> someone.
>


Re: [twitter-dev] Re: oAuth and more users?

2010-02-09 Thread ryan alford
So you are saying that the user of a third party application must register a
completely new consumer key and consumer secret?

So when TweetDeck goes to OAuth, every user will create their own consumer
key and consumer secret, therefore, having 10s of thousands of "TweetDeck"
applications registered?

I am talking about the user going to the site where you have to give it a
name, tell twitter whether its a desktop or web application, and fill in the
other information?  Is that what every user is going to have to do?

Sent from my DROID

On Feb 9, 2010 11:53 AM, "John Meyer"  wrote:

On 2/9/2010 8:09 AM, _Bensn wrote:
>
> @ John Meyer - thanks for editing my post with the url.
> Is ...
Yeah.  It might be construed as more effort than a basic authentication, but
I don't believe it is that onerous.  The big issue is the web interface and
how it "breaks" the look of the application.


Re: [twitter-dev] Re: oAuth and more users?

2010-02-09 Thread ryan alford
Yes it does seem backwards.  I made my statement because the link he gave
was for application consumer keys, not the OAuth tokens.

Ryan

Sent from my DROID

On Feb 9, 2010 11:27 AM, "John Meyer"  wrote:

On 2/9/2010 9:20 AM, ryan alford wrote:

> >
> > Your users should not be required to get their own consumer key and
> > consumer secret.
> >
> > Ryan
> ...
>
>> >> On Feb 9, 2010 10:04 AM, "_Bensn" wrote:
>> >>
>> >> Where can they create their own keys? here - ht...
>>
>

They "create" their own (oAuth) keys for that app by authorizing it through
twitter.  And while we're on this point, whose idea was it to name the keys
that the applications have _Consumer_ keys while the consumers have oAuth
Tokens?  Seems totally counter-intuitive to me.


Re: [twitter-dev] Re: oAuth and more users?

2010-02-09 Thread ryan alford
Your users should not be required to get their own consumer key and consumer
secret.

Ryan

Sent from my DROID

On Feb 9, 2010 10:04 AM, "_Bensn"  wrote:

Where can they create their own keys? Here - https://twitter.com/apps/new ?

On 8 Feb., 18:55, John Meyer  wrote:

> On 2/8/2010 7:25 AM, _Bensn wrote:
>
> > Hi there,
>
> > is it possible to develope a twitter appl...


Re: [twitter-dev] Re: 'Incorrect signature' on status update with OAuth when verify credentials works

2010-02-04 Thread ryan alford
I just posted this status using my library with OAuth and it worked fine.


Testing my Twitter OAuth library with some special characters
!?:"*&^%...@!~`=+-_


Ryan

On Thu, Feb 4, 2010 at 6:19 AM, Bhavani Sankar Sikakolli  wrote:

> Yes, it fails every time. I have checked to see that I am configuring
> everything the right way.
>
>
> On Thu, Feb 4, 2010 at 4:43 PM, ryan alford wrote:
>
>> Does it fail every time?  I will test mine when I get to work in about an
>> hour.
>>
>> Ryan
>>
>> Sent from my DROID
>>
>> On Feb 4, 2010 12:23 AM, "Duane Roelands" 
>> wrote:
>>
>> And please forgive my obnoxious tone; I'm tired and frustrated. :)
>>
>>
>> On Feb 4, 12:05 am, Duane Roelands  wrote:
>> > Ryan:
>> >
>> > If posting "Hello ...
>>
>>
>


Re: [twitter-dev] .NET and oAuth update problems

2010-02-04 Thread ryan alford
I just did a test with this status...

Testing my Twitter OAuth library with some special characters
!?:"*&^%...@!~`=+-_

and it went through without any errors and posted the correct status.

Ryan

On Wed, Feb 3, 2010 at 8:02 PM, ryan alford  wrote:

> I don't know which version (if there are multiple versions).  I downloaded
> it in October I believe.
>
> Ryan
>
> Sent from my DROID
>
> On Feb 3, 2010 7:59 PM, "Andrew Badera"  wrote:
>
> From Shannon's original stuff, or something more recent? I'd worked
> with OAuthBase.cs in the past, but seemed to recall there were
> explicit exceptions in that ver of that stuff ... maybe a year ago
> now?
>
> --ab
>
>
>
> On Wed, Feb 3, 2010 at 7:57 PM, ryan alford 
> wrote:
> > I don't want to tak...
>
>


Re: [twitter-dev] Re: 'Incorrect signature' on status update with OAuth when verify credentials works

2010-02-04 Thread ryan alford
Does it fail every time?  I will test mine when I get to work in about an
hour.

Ryan

Sent from my DROID

On Feb 4, 2010 12:23 AM, "Duane Roelands"  wrote:

And please forgive my obnoxious tone; I'm tired and frustrated. :)


On Feb 4, 12:05 am, Duane Roelands  wrote:
> Ryan:
>
> If posting "Hello ...


Re: [twitter-dev] .NET and oAuth update problems

2010-02-03 Thread ryan alford
I don't know which version (if there are multiple versions).  I downloaded it
in October I believe.

Ryan

Sent from my DROID

On Feb 3, 2010 7:59 PM, "Andrew Badera"  wrote:

From Shannon's original stuff, or something more recent? I'd worked
with OAuthBase.cs in the past, but seemed to recall there were
explicit exceptions in that ver of that stuff ... maybe a year ago
now?

--ab



On Wed, Feb 3, 2010 at 7:57 PM, ryan alford  wrote:
> I don't want to tak...


Re: [twitter-dev] .NET and oAuth update problems

2010-02-03 Thread ryan alford
I don't want to take credit for it as it is from Shannon Whitley's OAuth
library.

Ryan

Sent from my DROID

On Feb 3, 2010 7:53 PM, "Andrew Badera"  wrote:

Interesting, for some reason I thought there were a few explicit
exceptions that had to be made, but your solution looks pretty
elegant.

--ab




On Wed, Feb 3, 2010 at 7:48 PM, ryan alford  wrote:
> I have it working ...


Re: [twitter-dev] .NET and oAuth update problems

2010-02-03 Thread ryan alford
I have it working and have had it working for months.  My code is
open-source and written in C#.

http://twiteclipseapi.codeplex.com/

I haven't tried every special character, though I haven't run across a
character that didn't work.

Ryan

Sent from my DROID

On Feb 3, 2010 6:53 PM, "Andrew Badera"  wrote:

Are you following the proper URL encoding? Basic .NET URLEncode
doesn't meet OAuth's encoding spec. I forget what it is offhand, but
they aren't 100% equivalent.

∞ Andy Badera




On Wed, Feb 3, 2010 at 6:50 PM, John Meyer  wrote:
> has anybody on a .NE...


Re: [twitter-dev] Re: 'Incorrect signature' on status update with OAuth when verify credentials works

2010-02-02 Thread ryan alford
Remember that the status update is different from most of the other
requests, because it adds the "status" parameter that is not in the other
requests. This means that it needs to be part of the query string and also
the signature.  Leaving this out could cause an issue.

Ryan

Sent from my DROID

On Feb 2, 2010 10:03 PM, "ohauske"  wrote:

Hi Ryan,

I tried getting the home timeline and a couple of other methods and
everything works, everything except the update status

here's my request:

http://twitter.com/statuses/update.xml?oauth_consumer_key=**&oauth_nonce=d985f559241ea3ba0fc9d6ae842e87a3&oauth_signature=hgWo0cdbttaQnUEEWkFU1USCjMc%3D&oauth_signature_method=HMAC-SHA1&oauth_timestamp=1265164536&oauth_token=***oauth_version=1.0&status=%5C%27hello%5C%27


I'm using this library

http://code.google.com/p/oauth/

On Jan 29, 6:10 am, ryan alford  wrote:
> Try getting the home timeline and...

> On Jan 28, 2010 11:14 PM, "arian cabezas"  wrote:
>
> Hi Ryan.
> I´m havi...
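
The signing steps debated in the request_token thread above and in this status-update thread, as an added Python example (not code from any poster or library in this archive): OAuth Core 1.0 percent-encoding, the sorted signature base string with `status` included, the `secret&` signing key, and both the header and query-string transports. The test vector is the published one from OAuth Core 1.0 Appendix A; the status-update key, token and secrets are placeholders, and all function names are this example's own.

```python
import base64
import hashlib
import hmac
from urllib.parse import quote


def pct(value):
    """OAuth 1.0 percent-encoding: only A-Z a-z 0-9 - . _ ~ stay literal.

    Form encoders that turn a space into '+' or leave '!*()' bare produce a
    different base string, and therefore a signature the server rejects.
    """
    return quote(str(value), safe="-._~")


def base_string(method, url, params):
    """Signature base string: METHOD & encoded URL & encoded sorted params.

    `params` is every request parameter except oauth_signature, so non-OAuth
    ones such as `status` are included. `url` is assumed to be already
    normalised (lowercase scheme and host, no query string).
    """
    pairs = sorted((pct(k), pct(v)) for k, v in params.items())
    normalized = "&".join(f"{k}={v}" for k, v in pairs)
    return "&".join([method.upper(), pct(url), pct(normalized)])


def sign(method, url, params, consumer_secret, token_secret=""):
    """HMAC-SHA1 signature, base64 encoded (not yet percent-encoded)."""
    # The '&' is always present, even for request_token calls made before
    # any token secret exists.
    key = f"{pct(consumer_secret)}&{pct(token_secret)}"
    text = base_string(method, url, params)
    mac = hmac.new(key.encode(), text.encode(), hashlib.sha1)
    return base64.b64encode(mac.digest()).decode()


def authorization_header(oauth_params, signature):
    """Header transport: name="value" pairs, comma separated.

    Only oauth_* protocol parameters go here; request parameters such as
    `status` stay in the query string or form body but are still signed.
    """
    fields = dict(oauth_params, oauth_signature=signature)
    return "OAuth " + ", ".join(
        f'{pct(k)}="{pct(v)}"' for k, v in sorted(fields.items()))


def signed_query(params, signature):
    """Query transport: unquoted name=value pairs, signature appended last."""
    pairs = sorted(params.items()) + [("oauth_signature", signature)]
    return "&".join(f"{pct(k)}={pct(v)}" for k, v in pairs)


# Published test vector from OAuth Core 1.0, Appendix A (not from this thread).
SPEC_URL = "http://photos.example.net/photos"
SPEC_OAUTH = {
    "oauth_consumer_key": "dpf43f3p2l4k3l03",
    "oauth_token": "nnch734d00sl2jdk",
    "oauth_signature_method": "HMAC-SHA1",
    "oauth_timestamp": "1191242096",
    "oauth_nonce": "kllo9940pd9333jh",
    "oauth_version": "1.0",
}
SPEC_REQUEST = {"file": "vacation.jpg", "size": "original"}


def spec_signature():
    return sign("GET", SPEC_URL, {**SPEC_OAUTH, **SPEC_REQUEST},
                "kd94hf93k423kf44", "pfkkdhi9sl3r4s00")


def status_update_signature(status, nonce="constructed-nonce-1"):
    """Constructed status update; key, token and secrets are placeholders."""
    params = {
        "oauth_consumer_key": "CONSUMER_KEY_PLACEHOLDER",
        "oauth_token": "TOKEN_PLACEHOLDER",
        "oauth_signature_method": "HMAC-SHA1",
        "oauth_timestamp": "1265164536",
        "oauth_nonce": nonce,  # generate once; sign and send the same value
        "oauth_version": "1.0",
    }
    if status is not None:
        params["status"] = status
    return sign("POST", "http://twitter.com/statuses/update.xml", params,
                "CONSUMER_SECRET_PLACEHOLDER", "TOKEN_SECRET_PLACEHOLDER")


if __name__ == "__main__":
    everything = {**SPEC_OAUTH, **SPEC_REQUEST}
    sig = spec_signature()
    print(base_string("GET", SPEC_URL, everything))
    print(authorization_header(SPEC_OAUTH, sig))
    print(SPEC_URL + "?" + signed_query(everything, sig))
```

The signature depends only on the sorted base string, so the order in which a client happens to hold its parameters does not change it; a nonce or `status` value that differs between signing and sending does.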


Re: [twitter-dev] Mobile java client - happy with OAuth as it is

2010-02-02 Thread ryan alford
Another problem with this approach is that you are now required to have a
server.  So now a developer would have the added expense of paying for a
server.  Now if the developer already had a server, then it's a moot point,
but not all developers have their own hosted servers.

What happens when your server goes down, or your hosting provider has
connectivity problems?  Your app is now dead, even though Twitter is still
functioning normally.

Ryan

On Tue, Feb 2, 2010 at 7:08 AM, Anton Krasovsky
wrote:

> With all that talk about OAuth, I thought I might share my experience
> using it in for a mobile (j2me) twitter client.
>
> I guess my approach is nothing new, and probably is not applicable to
> iPhone apps because of the appstore distribution process, but anyways.
>
> So the way I handle OAuth is as follows:
>
> All application downloads are handled by my own server. Before
> allowing user to download the app I initiate OAuth authorization with
> Twitter and then, save user tokens along with generated unique id for
> a user.
>
> Once authorized, user is permitted to download the application which
> is tagged with that unique user id I generated earlier.
>
> Once user starts the app, it uses its id to authenticate itself to my
> server.
>
> All communication between Twitter and user's application is
> handled/proxied by the server that performs all necessary oauth
> signing on behalf of the user.
>
> So, this way I have all benefits of using OAuth in a mobile app.
>
> The only drawback really, is that user must visit my web site at least
> once to perform authorization.
>
> Regards,
> Anton
> http://pavo.me
>


Re: [twitter-dev] Re: 'Incorrect signature' on status update with OAuth when verify credentials works

2010-01-29 Thread ryan alford
Try getting the home timeline and see if you get the incorrect signature
message.

Ryan

Sent from my DROID

On Jan 28, 2010 11:14 PM, "arian cabezas"  wrote:

Hi Ryan.
I'm having the same problem with statuses/update using the PHP
library provided by Twitter, named Twitter-async. As eco_bach said,
I verified my signatures and I receive information back on verify
credentials (and no 'incorrect signature' error). It's really strange
what is happening, because sometimes it works and sometimes, when I do
"$connection->post('statuses/update', array('status' => $statusStr))",
the mysterious message "incorrect signatures" appears as the
response. I don't know what to do, because I'm following everything
that is described in the Twitter-async API. It began to happen last
Tuesday the 26th.
My regards.
Arian

On 27 Jan, 00:30, ryan alford  wrote:
> It is still a POST, you just don't...

> On Jan 26, 2010 4:32 PM, "eco_bach"  wrote:
> > Hi Ryan
> > Changed to 'GET' and i...


Re: [twitter-dev] Re: 'Incorrect signature' on status update with OAuth when verify credentials works

2010-01-26 Thread ryan alford
It is still a POST, you just don't write the post data to the request.  That
post data is now in the query string where Twitter is expecting it.

Ryan

Sent from my DROID

On Jan 26, 2010 4:32 PM, "eco_bach"  wrote:

Hi Ryan
Changed to 'GET' and it seems I still get the Incorrect signature.
error

And the second time I try to update status, I also get 'This method
requires a POST.' error.


Re: [twitter-dev] Re: 'Incorrect signature' on status update with OAuth when verify credentials works

2010-01-26 Thread ryan alford
The hash algorithm can produce both upper and lower case letters.

Ryan

On Tue, Jan 26, 2010 at 1:53 PM, eco_bach  wrote:

> Also noticed, minor thing, but your signature ends in '%253d'
>
> Mine in uppercase '%253D'
>


Re: [twitter-dev] Re: 'Incorrect signature' on status update with OAuth when verify credentials works

2010-01-26 Thread ryan alford
Yes, you could assume your signature creation is correct for most API calls.
 However, as you see with the update status API call, it has the extra
parameter that is the status.

Ryan

On Tue, Jan 26, 2010 at 1:46 PM, ryan alford wrote:

> Don't do the POST request data.  You do that for Basic Auth, but not for
> OAuth.
>
> Ryan
>
>
> On Tue, Jan 26, 2010 at 1:44 PM, eco_bach  wrote:
>
>> Ryan
>> Since its a POST its part of my request.data.
>>
>> Didn't think I also needed as part of my query string but will try.
>>
>>
>> Do you know if there is an official Twitter Oauth test page  like
>>
>> http://developer.netflix.com/resources/OAuthTest
>> or Google's?
>> http://oauth.googlecode.com/svn/code/javascript/example/signature.html
>>
>> Tried both and getting a different signature value, so my next
>> question is
>> If I receive information back on verify credentials (and no 'incorrect
>> signature' error), am I safe to assume my signature generation is
>> correct?
>>
>
>


Re: [twitter-dev] Re: 'Incorrect signature' on status update with OAuth when verify credentials works

2010-01-26 Thread ryan alford
Don't do the POST request data.  You do that for Basic Auth, but not for
OAuth.

Ryan

On Tue, Jan 26, 2010 at 1:44 PM, eco_bach  wrote:

> Ryan
> Since its a POST its part of my request.data.
>
> Didn't think I also needed as part of my query string but will try.
>
>
> Do you know if there is an official Twitter Oauth test page  like
>
> http://developer.netflix.com/resources/OAuthTest
> or Google's?
> http://oauth.googlecode.com/svn/code/javascript/example/signature.html
>
> Tried both and getting a different signature value, so my next
> question is
> If I receive information back on verify credentials (and no 'incorrect
> signature' error), am I safe to assume my signature generation is
> correct?
>


Re: [twitter-dev] Re: 'Incorrect signature' on status update with OAuth when verify credentials works

2010-01-26 Thread ryan alford
I still don't see your status in the query string of the URL.  I see it in
the string for the signature, but in your actual URL, it's not there.

This is my entire URL when posting a status update:

http://twitter.com/statuses/update.xml?oauth_consumer_key=**&oauth_nonce=57a0d0d1-89e9-4f73-ac3d-f2f26bb2a56d&oauth_signature_method=HMAC-SHA1&oauth_timestamp=1264530600&oauth_token=36116361-8YRR4w9rRwz7HOc0nYTMmNWjCDrQdFYtnPwsiP7jm&oauth_version=1.0&status=really%20ready%20for%20the%20game%20tonight&oauth_signature=EGq5udax8bM5yuoZhJC0cIbM8uA%3d

Notice how my "status" is a query string parameter also.  I don't see that
in yours.

Ryan

On Tue, Jan 26, 2010 at 12:50 PM, eco_bach  wrote:

> Ryan
> Still 'Incorrect signature'
> Here's my BASE signature query string BEFORE % encoding (NOTE all
> SORTED and asterisks for my consumer key!)
>
>
> oauth_consumer_key=&oauth_nonce=16EAFA36-2A91-32A5-4A5C-6BB80EF9B45B&oauth_signature_method=HMAC-
> SHA1&oauth_timestamp=1264527609&oauth_token=9353572-
> G8h52Icbe0cjWIMl59fepUofRxoHzHznhzEwo9oqI&status=having some fun
> getting OAuth and the Twitter api working
>
>
> This is my final request URL, the %253D at the end of my signature
> looks suspect, doubly encoded? But pretty sure worked with verify
> credentials
>
> request.url==http://www.bitstream.ca/twitter/proxy.php?path=http%3A%2F
> %2Ftwitter.com%2Fstatuses%2Fupdate.json%3Foauth_consumer_key
> %3D%26oauth_nonce
> %3D16EAFA36-2A91-32A5-4A5C-6BB80EF9B45B%26oauth_signature_method
> %3DHMAC-SHA1%26oauth_timestamp%3D1264527609%26oauth_token%3D9353572-
> G8h52Icbe0cjWIMl59fepUofRxoHzHznhzEwo9oqI%26oauth_signature
> %3D5QuhEDae4gZHAxel8JVwLwkQ5J4%253D
>


Re: [twitter-dev] Re: 'Incorrect signature' on status update with OAuth when verify credentials works

2010-01-26 Thread ryan alford
You need to have the parameter name and value.

Ryan

Sent from my DROID

On Jan 25, 2010 11:47 PM, "eco_bach"  wrote:

Thanks Ryan
I'll have to look into signature creation more closely.
Essentially, if I understand correctly, I am most likely missing the
"status" parameter BEFORE creating the signature.
Would I need to include the status value as well, or is only the
parameter name necessary to create the signature?


Re: [twitter-dev] 'Incorrect signature' on status update with OAuth when verify credentials works

2010-01-25 Thread ryan alford
I am just wondering why you can't keep all of your questions in the same
thread?  If somebody was having the same issues as you, they would have to
look through 10+ of your threads.

To try to answer the question, are you including the "status" parameter as
part of the query string, which in turn, will be part of the signature?

Ryan

On Mon, Jan 25, 2010 at 10:17 PM, eco_bach  wrote:

> Almost there...
> Already googled this error and changed my request from http to https.
>
> Still getting same error...
>
> Any suggestions?
>


Re: [twitter-dev] Re: Can new twitter account be created from API?

2010-01-25 Thread ryan alford
If Twitter allowed the API to create new accounts, what's to say that
somebody won't create a script to create millions of new accounts?

Ryan

On Mon, Jan 25, 2010 at 11:22 AM, Cameron Kaiser wrote:

> > Or is the reason this is not implemented anywhere is because this sort
> > of thing is not allowed by Twitter?
>
> Correct.
>
> --
>  personal:
> http://www.cameronkaiser.com/ --
>   Cameron Kaiser * Floodgap Systems * www.floodgap.com *
> ckai...@floodgap.com
> -- When life gives you lemons, make it into a blog and get comments. --
> Locke -
>


Re: [twitter-dev] Not able to read unicode from Twitter Response XML in C#.net

2010-01-25 Thread ryan alford
Can you paste an example of the bad characters as .Net shows them, and what
they should really be?

Ryan

On Mon, Jan 25, 2010 at 5:36 AM, Rejeev  wrote:

> Hi all,
>
> My Twitter response XML contains some unicode characters, I am not
> able to read that in C#.net. It's showing junk characters. Please help
> me to read that in proper text.
>
> Thanks,
> Rejeev
>


Re: [twitter-dev] Re: getting more information than 'Could not authenticate...'

2010-01-25 Thread ryan alford
Are you putting the "status" parameter in the query string?  If not, you
should be, or at least, that's what I had to do to get it to work.

Ryan

On Mon, Jan 25, 2010 at 8:22 AM, eco_bach  wrote:

> Hi Michael
> Good point. Actionscript 3.
> Choices are Twitterscript and Tweetr.
>
> As far as I know, Twitterscript has no example using OAuth.
>
> And Tweetr has no example of working with browser based web
> authentication WITHOUT also requiring the PIN handshake.
>
> If you think I am wrong in NOT choosing either of the above, would
> appreciate your rationale.
>
> After some research, decided to use as a base what Sonke Rohde has
> done
> http://soenkerohde.com/2010/01/twitter-as3-oauth-lib-with-flex-4-example/
>
> Sonke's example is Flex4 and for an AIR application, so I've modified
> it quite a bit to work for an Actionscript only web application.
> Sonke in turn is using code from this open source project to create
> requests, generate signatures
> http://code.google.com/p/oauth-as3/
>
> The fact that I've gotten OAuth to work up to the point of verify
> credentials working would seem to indicate that I am at least on the
> right path.
> And I've learned a heck of a lot as well;)
> Perhaps what I'm trying to do isn't possible (ie creating browser
> based web OAuth authentication WITHOUT also requiring the PIN
> handshake)
> but I'm determined to find out if this is the case.
>
>
>


Re: [twitter-dev] Rate limits

2010-01-24 Thread ryan alford
If I am not mistaken, the reset time in seconds is the number of seconds
from 1/1/1970.

Ryan

Sent from my DROID

On Jan 24, 2010 8:42 PM, "EastSideDev"  wrote:

When I get the rate_limit_status.xml, this is what I get:
Array
(
   [hash] => Array
   (
   [hourly-limit] => Array
   (
   [content] => 2
   [attributes] => Array
   (
   [type] => integer
   )
   )
   [reset-time-in-seconds] => Array
   (
   [content] => 1264386634
   [attributes] => Array
   (
   [type] => integer
   )
   )
   [reset-time] => Array
   (
   [content] => 2010-01-25T02:30:34+00:00
   [attributes] => Array
   (
   [type] => datetime
   )
   )
   [remaining-hits] => Array
   (
   [content] => 2
   [attributes] => Array
   (
   [type] => integer
   )
   )
   )
)


The value for [reset-time-in-seconds] cannot be right. The reset time
seems right, but I would rather work with an integer value. What am I
doing wrong? Is this a Twitter API bug?


Re: [twitter-dev] Re: sqllite command for writing to local DB

2010-01-24 Thread ryan alford
Not java though.  Thought this was the Android email list

Sent from my DROID

On Jan 24, 2010 7:41 PM, "Kidd"  wrote:

Bump!!?

On Jan 17, 3:38 pm, Kidd  wrote: > Hello all, > > I'm
trying to capture data from...


Re: [twitter-dev] Re: sqllite command for writing to local DB

2010-01-24 Thread ryan alford
Searching Google for "writing data to sqlite java" would help you out.

Sent from my DROID

On Jan 24, 2010 7:41 PM, "Kidd"  wrote:

Bump!!?

On Jan 17, 3:38 pm, Kidd  wrote: > Hello all, > > I'm
trying to capture data from...


Re: [twitter-dev] Confused about OAuth 1.0 vs 1.0a and Twitter API docs

2010-01-22 Thread ryan alford
Most likely, Twitter has other things to do and updating the API
documentation isn't very high on the list.

Ryan

On Fri, Jan 22, 2010 at 4:40 PM, Marc Hedlund wrote:

> Yup, I know, that's what I'm asking. Why not link to and tell people to use
> 1.0a (or the IETF draft) rather than 1.0?
>
> For the record I checked all the other code examples and none of them
> support oauth_verifier (some do send oauth_callback with the first request),
> unless I'm missing something.  http://github.com/moomerman/twitter_oauth is
> the only one that's up to date.
>
> -M
>
> On Jan 22, 2010, at 1:18 PM, ryan alford wrote:
>
> > If you look at the very top of the 1.0 spec, you will see a yellow box...
> >
> > "This specification was obsoleted by OAuth Core 1.0 Revision A on June
> 24th, 2009 to address a session fixation attack. The OAuth Core 1.0 Revision
> A specification is being obsoleted by the proposed IETF draft
> draft-hammer-oauth. The draft is currently pending IESG approval before
> publication as an RFC.
> >
> > Implementers should use draft-hammer-oauth instead of this
> specification."
> >
> >
> > Here is the link to the 1.0a spec.
> > http://oauth.net/core/1.0a/
> >
> > Ryan
> >
> > On Fri, Jan 22, 2010 at 10:29 AM, Marc Hedlund 
> wrote:
> > I'm confused about the OAuth docs linked to from
> http://apiwiki.twitter.com/
> > -- especially these:
> >
> >
> http://apiwiki.twitter.com/Twitter-REST-API-Method%3A-oauth-request_token
> > http://apiwiki.twitter.com/Twitter-REST-API-Method%3A-oauth-access_token
> >
> > Both of these link to the OAuth 1.0 spec for a list of required
> > parameters.  Shouldn't they link to the 1.0a spec instead?
> >
> > I came to the docs remembering the news story from last April about
> > OAuth and session fixation vulnerabilities:
> >
> > http://oauth.net/advisories/2009-1/
> >
> http://hueniverse.com/2009/04/explaining-the-oauth-session-fixation-attack/
> >
> http://www.readwriteweb.com/archives/how_the_oauth_security_battle_was_won_open_web_sty.php
> >
> > And how it affected Twitter:
> >
> > http://blog.twitter.com/2009/04/whats-deal-with-oauth.html
> > http://news.cnet.com/8301-13577_3-10225103-36.html
> >
> > But if you look at the API docs today, it's like none of this
> > happened.  I can't find 1.0a documented anywhere, and all but one of
> > the code examples the docs link to continue to use the 1.0 token flow
> > (only http://github.com/moomerman/twitter_oauth appears to get it
> > right of the ones I checked --
> http://github.com/henriklied/django-twitter-oauth
> > and http://github.com/tav/tweetapp don't, for instance).
> > http://apiwiki.twitter.com/OAuth+Example+-+Ruby isn't publicly
> > visible.  Session fixation isn't mentioned on the "Security Best
> > Practices" page (http://apiwiki.twitter.com/Security-Best-Practices).
> > 1.0 vs 1.0a isn't in the OAuth FAQ (http://apiwiki.twitter.com/OAuth-
> > FAQ) or the main FAQ.
> >
> > (I do see
> http://groups.google.com/group/twitter-development-talk/browse_thread/thread/472500cfe9e7cdb9
> > and of course all the discussion of OAuth and the PIN problems for
> > mobile apps.)
> >
> > Shouldn't the documentation point people towards the current spec, and
> > show examples that implement it?  Or is there some reason people are
> > being pointed to 1.0?
> >
> > I'm asking because Tornado (http://www.tornadoweb.org/) provides a
> > Twitter OAuth mixin in its auth module (http://github.com/facebook/
> > tornado/blob/master/tornado/auth.py) which uses the 1.0 token flow (as
> > do all of the OAuth mixins in Tornado).  Google OAuth implements 1.0a,
> > and shows the user a security warning if the 1.0 flow is used, but
> > Tornado makes this hard to implement using their auth module.  I'm
> > working on a patch to send them and want to know whether the Twitter
> > OAuth mixin should be upgraded for 1.0a or if there's some reason it
> > shouldn't.
> >
> > Thanks.  (I'll stay on this list long enough to hear the discussion
> > but will probably bail out after that, since it's a high-volume list
> > and my interest is just in making the patch right.)
> >
> > -Marc
> >
>
>


Re: [twitter-dev] Confused about OAuth 1.0 vs 1.0a and Twitter API docs

2010-01-22 Thread ryan alford
If you look at the very top of the 1.0 spec, you will see a yellow box...

"This specification was obsoleted by OAuth Core 1.0 Revision A on June 24th,
2009 to address a session fixation attack. The OAuth Core 1.0 Revision A
specification is being obsoleted by the proposed IETF draft
draft-hammer-oauth. The draft is currently pending IESG approval before
publication as an RFC.

*Implementers should use draft-hammer-oauth instead of this specification*."


Here is the link to the 1.0a spec.
http://oauth.net/core/1.0a/

Ryan

On Fri, Jan 22, 2010 at 10:29 AM, Marc Hedlund wrote:

> I'm confused about the OAuth docs linked to from
> http://apiwiki.twitter.com/
> -- especially these:
>
> http://apiwiki.twitter.com/Twitter-REST-API-Method%3A-oauth-request_token
> http://apiwiki.twitter.com/Twitter-REST-API-Method%3A-oauth-access_token
>
> Both of these link to the OAuth 1.0 spec for a list of required
> parameters.  Shouldn't they link to the 1.0a spec instead?
>
> I came to the docs remembering the news story from last April about
> OAuth and session fixation vulnerabilities:
>
> http://oauth.net/advisories/2009-1/
> http://hueniverse.com/2009/04/explaining-the-oauth-session-fixation-attack/
>
> http://www.readwriteweb.com/archives/how_the_oauth_security_battle_was_won_open_web_sty.php
>
> And how it affected Twitter:
>
> http://blog.twitter.com/2009/04/whats-deal-with-oauth.html
> http://news.cnet.com/8301-13577_3-10225103-36.html
>
> But if you look at the API docs today, it's like none of this
> happened.  I can't find 1.0a documented anywhere, and all but one of
> the code examples the docs link to continue to use the 1.0 token flow
> (only http://github.com/moomerman/twitter_oauth appears to get it
> right of the ones I checked --
> http://github.com/henriklied/django-twitter-oauth
> and http://github.com/tav/tweetapp don't, for instance).
> http://apiwiki.twitter.com/OAuth+Example+-+Ruby isn't publicly
> visible.  Session fixation isn't mentioned on the "Security Best
> Practices" page (http://apiwiki.twitter.com/Security-Best-Practices).
> 1.0 vs 1.0a isn't in the OAuth FAQ (http://apiwiki.twitter.com/OAuth-
> FAQ) or the main FAQ.
>
> (I do see
> http://groups.google.com/group/twitter-development-talk/browse_thread/thread/472500cfe9e7cdb9
> and of course all the discussion of OAuth and the PIN problems for
> mobile apps.)
>
> Shouldn't the documentation point people towards the current spec, and
> show examples that implement it?  Or is there some reason people are
> being pointed to 1.0?
>
> I'm asking because Tornado (http://www.tornadoweb.org/) provides a
> Twitter OAuth mixin in its auth module (http://github.com/facebook/
> tornado/blob/master/tornado/auth.py) which uses the 1.0 token flow (as
> do all of the OAuth mixins in Tornado).  Google OAuth implements 1.0a,
> and shows the user a security warning if the 1.0 flow is used, but
> Tornado makes this hard to implement using their auth module.  I'm
> working on a patch to send them and want to know whether the Twitter
> OAuth mixin should be upgraded for 1.0a or if there's some reason it
> shouldn't.
>
> Thanks.  (I'll stay on this list long enough to hear the discussion
> but will probably bail out after that, since it's a high-volume list
> and my interest is just in making the patch right.)
>
> -Marc
>
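
What the 1.0a revision discussed in this thread changes on the wire, as an added Python sketch that is not code from Twitter, Tornado or any poster: the callback is fixed in the request-token call, and the access-token exchange needs the oauth_verifier that only the approving user's browser (or, for "oob", the PIN screen) received. ToyProvider, web_consumer_flow, is_refused and the callback URL are hypothetical names; request signing is left out.

```python
import hmac
import secrets
from urllib.parse import parse_qs, urlencode, urlparse


class ToyProvider:
    """Hypothetical service provider holding only the state OAuth 1.0a adds."""

    def __init__(self):
        self._pending = {}  # request token -> callback, verifier, approving user

    def request_token(self, oauth_callback):
        # 1.0a: the callback travels in the signed request-token call, so it
        # cannot be replaced later on the authorize URL. "oob" = no redirect.
        if not oauth_callback:
            raise ValueError("oauth_callback is required")
        token = secrets.token_urlsafe(16)
        self._pending[token] = {"callback": oauth_callback,
                                "verifier": None, "user": None}
        return {"oauth_token": token, "oauth_callback_confirmed": "true"}

    def authorize(self, oauth_token, user):
        # Runs when `user` approves access in their own browser session.
        entry = self._pending[oauth_token]
        entry["user"] = user
        entry["verifier"] = secrets.token_urlsafe(8)
        if entry["callback"] == "oob":
            return entry["verifier"]  # shown to the user as a PIN
        query = urlencode({"oauth_token": oauth_token,
                           "oauth_verifier": entry["verifier"]})
        joiner = "&" if "?" in entry["callback"] else "?"
        return entry["callback"] + joiner + query

    def access_token(self, oauth_token, oauth_verifier=None):
        entry = self._pending.get(oauth_token)
        if entry is None or entry["verifier"] is None:
            raise PermissionError("request token unknown or not yet authorized")
        supplied = (oauth_verifier or "").encode()
        if not hmac.compare_digest(entry["verifier"].encode(), supplied):
            raise PermissionError("oauth_verifier missing or wrong")
        del self._pending[oauth_token]  # request tokens are single use
        return {"oauth_token": secrets.token_urlsafe(16),
                "screen_name": entry["user"]}


def web_consumer_flow(provider, callback, user, send_verifier=True):
    """Consumer side; send_verifier=False models a library still on the 1.0 flow."""
    temp = provider.request_token(callback)
    if temp.get("oauth_callback_confirmed") != "true":
        raise RuntimeError("provider did not confirm the callback (not 1.0a)")
    redirect = provider.authorize(temp["oauth_token"], user)
    returned = parse_qs(urlparse(redirect).query)
    if returned.get("oauth_token") != [temp["oauth_token"]]:
        raise RuntimeError("callback is for a token this session did not request")
    verifier = returned["oauth_verifier"][0] if send_verifier else None
    return provider.access_token(temp["oauth_token"], verifier)


def is_refused(call, *args, **kwargs):
    """True when the provider rejects the call with PermissionError."""
    try:
        call(*args, **kwargs)
    except PermissionError:
        return True
    return False


if __name__ == "__main__":
    provider = ToyProvider()
    cb = "https://consumer.example/callback"  # constructed callback URL
    print("1.0a flow:", web_consumer_flow(provider, cb, "alice")["screen_name"])
    print("1.0-style exchange refused:",
          is_refused(web_consumer_flow, provider, cb, "alice", send_verifier=False))
```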


Re: [twitter-dev] Verify credentials and verified =false

2010-01-22 Thread ryan alford
I don't think the "verified" means what you are assuming it means.

If you make a call to "verify_credentials", you will get a 401 error and an
error message if the credentials are invalid.  If you receive any user data,
then it is a success.

Straight from the API documentation
http://apiwiki.twitter.com/Twitter-REST-API-Method:-account
verify_credentials

"Returns an HTTP 200 OK response code and a representation of the requesting
user if authentication was successful; returns a 401 status code and an
error message if not.  Use this method to test if supplied user credentials
are valid."

Ryan

On Fri, Jan 22, 2010 at 3:45 PM, eco_bach  wrote:

> Trying to troubleshoot Oauth sign in. I get an access token returned,
> and when I request to verify credentials, I DO get all the correct
> info EXCEPT verified =false;
>
> Can anyone tell me the possible sources for this message? Invalid
> signature, or?
>


Re: [twitter-dev] Better understanding of 'signature'

2010-01-22 Thread ryan alford
That is one of your problems. The signature needs to be created for each
request.

Here is how I do it in C#.  I know it's not the language you are using, but
hopefully it will help on how to create the signature.  Then you can use
similar libraries in Flash (if there are similar libraries) to make your
signature.

http://codepaste.net/mhqqg3

Ryan

On Fri, Jan 22, 2010 at 2:11 PM, eco_bach  wrote:

> Hi
> My OAuth sign In process is failing to verify my signature, so I
> thought I should at least ensure I understand the meaning of the term.
>
> Every time my web application launches, it generates a unique
> signature, which doesn't change for the current session.
> ie, if I quit the application, then restart, a new signature is
> generated.
>
> This signature should be appended to the end of
> my initial request token request
> my access token request
> my verify credentials request
> and my status update requests.
>
> Am I correct in the above?
>


Re: [twitter-dev] Re: Not getting correct access token when using OAuth for sign in

2010-01-21 Thread ryan alford
The plus sign (+) in your signature should be encoded.  You should URL
encode the signature just as you do the other parameters.

Ryan

On Thu, Jan 21, 2010 at 2:25 PM, eco_bach  wrote:

> Hmm still not working, signature at the end.
>
> I believe I get an Httpstatus of '0' immediately after calling
> twitter.com/oauth/access_token
>
> Also, pretty sure that my oauth_token received is different than my
> original request token, AND I do get the correct screen name returned,
> which led me to believe that it was the correct 'access token'.
>
>
> http://twitter.com/oauth/access_token?oauth_consumer_key=QGs6W7DlEx9Q3Ay4DzI0Wg&oauth_nonce=E65BD866-C285-C8CE-7BA3-524FB8D8D0C0&oauth_signature_method=HMAC-SHA1&oauth_timestamp=1264101341&oauth_token=OcVawxazvOQWYrDSonFdFRjskqaOOriClf6ULsPM&oauth_signature=7kpl8+MxM6BtOZecDc1Y65qo0zo=
>


Re: [twitter-dev] Need Help on posting Message

2010-01-20 Thread ryan alford
You need to add this

messageRequest.ServicePoint.Expect100Continue = false;

so your code should look like this...

http://codepaste.net/ababkc

Ryan

On Wed, Jan 20, 2010 at 10:22 AM, Atul  wrote:

> Hello Frenz,
>
> I'm building an application in C#.Net 3.5. My Requirement is to post
> message to twitter user, defined by me in text box, on button click
> I'm passing my credentials and user name with message but I'm getting
> following error:-
>
> "the remote server returned an error 403 forbidden"
>
> My Code is Below:-
>
>   try
>   {
>       HttpWebRequest messageRequest = (HttpWebRequest)WebRequest.Create(
>           "http://twitter.com/direct_messages/new.xml?user=" +
>           sendTo + "&text=" + message);
>       messageRequest.Method = "POST";
>       messageRequest.Credentials = new NetworkCredential(username, password);
>       messageRequest.ContentLength = 0;
>       messageRequest.ContentType = "application/x-www-form-urlencoded";
>       WebResponse response = messageRequest.GetResponse();
>   }
>   catch(Exception ex)
>   {
>       MessageBox.Show(ex.Message);
>   }
>
> any Help is Appreciated,
>


Re: [twitter-dev] please help - sporadic '403 Forbidden:' error message when using OAuth Sign-In process

2010-01-20 Thread ryan alford
Isn't this the same problem that you posted about yesterday?

http://groups.google.com/group/twitter-development-talk/browse_thread/thread/90cb64e3706e1337#

Why create a new post?

Ryan

On Wed, Jan 20, 2010 at 10:29 AM, eco_bach  wrote:

> Building an actionscript Twitter client and using OAuth for the sign
> in process.
>
> Having an extremely frustrating issue with a sporadic error message.
> '403 Forbidden: The server understood the request, but is refusing to
> fulfill it.'
>
> I'm using, of necessity, a php proxy to get to the Twitter oauth
> authenticate page at
> twitter.com/oauth/authenticate/
>
> I get here no problem so I'm assuming there's nothing wrong with my
> proxy script.
>
> However, immediately AFTER clicking 'Sign In' I sometimes get the
> error message.
>
> Also, when I am getting the message, I can even leave the username and
> password fields blank and click 'Sign In'. I still get the error
> message, instead of a correct message indicating that the username-
> password fields are missing.
>
> Because this error only seems to happen sporadically, without me
> having changed anything in my code, it makes it difficult to
> troubleshoot properly.
>
> Anyone else experience this?
>


Re: [twitter-dev] Obtaining access token WITHOUT using a PIN

2010-01-20 Thread ryan alford
You DO NOT need the PIN for a browser app.  It is ONLY REQUIRED for desktop
apps.

1.  oauth_consumer_key = Consumer key given to you by Twitter
2.  oauth_token = The token
3.  oauth_signature_method = "HMAC-SHA1"
4.  oauth_signature = computed HMAC-SHA1 hash value of the other parameters
5.  oauth_timestamp = the number of seconds since Jan 1 1970
6.  oauth_nonce = a unique value.  I would suggest using a GUID.

For the signature, here is an example of what needs to be hashed:  this is a
GET request to "rate_limit_status"

GET&http%3A%2F%2Ftwitter.com%2Faccount%2Frate_limit_status.xml&oauth_consumer_key%3DYourConsumerKey%26oauth_nonce%3D0f419e62-8680-468f-a647-0532706af529%26oauth_signature_method%3DHMAC-SHA1%26oauth_timestamp%3D126354%26oauth_token%3D36116361-8YRR4w9rRwz7HOc0nYTMmNWjCDrQdFYtnPwsiP7jm%26oauth_version%3D1.0

You would take this value and hash it.  The KEY to the hash would be
"yourConsumerSecret&tokenSecret", and "tokenSecret" is allowed to be blank
for the cases where you don't have the secret.

Even though the documentation says the "oauth_version" is optional, I
include it anyway.

Ryan

On Wed, Jan 20, 2010 at 9:59 AM, eco_bach  wrote:

> Hi
> According to the official OAuth spec, in order to obtain an access
> token, the consumer request MUST contain the following parameters
>
>    1 oauth_consumer_key: The Consumer Key.
>    2 oauth_token: The Request Token obtained previously.
>    3 oauth_signature_method: The signature method the Consumer used to
>      sign the request.
>    4 oauth_signature: The signature as defined in Signing Requests
>      (Signing Requests).
>    5 oauth_timestamp: As defined in Nonce and Timestamp (Nonce and
>      Timestamp).
>    6 oauth_nonce: As defined in Nonce and Timestamp (Nonce and
>      Timestamp).
> I'm developing a web application in Flash and hence, NOT using the
> extra pin handshake. (at least I've been told it wasn't necessary, my
> Application Type is defined as 'Browser').
>
> So far, I've been unsuccessful, 'verified'= false in my access token
> request handler.
> Can someone confirm for me that I in fact don't need the PIN, and if
> so, do I need to explicitly define all six parameters above in my
> request?
> Thanks for any feedback!
>
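
The signing steps described in this thread (a base string built from every parameter name and value, "status" included; a key of "consumerSecret&tokenSecret"; the finished signature percent-encoded like any other parameter), as an added Python example that is not code from any poster. The oauth_* values are the ones quoted in the message above; the secrets, the update URL and the status text are constructed for the demonstration.

```python
import base64
import hashlib
import hmac
from urllib.parse import quote


def pct(value):
    """OAuth percent-encoding: everything except A-Z a-z 0-9 - . _ ~ is escaped."""
    return quote(str(value), safe="~")


def signature_base_string(method, url, params):
    """METHOD & encoded URL & encoded, sorted name=value list of every parameter."""
    pairs = sorted((pct(k), pct(v)) for k, v in params.items())
    normalized = "&".join(f"{k}={v}" for k, v in pairs)
    return "&".join([method.upper(), pct(url), pct(normalized)])


def sign(method, url, params, consumer_secret, token_secret=""):
    """HMAC-SHA1 over the base string, keyed with consumerSecret&tokenSecret."""
    key = f"{pct(consumer_secret)}&{pct(token_secret)}".encode()
    base = signature_base_string(method, url, params).encode()
    return base64.b64encode(hmac.new(key, base, hashlib.sha1).digest()).decode()


def verify(method, url, received, signature, consumer_secret, token_secret=""):
    """Server side: rebuild the signature from the parameters actually received."""
    expected = sign(method, url, received, consumer_secret, token_secret)
    return hmac.compare_digest(expected.encode(), signature.encode())


def signed_query(method, url, params, consumer_secret, token_secret=""):
    """Query string or form body with oauth_signature added and percent-encoded."""
    everything = dict(params, oauth_signature=sign(
        method, url, params, consumer_secret, token_secret))
    return "&".join(f"{pct(k)}={pct(v)}" for k, v in sorted(everything.items()))


# Values quoted in the message above.
RATE_LIMIT_URL = "http://twitter.com/account/rate_limit_status.xml"
OAUTH_PARAMS = {
    "oauth_consumer_key": "YourConsumerKey",
    "oauth_nonce": "0f419e62-8680-468f-a647-0532706af529",
    "oauth_signature_method": "HMAC-SHA1",
    "oauth_timestamp": "126354",
    "oauth_token": "36116361-8YRR4w9rRwz7HOc0nYTMmNWjCDrQdFYtnPwsiP7jm",
    "oauth_version": "1.0",
}

# Constructed values for the status-update case.
UPDATE_URL = "https://api.example/statuses/update.xml"
CONSUMER_SECRET = "constructed-consumer-secret"
TOKEN_SECRET = "constructed-token-secret"
STATUS = "Almost there + still testing"


def status_update_demo():
    """Sign once without 'status' and once with it; the server sees 'status'."""
    received = dict(OAUTH_PARAMS, status=STATUS)
    without = sign("POST", UPDATE_URL, OAUTH_PARAMS, CONSUMER_SECRET, TOKEN_SECRET)
    with_status = sign("POST", UPDATE_URL, received, CONSUMER_SECRET, TOKEN_SECRET)
    return {
        "signed_without_status": verify("POST", UPDATE_URL, received, without,
                                        CONSUMER_SECRET, TOKEN_SECRET),
        "signed_with_status": verify("POST", UPDATE_URL, received, with_status,
                                     CONSUMER_SECRET, TOKEN_SECRET),
    }


if __name__ == "__main__":
    print(signature_base_string("GET", RATE_LIMIT_URL, OAUTH_PARAMS))
    print(status_update_demo())
    print(signed_query("POST", UPDATE_URL, dict(OAUTH_PARAMS, status=STATUS),
                       CONSUMER_SECRET, TOKEN_SECRET))
```

Because a new nonce and timestamp go into the base string on every call, the signature has to be recomputed for each request rather than once per session.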


Re: [twitter-dev] Beginner question : How to get the user ID after "authorize" OAuth step?

2010-01-20 Thread ryan alford
The "screen_name" is returned in the querystring along with the
"oauth_token" and the "oauth_token_secret" values.

Ryan

On Wed, Jan 20, 2010 at 6:26 AM, Pitt  wrote:

> Hi,
> I'm trying to implement a browser app and I'm just blocking at the
> first step...
> After the user granted the access to his data (OAuth authorize step),
> I want to get the user's profile (users/show) but I don't know how to
> recover the user's id or screen_name...
> Sorry if I missed something in the API documentation but I really
> searched...
> ...And thank you in advance! :)
> Pitt
>


Re: [twitter-dev] "temporarily overloaded" 503 Service Unavailable

2010-01-20 Thread ryan alford
I don't think the user cares why Twitter is overloaded, so simply telling
them that it's overloaded should be enough.

Ryan

Sent from my DROID

On Jan 20, 2010 7:13 AM, "eco_bach"  wrote:

Noticing quite a few ' "temporarily overloaded" 503 Service
Unavailable messages when trying to log in lately. I assume Twitter is
aware of and trying to correct this, but in the meantime, when
building applications, are there any guidelines or best practices to
follow when your application is presented with a 503 status?

Simple tell the user 'the service is unavailable, please try again
later'?
Or perhaps a more detailed message, explaining why the service is
unavailable?


Re: [twitter-dev] Re: Using OAuth keys in an open source application

2010-01-18 Thread ryan alford
Who said that was even an option?  I haven't seen one person who said that
requiring every user to create their own consumer keys to use with an
application was an option.  The only reason that is even in this discussion
is because somebody misinterpreted an answer and that's what they thought
was meant.  I have never seen one person from twitter even come close to
suggesting this as an option.

Raffi's answer in the third post was under the impression that the OP was
referring to releasing his consumer keys as part of his open source code for
others to download his CODE and use for their own applications.  This is
what Raffi was referring to when he said to use a configuration file to
store the consumer keys and have a README file for the "end user".  The "end
user" being the developer that downloaded the code.

Ryan

Sent from my DROID

On Jan 18, 2010 11:53 PM, "Marc Mims"  wrote:

* Abraham Williams <4bra...@gmail.com> [100118 20:10]:

> If rolling out a new update is a burden on you and your user you are doing
> it wrong. http://code...
Rolling out a new version because someone compromised the consumer key
pair is a burden.  Are you prepared to roll out a new version every few
minutes?

   -Marc


Re: [twitter-dev] Using OAuth keys in an open source application

2010-01-18 Thread ryan alford
The consumer secret is not public.  The consumer key can be seen in the
query parameters, but the consumer secret is not a query parameter.  It
would have to be reverse engineered using the signature.

If twitter determines that a specific application is malware, I would only
hope that they would blacklist the app.

Ryan

Sent from my DROID

On Jan 18, 2010 10:45 PM, "Marc Mims"  wrote:

* Isaiah Carew  [100118 19:02]:

> If every person that uses an app accesses the API with their own personal
app credentials that wou...
Hopefully twitter suspends user accounts, not application access, when
malicious activity is detected.  Otherwise, all desktop apps, whether
closed or open source, are vulnerable.

It isn't difficult to extract the consumer key and secret from any
desktop application that ships with them and use them in malicious code.

Registering a consumer key/secret for every instance of a desktop
application seems like an unreasonable requirement to place on users.
So, I agree that isn't the solution.  I certainly want to see the user
count on my OAuth apps page for the desktop apps I release.  Per user
consumer keys not only prevent Twitter from application tracking, they
also prevent the application developer from tracking it as well.

Consider the consumer key and secret public for desktop apps.  They are.

   -Marc


Re: [twitter-dev] Re: Using OAuth keys in an open source application

2010-01-18 Thread ryan alford
What you say is true about all desktop applications that connect to an
internet resource using some form of authentication.  I don't see why
somebody would expect a Twitter client to be any different.

Ryan

Sent from my DROID

On Jan 18, 2010 10:16 PM, "M. Edward (Ed) Borasky"  wrote:

I'm trying to define a minimum viable product that I can *sell*.
Nothing I've seen in this thread so far has convinced me that a
desktop application accessing Twitter is viable, with or without
oAuth. "Without oAuth" isn't viable because it's deprecated by
Twitter, and "with oAuth" isn't viable because it's *easy* to
compromise. Sure, a server *can* be compromised, but it's a lot
harder. On a server, I can control the choice of the entire stack -
hardware, OS, application framework, DBMS, etc. I may not be able to
prevent a DOS attack, but I can keep that away from Twitter - I can't
control how users interact with Twitter using a compromised desktop
app.

There must be some other developers on this list - does *anybody* who
develops Twitter apps for a living want to chime in and tell me I'm
full of hot air here - that there *is* a way to develop and deploy a
viable secure desktop Twitter app?

> You guys are all freaking out about this when this is how the internet >
works. Just look at emai...
This is how the Internet works *now* - with 90 percent of the desktops
running Windows, many of those not up to date on Windows Updates or
virus scanner code and virus definitions, botnets controlling millions
of PCs, the government of China exploiting holes in IE 6, bloggers
calling openly for iPhone users to mount a DDOS against AT&T, GMail
peeking at the content of my emails to suggest commercial products
that I might happen to consider competitors, and Facebook selling your
private data to scammers and spammers. There may be a thousand and one
ways to get hurt on the Internet, but I'm not interested in deploying
the 1002nd.

That could all change with ChromeOS netbooks. I can dream. ;-)

-- M. Edward (Ed) Borasky http://borasky-research.net/smart-at-znmeb "A
mathematician is a device ...


Re: [twitter-dev] Using OAuth keys in an open source application

2010-01-18 Thread ryan alford
PHP as in web-based?  Why wouldn't the user just login to the website?

Ryan

Sent from my DROID

On Jan 18, 2010 10:03 PM, "Ryan McCue"  wrote:

John Meyer wrote: > > Technically, you don't.  All opensource requires is
that you distribute the so...
Right, so everyone would have to get their own API key? Sounds a bit counter
intuitive to me.

ryan alford wrote: > > You do not want to give out your Consumer Key or
Consumer Secret.  If someb...

ryan alford wrote: > > > There is a difference between giving your
application to others to install ...
The problem with that is that the application is written in PHP, so they
need the source to run it, hence, any normal users would need to have an API
key.

-- 
Ryan McCue
<http://ryanmccue.info/>


Re: [twitter-dev] Re: Using OAuth keys in an open source application

2010-01-18 Thread ryan alford
Also, the consumer secret is harder to get since it's not sent as a
parameter.

Ryan

Sent from my DROID

On Jan 18, 2010 7:18 PM, "Abraham Williams" <4bra...@gmail.com> wrote:

It would be less work for me to run charles proxy and catch the consumer
key/secret in transit than to decompile it and figure out where in the code
it is actually stored when distributed with the app.

Previously with basicauth you could use anybody's source param and spoof
their application. At least with OAuth you have to acquire their consumer
key/secret first.

You guys are all freaking out about this when this is how the internet
works. Just look at email. With a single line of PHP I can send any of you
an email from any email address.*

Abraham

*There are technologies to stop this but very few mail servers use them.
Currently Gmail refuses email from paypal.com unless it is signed by their
key.

On Mon, Jan 18, 2010 at 15:35, M. Edward (Ed) Borasky 
wrote: > > > > On Jan 18,...
-- 
Abraham Williams | Moved to Seattle | May cause email delays
Project | Intersect | http://intersect.labs.poseurtech.com
Hacker | http://abrah.am | http://twitter.com/abraham
This email is: [ ] shareable [x] ask first [ ] private.


Re: [twitter-dev] Re: Using OAuth keys in an open source application

2010-01-18 Thread ryan alford
Why would you be required to have a server?  To keep your consumer key and
consumer secret out of your app?  It's not required.  Mine are stored in a
database that is coupled with my application.  The database is password
protected, so nobody is getting in.

Ryan

On Mon, Jan 18, 2010 at 4:27 PM, M. Edward (Ed) Borasky wrote:

> On Jan 18, 11:48 am, Dossy Shiobara  wrote:
> > Seriously, are we still beating this dead old horse?
> >
> > Closed or open source doesn't matter.  The fact that a consumer key and
> > secret (!) are redistributed = design FAILURE.
> >
> > It's trivial to recover the consumer key and secret from a closed source
> > application, which can in turn be used in a malicious application ...
> >
> > The consumer key and secret CANNOT be used as a form of application
> > authentication.  It's not trustworthy enough.  This is an inherent
> > design deficiency in OAuth.
>
> If that's the case, then *desktop* Twitter applications are not a
> viable business model. You *must* have a server, with the extra
> overhead that involves, and the extra cost that must be passed on to
> your customers, in order to protect yourself and Twitter from
> malicious users. Given the other limitations of the desktop
> application model, e.g., no production access to the Streaming API and
> no easy mobile deployment options, it's seriously looking like I am
> wasting my time developing desktop applications. Sigh ... off to do
> some more research ...
>
> --
> M. Edward (Ed) Borasky
> http://borasky-research.net/smart-at-znmeb
>
> "A mathematician is a device for turning coffee into theorems." ~ Paul
> Erdős
>


Re: [twitter-dev] Re: Using OAuth keys in an open source application

2010-01-18 Thread ryan alford
"Just the consumer key, or both the consumer key and consumer secret?"

both are needed when doing OAuth.

Ryan


On Mon, Jan 18, 2010 at 2:52 PM, M. Edward (Ed) Borasky wrote:

> On Jan 18, 11:32 am, John Meyer  wrote:
> > On 1/18/2010 12:22 PM, ryan alford wrote:
> >
> > > There is a difference between giving your application to others to
> > > install and use, and others downloading your code for their own
> > > applications.
> >
> > > If a user is installing your application to use, then your code would
> > > include your consumer key.
>
> Just the consumer key, or both the consumer key and consumer secret?
>
> >
> > > If a user is downloading your open source code to use for their own
> app,
> > > then they need to get their own consumer key to relate to their app.
> >
> > > Ryan
> >
> > An addendum.
> >
> > If you were seriously concerned about others grabbing those codes you
> > could specify that the app fetches those keys from an ftp server or some
> > sort of web service that you ran.  But I would guess that this would be
> > a bit more paranoid than what you are trying to prevent.
>
> The "paranoia" is directly from Twitter's "Security Best Practices"
> http://apiwiki.twitter.com/Security-Best-Practices:
>
> "Don't store passwords. Just store OAuth tokens. Please."
>
> "As aforementioned, for optimal security you should be using OAuth.
> But once you have a token with which to make requests on behalf of a
> user, where do you put it? Ideally, in an encrypted store managed by
> your operating system. On Mac OS X, this would be the Keychain. In the
> GNOME desktop environment, there's the Keyring. In the KDE desktop
> environment, there's KWallet."
>
> As an aside, 90% of the desktops/laptops out there run Windows. I'd
> hope that the Security Best Practices document would include a little
> more on dealing with Windows desktops than a link to the MSDN Security
> Developer Center. ;-)
>
> I think the FTP server idea is a good one - it gives me a log file of
> everyone who's obtained the consumer key and secret for Ed's Wonderful
> Desktop App, so when someone fires up a debugger, runs my app, grabs
> all the authentication codes and uses them to do a DOS attack on
> Twitter and gets my app blacklisted, I'll have a list of people for my
> attorney to call and depose. ;-)
>
> --
> M. Edward (Ed) Borasky
> http://borasky-research.net/smart-at-znmeb
>
> "A mathematician is a device for turning coffee into theorems." ~ Paul
> Erdős
>


Re: [twitter-dev] Re: Using OAuth keys in an open source application

2010-01-18 Thread ryan alford
Agreed.

The reason you don't want to give out YOUR consumer key and consumer secret
in your open-source code is because somebody could download your code, make
malicious changes to make it do something bad, and now their app looks
exactly like yours to Twitter since the consumer keys are the same.  So when
that app starts causing problems for users, it's YOU that they start
contacting.

Ryan

On Mon, Jan 18, 2010 at 2:32 PM, John Meyer  wrote:

> On 1/18/2010 12:22 PM, ryan alford wrote:
>
>> There is a difference between giving your application to others to
>> install and use, and others downloading your code for their own
>> applications.
>>
>> If a user is installing your application to use, then your code would
>> include your consumer key.
>>
>> If a user is downloading your open source code to use for their own app,
>> then they need to get their own consumer key to relate to their app.
>>
>> Ryan
>>
>>
>
> An addendum.
>
> If you were seriously concerned about others grabbing those codes you could
> specify that the app fetches those keys from an ftp server or some sort of
> web service that you ran.  But I would guess that this would be a bit more
> paranoid than what you are trying to prevent.
>


Re: [twitter-dev] Re: Using OAuth keys in an open source application

2010-01-18 Thread ryan alford
There is a difference between giving your application to others to install
and use, and others downloading your code for their own applications.

If a user is installing your application to use, then your code would
include your consumer key.

If a user is downloading your open source code to use for their own app,
then they need to get their own consumer key to relate to their app.

Ryan

Sent from my DROID

On Jan 18, 2010 2:18 PM, "M. Edward (Ed) Borasky"  wrote:

OK ... let me make *sure* I understand this. Is this the "best
practice?":

1. I write a desktop application. Whether it's closed or open source
is irrelevant. I advertise this application for sale, saying, "It runs
on Windows, Macintosh and Linux desktops (KDE, Gnome, XFCE, let's
say), it does all these wonderful things, *and* it's oAuth-secure!"

2. I *sell* Bob a copy of my application. It contains code but *no*
oAuth tokens of any kind.

3. Bob installs the application. Bob starts up the application.

4. The application starts up the browser and points it to
http://twitter.com/apps/new, and directs Bob to do the following:
   4.a. Log in to Twitter.
   4.b. Fill in the form. I tried this with a dummy application, and
the Application Name must be *unique*. So what does Bob put in this
field? "Bob's copy of Ed's wonderful application?"
   4.c. Now Bob has a consumer key and consumer secret, unique to
*his* copy of the application, *not* generic to the application.

5. The application instructs him to enter the freshly-minted consumer
key and secret via copy and paste into a dialog box, checks them for
validity against the Twitter oAuth servers, and then stores them
someplace that an attacker can't find them. This is, of course,
platform dependent - the application needs special code for Windows,
Mac, and at least two Linux desktops. See
http://apiwiki.twitter.com/Security-Best-Practices
for the application's responsibilities in this area.

6. OK, now Bob has "registered the application with Twitter". He
actually wants to use it now. The application starts up, picks up the
stored consumer key and secret, starts up the browser again, and goes
to the PIN-generation site. If Bob hasn't logged in to Twitter yet,
that site will ask him to do so. Bob gets his PIN and copies it into a
dialog box. The application does its thing, and Bob tweets about how
wonderful it is that he can do all this stuff with Ed's wonderful
application. I sell 3,000 copies of it, hire a support engineer, and
make the front page of Mashable! ;-) But there's two ways I can go
with this:
  6.a. Grant Bob indefinite permission by getting the PIN once and
storing the resulting tokens on his machine, again "someplace that an
attacker can't find them."
  6.b. Require Bob to get a new PIN each time he uses the
application.

What's the "best practice" here? Personally, I'm leaning towards a new
PIN each time as long as it isn't an impact to Twitter servers,
because it exposes one less place for an attack.

--
M. Edward (Ed) Borasky
http://borasky-research.net/smart-at-znmeb

"A mathematician is a device for turning coffee into theorems." ~ Paul
Erdős


Re: [twitter-dev] Using OAuth keys in an open source application

2010-01-18 Thread ryan alford
You are reading it correctly.

You do not want to give out your Consumer Key or Consumer Secret.  If
somebody downloads the source of your application, they are most likely
going to be using it in their own application.  Therefore, they need their
own Consumer Key and Consumer Secret.

Ryan

On Mon, Jan 18, 2010 at 12:56 PM, Isaiah  wrote:

>
> So you're saying that each individual end-user of the open source app would
> register with Twitter for separate Twitter Application credentials, add
> those credentials to the app, and then recompile the application?
>
> Or did I read that incorrectly?
>
> Isaiah
>
> YourHead Software
> supp...@yourhead.com
> http://www.yourhead.com
>
>
>
> On Jan 18, 2010, at 9:46 AM, Raffi Krikorian wrote:
>
> that's precisely what i would do - author your code to read from a
> configuration file that contains the keys.  don't distribute that
> configuration file, but, instead, distribute a README or an example
> configuration file that the end user would fill in.
>
> On Mon, Jan 18, 2010 at 9:43 AM, John Meyer wrote:
>
>> On 1/18/2010 1:19 AM, Ryan McCue wrote:
>>
>>> Hey guys,
>>>
>>> I'm looking to integrate Twitter posting into an application I'm
>>> developing. The catch to this is that because it's open source, and
>>> programmed in PHP, I'd have to distribute the secret key with it.
>>>
>>> What's the best way to go about this? I've fallen back onto the
>>> ordinary basic auth API for now.
>>>
>>> Thanks,
>>> Ryan.
>>>
>>
>>
>> Technically, you don't.  All opensource requires is that you distribute
>> the source code, not the individual data.  So you could specify that the
>> secret key is in a particular file and then other users could insert their
>> own secret key.
>>
>>
>
>
> --
> Raffi Krikorian
> Twitter Platform Team
> http://twitter.com/raffi
>
>
>
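The config-file approach suggested in this thread, as an added example (not code from the thread or from any project mentioned in it): a loader that reads the consumer key and secret from a local file kept out of the distribution, and refuses a file that still holds the template placeholders or is readable by other accounts. The file name, section name, placeholder strings and function names are assumptions made for the illustration.

```python
import configparser
import os
import stat

# Hypothetical placeholder values shipped in the example file.
PLACEHOLDERS = {"", "YOUR_CONSUMER_KEY", "YOUR_CONSUMER_SECRET"}

EXAMPLE_CONFIG = """\
# Copy to twitter.ini, fill in the values from your own app registration,
# and keep the real file out of version control and out of release archives.
[twitter]
consumer_key = YOUR_CONSUMER_KEY
consumer_secret = YOUR_CONSUMER_SECRET
"""


class CredentialError(Exception):
    """Raised when the local credentials file is missing or unsafe to use."""


def write_example_config(path):
    """Write the template that is distributed instead of real keys."""
    with open(path, "w", encoding="utf-8") as handle:
        handle.write(EXAMPLE_CONFIG)


def load_consumer_credentials(path):
    """Return (consumer_key, consumer_secret) from a private config file."""
    if not os.path.isfile(path):
        raise CredentialError(f"{path} not found; copy the example file and fill it in")

    # On POSIX systems, refuse a file that group or other users can access.
    if os.name == "posix":
        mode = stat.S_IMODE(os.stat(path).st_mode)
        if mode & (stat.S_IRWXG | stat.S_IRWXO):
            raise CredentialError(f"{path} has mode {mode:o}; restrict it to 600")

    # interpolation=None so a '%' inside a secret is read literally.
    parser = configparser.ConfigParser(interpolation=None)
    parser.read(path, encoding="utf-8")
    try:
        key = parser["twitter"]["consumer_key"].strip()
        secret = parser["twitter"]["consumer_secret"].strip()
    except KeyError as missing:
        raise CredentialError(f"{path} is missing {missing}") from None

    if key in PLACEHOLDERS or secret in PLACEHOLDERS:
        raise CredentialError(f"{path} still contains the example placeholders")
    return key, secret
```
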


Re: [twitter-dev] Re: OAuth best practice

2010-01-18 Thread ryan alford
Native mobile apps (native Android, native iPhone, etc., meaning they run on
the device itself and NOT in the browser) are considered Desktop apps.

Yes, the mobile UX is one of the biggest issues with Twitter's OAuth
implementation.

Ryan

On Mon, Jan 18, 2010 at 11:35 AM, Jeff Enderwick
wrote:

> Is a mobile app more like a desktop app or a web app? The PIN in the
> 'desktop' flow handles this in the 'non-desktop' flow:
>
> Once Jane approves the request, Faji marks the Request Token as
> User-authorized by Jane. Jane’s browser is redirected back to Beppa, to the
> URL previously provided http://beppa.com/order together with the Request
> Token. This allows Beppa to know it can now continue to fetch Jane’s photos.
>
> With desktop (and possibly unanticipated) mobile apps, there isn't that
> redirect back. I'm all for whatever makes the best UX for oauth+mobile.
>
> On Mon, Jan 18, 2010 at 6:20 AM, ryan alford wrote:
>
>> You are correct.  The PIN handshaking is only for "Desktop Apps".
>>
>> Ryan
>>
>>
>> On Mon, Jan 18, 2010 at 9:12 AM, eco_bach  wrote:
>>
>>> Jeff, I might be wrong, as there seems to be some confusion on this,
>>> but I believe the extra PIN handshaking is ONLY required for what
>>> Twitter defines as 'Desktop Apps'.
>>> See the response to my questions here
>>> http://bit.ly/5xbydH
>>>
>>> As a newcomer to OAuth and the Twitter API I'm currently muddling thru
>>> the whole proxy requirements (I'm using actionscript)
>>>
>>
>>
>


Re: [twitter-dev] Re: Basic Auth Deprecation in June

2010-01-18 Thread ryan alford
Yes, it's official.  The deprecation of Basic Auth will "start" in June.

Ryan

On Mon, Jan 18, 2010 at 10:57 AM, Hwee-Boon Yar  wrote:

> Thanks. Hope it's not official. I don't remember reading anything like
> that on the 2 lists.
>
> --
> Hwee-Boon
>
> On Jan 18, 7:01 pm, Rich  wrote:
> > Ryan Sarver said it last year http://twitter.com/Scobleizer/status/6493268213
> >
> > On Jan 17, 4:46 am, Hwee-Boon Yar  wrote:
> >
> >
> >
> > > On Jan 14, 8:30 am, twittme_mobi  wrote:
> >
> > > > Hello ,
> >
> > > > Regarding Basic Auth Deprecation in June
> >
> > > Any where this is announced?
> >
> > > --
> > > Hwee-Boon
>


Re: [twitter-dev] Re: OAuth best practice

2010-01-18 Thread ryan alford
You are correct.  The PIN handshaking is only for "Desktop Apps".

Ryan

On Mon, Jan 18, 2010 at 9:12 AM, eco_bach  wrote:

> Jeff, I might be wrong, as there seems to be some confusion on this,
> but I believe the extra PIN handshaking is ONLY required for what
> Twitter defines as 'Desktop Apps'.
> See the response to my questions here
> http://bit.ly/5xbydH
>
> As a newcomer to OAuth and the Twitter API I'm currently muddling thru
> the whole proxy requirements (I'm using actionscript)
>


Re: [twitter-dev] Sign in with Twitter, PIN authentication and Desktop Clients

2010-01-17 Thread ryan alford
1. Desktop applications are those that are installed or run from a
PC/Mac/Linux or on a mobile device.  They are outside of the browser.

2. One is used for web applications, the other is for desktop applications.

3.  You are correct.  PIN workflow is only for desktop applications.

Ryan

Sent from my DROID

On Jan 17, 2010 5:00 PM, "eco_bach"  wrote:

Hi
Building an AS3 based  web application using OAuth.
So far I've coded a demo that successfully obtains a request token,
redirects the user to the oauth url, and, on successful login
redirects the user back to the previously supplied consumer-
application URL.
However somewhat confused by several things.

1)Definition of Desktop Clients
http://apiwiki.twitter.com/Authentication
Is a desktop client any web based application? or does it specifically
refer to any application OUTSIDE of the browser (ie AIR based)?

2) SignIn with Twitter
Can someone explain the difference between 'oauth/authorize' and
'oauth/authenticate' urls?
What is meant by 'normal flow' (2nd paragraph) here
http://apiwiki.twitter.com/Sign-in-with-Twitter

3) PIN handshake
My assumption is that the extra PIN handshake is ONLY necessary for
what I understand to be desktop clients (ie #1 above)
So 'Sign in with Twitter' for a web-based application shouldn't
require the extra PIN handshake.
Am I correct?

Thanks for any feedback on the above!


Re: [twitter-dev] authenticity_token same as access token?

2010-01-17 Thread ryan alford
Trying to screen_scrape?

I don't believe they are the same.

Ryan

Sent from my DROID

On Jan 17, 2010 5:20 PM, "eco_bach"  wrote:

Hi
Can someone confirm or deny whether the authenticity_token returned is
the same as 'access_token' referred to in the documentation?

Thanks in advance!


Re: [twitter-dev] Re: Failed to validate oauth signature and token

2010-01-17 Thread ryan alford
Yeah, the Nonce needs to be a unique value.  If your language can create
GUIDs, that might be the best option.

Ryan

On Sat, Jan 16, 2010 at 11:11 PM, eco_bach  wrote:

> solved, apparently my oauth_nonce value was incorrect, I assumed it
> was simply a random string and I didn't use the mx.utils.UIDUtil class
> to generate.
> I'll try also switching the order so the signature is at the end.
>


Re: [twitter-dev] List of Common Error messages and possible causes, ie 'Failed to validate oauth signature and token'.

2010-01-16 Thread ryan alford
Going by your other email, your query string parameters are not in the
correct order.  This is a very important part of OAuth.

Ryan

Sent from my DROID

On Jan 16, 2010 9:48 PM, "eco_bach"  wrote:

Hi
I've read the FAQ, and all the documentation.
Am attempting to get an AS3 client working using OAuth.


I am getting the following error message

'Failed to validate oauth signature and token'.
tried resetting my consumer key, secret, and also checked my system
clock which seems fine.

After a quick search this seems to be a VERY common error message with
many possible causes. Is there a list somewhere of common error
messages such as this with probable causes?


Re: [twitter-dev] Failed to validate oauth signature and token

2010-01-16 Thread ryan alford
The signature needs to be the very last parameter.  You put all of the
parameters in order except for the signature.  Then you create the signature
and append it to the end of the query string.

Ryan

Sent from my DROID

On Jan 16, 2010 9:48 PM, "eco_bach"  wrote:

Ok
Yes this IS a common error message. I've read most of the posts, the
entire OAuth beginner's documentation, registered my application,
checked for capitalization , checked my system clock.
So far, no luck
As a base library I am using  Sönke Rohde's open source Twitter
library
http://github.com/srohde/Twitter,

though might switch to Tweetr and see if I make better progress.

This is my header

GET /oauth/request_token?oauth_consumer_key=C4eEz9MqGy28wuCj8hJC4w&oauth_nonce=0020a00%2001&oauth_signature=gX9Uk20RF70D6sxljfvcIK4szr4%3D&oauth_signature_method=HMAC-SHA1&oauth_timestamp=1263675366 HTTP/1.1

Also , I am testing from the desktop at the moment so needing a proxy
for security sandbox issues isn't a problem.
Can anyone help with troubleshooting?


Re: [twitter-dev] Re: Reinstate 'from app' for Basic Auth desktop apps until OAuth is fixed

2010-01-13 Thread ryan alford
I agree.  I believe OAuth for mobile and the delegation between apps are the
biggest concerns that need to be addressed before the deprecation of basic
oauth in June.  Both of these have been beaten to a pulp.  However, these
issues certainly do not push OAuth into an unstable beta state that couldn't
be used in production apps.

Ryan

Sent from my DROID

On Jan 13, 2010 5:46 PM, "Tim Haines"  wrote:



On Thu, Jan 14, 2010 at 10:52 AM, ryan alford 
wrote: > > I've been using O...
I've found it just as stable as the rest of the API.  It's not perfect, but
is generally pretty good.  My main concern is that I'd like the mobile pages
to be formatted for mobile devices.

Oh - and the ability to delegate between apps.  Sooo looking forward to
that.

Tim.


Re: [twitter-dev] Re: Reinstate 'from app' for Basic Auth desktop apps until OAuth is fixed

2010-01-13 Thread ryan alford
I've been using OAuth for more than 3 months now, about 8 hours a day during
the week while at work, using my own library and my own twitter client.
I've never had an issue with stability.  Now the desktop implementation is
crappy (been posted about 50 billion times), but other than that, I've never
run into issues with OAuth.

Now I don't use search or streaming, though I don't even know if those use
OAuth.

Is there a specific stability issue?

Ryan

On Wed, Jan 13, 2010 at 4:32 PM, Dewald Pretorius  wrote:

> Raffi,
>
> As I have noted before, the reliability of OAuth is an actual concern.
> Also the availability of that easy one-time migration method (getting
> the OAuth stuff when you have the username and password).
>
> Twitter OAuth is still in beta. Ryan said that migration to OAuth will
> become mandatory this year. That cannot be done until you move Twitter
> OAuth into stable production mode. If you do not have the necessary
> confidence in your OAuth implementation to do that, then you cannot
> force anyone to use it.
>
> On Jan 12, 3:01 am, Raffi Krikorian  wrote:
> > > As it stands, developers who have relatively new desktop apps are
> > > penalized by having updates from their app say 'from web'. Older Basic
> > > Auth desktop clients continue to enjoy a link back to the client web
> > > site with a 'from app' link.
> >
> > ...
> >
> > > I understand Twitter is trying to force people to use OAuth, but that
> > > won't happen in a meaningful way until OAuth is reliable, has a truly
> > > usable workflow (PIN method isn't it), and can work well with other
> > > services (Twitpic, yfrog, etc). We aren't there yet.
> >
> > i'm trying to gather use cases around OAuth to help it make sense for more
> > people to use it -- as it stands, we are not going to allow the source
> > parameter to be set in new applications unless they come from OAuth.  so,
> > please help me out!
> >
> > is the reliability of OAuth an actual concern?  do you have a suggestion as
> > to what you would like to see other than the PIN workflow?  additionally,
> > we're actively working on a "delegation" method for integration with other
> > services.
> >
> > --
> > Raffi Krikorian
> > Twitter Platform Team http://twitter.com/raffi
>


Re: [twitter-dev] question about PIN code

2010-01-12 Thread ryan alford
When you direct the user to oauth/authorize, the user will be presented with
an "Allow"/"Deny" page from Twitter.  If they "Allow", they then will be
given a PIN on the screen.  The user will need to give this PIN to you.

Ryan

On Tue, Jan 12, 2010 at 7:59 PM, dduby  wrote:

> Hi,
> I am trying to make a mobile app for Android.
> For authentication, I followed this procedure.
> I got the consumer key and secret key; the problem is, I don't know how to
> generate the PIN code.
> Is there any web site?
> Please answer my question.
>
> 1. The application uses oauth/request_token to obtain a request token
>    from twitter.com.
> 2. The application directs the user to oauth/authorize on twitter.com.
> 3. After obtaining approval from the user, a prompt on twitter.com will
>    display a 7 digit PIN.
> 4. The user is instructed to copy this PIN and return to the application.
> 5. The application will prompt the user to enter the PIN from step 4.
> 6. The application uses the PIN as the value for the oauth_verifier
>    parameter in a call to oauth/access_token which will verify the PIN
>    and exchange a request_token for an access_token.
> 7. Twitter will return an access_token for the application to generate
>    subsequent OAuth signatures.
>


Re: [twitter-dev] Re: Please Help

2010-01-06 Thread ryan alford
You don't have the parameters in the proper order.  The signature goes
last.  The rest of the parameters must be in order.  Put the parameters in
order, create the signature, then append the signature to the end of the
query string.

Ryan

Sent from my DROID

On Jan 6, 2010 2:05 AM, "Vikram"  wrote:


This my query string

"https://twitter.com/oauth/request_token?oauth_signature=dIjtVqiRK%2BnWo5UYRSSs6WWwKII%3D&oauth_callback=oob&oauth_consumer_key=gUutCG9HjEOT0N8IxvW9w&oauth_nonce=hO3CY2tN7OblsYdp0sOoThPRGEMypcWdM1PM&oauth_signature_method=HMAC-SHA1&oauth_timestamp=1262716897&oauth_version=1.0a"


Re: [twitter-dev] Please Help

2010-01-05 Thread ryan alford
Post your query string.  Don't necessarily need to see the code yet, just
need to see the URL that you are requesting.

The error means that your signature is incorrect.

Ryan

On Tue, Jan 5, 2010 at 2:06 PM, Vikram  wrote:

> When I try to get the OAuth Request token I get "Failed to validate
> oauth signature and token" error message from twitter.
>
> What can be the possible reason?
>
> If required I can share my entire code with you people.
>


Re: [twitter-dev] Re: Skipping the PIN based workflow for Desktop clients using OAuth

2010-01-04 Thread ryan alford
There is really no need to tell the user you are storing them because it
contains no information about them.  The OAuth also tells the user what
privileges they are authorizing your app to have.

And normally, users don't care what happens behind the scenes as long as it
works.

Sent from my DROID

On Jan 4, 2010 1:55 AM, "M. Edward (Ed) Borasky"  wrote:

On Jan 3, 7:39 am, ryan alford  wrote:

> In the Desktop workflow, you don't have to enter the PIN every time.  The
> user is NOT required t...
Yes ... but you should inform the user that you are storing these
tokens on their behalf, and you should inform the user what privileges
they have granted your application. In my case, it's not a big
inconvenience for the user to go through the oAuth process every time
the app runs, so I don't do it. And I think there are some things that
aren't obvious about security and privacy when you just point your
browser to the "allow/deny" decision page. My users tend not to
believe in "magic" and tend to want to know what can possibly go
wrong. ;-)

I'm in the process of writing my own wrapper text for the oAuth
process. Once that's done, I'll add the code to save the tokens.


Re: [twitter-dev] Removing Registered Application

2010-01-03 Thread ryan alford
You can revoke access from the Connections tab in the Settings on the web
site.

Ryan

Sent from my DROID

On Jan 3, 2010 7:56 PM, "Greg"  wrote:

Is it possible to remove a application that you registered? Like
delete it from your list?


Re: [twitter-dev] Re: Skipping the PIN based workflow for Desktop clients using OAuth

2010-01-03 Thread ryan alford
In the Desktop workflow, you don't have to enter the PIN every time.  The
user is NOT required to authorize your application every time they want to
use it.  After the first authorization, YOU store the access token and
access token secret either in a database, file, or some other type of
storage mechanism.  You use those stored values until they expire(which
could be never).

Ryan

On Sun, Jan 3, 2010 at 9:44 AM, Vikram  wrote:

>
> @Duane Roelands I am working on desktop app,but the fact that I need a
> PIN for trading my request tokens for OAuth Access tokens made me look
> at PHP route. My idea was to use PHP get the access tokens and then
> use them in my desktop app. The rationale behind this was that I
> didn't want user to be entering PIN every time. With PHP I could use
> the callback URL for automatically getting the access tokens.
>
> @srikanth reddy Srikanth how can I make the PIN entering a one time
> process. If I save the access tokens will I be able to use them in the
> next instance of my App??
>


Re: [twitter-dev] Re: Request without oauth

2009-12-10 Thread ryan alford
Twitter is going to be making changes to OAuth to where the user can give
you their credentials, and you can use those to get an Access Token.  This
is an option to bypass the "PIN" workflow.


On Thu, Dec 10, 2009 at 10:03 AM, Fauzil Hamdi  wrote:

> somebody please
>
> 2009/12/10 Fauzil Hamdi 
>
>>
>> can i request my mobile application without oauth ?
>>
>> my users run away because oauth is not friendly with mobile.
>>
>
>


Re: [twitter-dev] Re: A New API For Browserless Apps?

2009-12-10 Thread ryan alford
I was thinking the same.


On Thu, Dec 10, 2009 at 9:33 AM, John Meyer  wrote:

> On 12/10/2009 6:22 AM, Raffi Krikorian wrote:
>
>> we're not making any fundamental changes to oauth - your apps should
>> continue to work fine.
>>
>> the changes that we are making involve implementing
>>
>> http://tools.ietf.org/html/draft-dehora-farrell-oauth-accesstoken-creds-00#section-4
>> .
>>  this will allow applications to obtain oauth tokens for a user given
>> the user's username / password.
>>
>>
>>
>
>
> okay, forgive me if I'm wrong, but wasn't the whole point of oAuth that the
> application didn't need to know the username/password?  That the user would
> grant access to the application and then the application would store that
> rather than the actual username/password.  Or am I missing the point of
> going to an oAuth system?
>


Re: [twitter-dev] Re: What Is The Status of Twitter OAuth?

2009-12-01 Thread ryan alford
I never knew that asking questions would be considered "whining".

Twitter has never officially stated that OAuth is in "production" like they
announce other features (like Lists).  Now they seem to be telling
developers to start moving to OAuth.

You state to "don't" use it.  It doesn't look like we will have much of a
choice soon.  Twitter is recommending third-parties move to OAuth.  Looks
like it won't be long before basic auth is deprecated.


On Tue, Dec 1, 2009 at 10:17 AM, Duane Roelands wrote:

> Use it or don't, and own your decision.  It works.  It's stable.  It's
> more secure than Basic Auth.  It's what Twitter wants you to use.
> What's the problem here?
>
> So tired of OAuth whining.
>
> > If Twitter OAuth is stable enough for Twitter to recommend that that
> > all third-party applications connect through OAuth connection, then
> > move it out of beta and into production mode, and announce it as such.
> > If not, then don't make that recommendation.
>


Re: [twitter-dev] What Is The Status of Twitter OAuth?

2009-11-30 Thread ryan alford
He's not referring to OAuth the specification.  He is referring to Twitter's
implementation of it.

Ryan

On Mon, Nov 30, 2009 at 1:54 PM, Chris Babcock wrote:

> On Mon, 30 Nov 2009 10:27:24 -0800 (PST)
> Dewald Pretorius  wrote:
>
> > Last information I've seen said that Twitter OAuth is in public beta,
> > if I remember correctly.
> >
> > Has that status changed, as in, has OAuth been moved out of beta and
> > into production?
>
> This doesn't look beta to me:
> http://oauth.net/core/1.0a
>
> A is a revision code, not alpha.
>
> Chris
>
>


Re: [twitter-dev] oauth Process flow and status Part 1

2009-11-24 Thread ryan alford
The signature has to go last.  That's one mistake that most people make.
You are supposed to put the parameters in order EXCEPT the signature
parameter.  The signature parameter is created by using the other
parameters, then it's appended to the end of the query string.

The OAuth signature is generated.

I made a blog post where I tried to explain it a little better than the
documentation does.  It's for .Net for the desktop, but the process is the
same for any language, and only slightly different for web applications.

http://eclipsed4utoo.com/blog/net-twitter-desktop-oauth-authentication/


On Tue, Nov 24, 2009 at 3:12 PM, abruton  wrote:

> Hi All
>
> I am trying to get my head around the Twitter oauth flow.
>
> The twitter documentation links to oauth.net for parameters, but these
> are general and not well documented.
>
> Is the first step to use http://twitter.com/oauth/request_token ?
>
> 1. I created the following URL:
>
> http://twitter.com/oauth/request_token?oauth_consumer_key=3Uu...1HA&oauth_signature=Diz...cnI&oauth_timestamp=1259100056&oauth_nonce=120092402256OY2H6DC7VT053U3HI69HA861&oauth_version=1.0
>
> When I put this in a browser to test it, I get the following error:
>
> Failed to validate oauth signature and token
>
> 1. What is wrong with the string?
>   - Is the oauth_signature just your Consumer secret string?
>   - Do I have to use oauth_signature_method and what method do I use.
> If it is sha1, what string do I hash? The whole URL?
>
> Do I POST the data to http://twitter.com/oauth/request_token or GET or
> what?
>
> Best regards
>
> Andre F Bruton
>


Re: [twitter-dev] Authentication (user/pass )after Oauth authentication.....:S

2009-11-23 Thread ryan alford
After you get the pin, what URL do you go to?

On Nov 23, 2009 7:50 AM, "dmsiva"  wrote:

hello. I make well oauth authentication. I put the pin, and I get the
access_token, etc.. but when I request a 'get' the browser asks me
another authentication (username, password). what can I be doing
wrong? After the access tokens, what should I send in the next
request?

best regards,


Re: [twitter-dev] Get screen name with OAuth

2009-11-20 Thread ryan alford
In the query string of the returned response, there is a field called
"screen_name".  That will contain the screen name of the user that
authorized the application.

So when you get "oauth_token" and "oauth_token_secret" from the response,
get "screen_name" also.

Ryan

On Fri, Nov 20, 2009 at 10:51 AM, Raffi Krikorian  wrote:

>
> http://apiwiki.twitter.com/Twitter-REST-API-Method%3A-account%C2%A0verify_credentials
>
>
>  I guess this is a simple call to the API but I am not able to find the
>> right answer, and the twitter gem I am using doesn't seem to provide
>> that functionality, so what I want to know if is there a way I can get
>> the screen_name or Id of an authenticated user via oauth using the
>> access token and secret?
>>
>>
> --
> Raffi Krikorian
> Twitter Platform Team
> ra...@twitter.com | @raffi
>
>
>
>
>

