I am building a REST API.
For registering a user, he needs to authenticate on Twitter.
Normally, I would use an Authorization code provided by an OAuth2 server but it seems like Twitter does not implement this type of authorization.
I don't want my mobile app to send the Twitter token to the API to register the user. I see this as a security flaw.
I checked OAuth echo (https://dev.twitter.com/oauth/echo) which seems okay. The user passes the credentials to my API, and my API checks the user against the twitter API. Twitter then returns a user object. It does not return a access token though.
Is it the only way to do this?
Thanks for your help.
Yes you are correct. Using OAuth Echo will use you as the third party for that individual without exposing your Access token/key and Credentials.
Just be aware that you're under a different rate limit from Twitter's API when you're going through that route. In some cases it's an increase in limit while it's a decrease in other.
Related
I am making a widget for my iPhone to fetch data about my Instagram followers. I won't be putting it on the App Store, and I won't be fetching any other users' data.
Can I do this? I have tried to figure out what to do but I think I have to register my website, even though I'm not making a website and this won't be shared with anyone else.
As stated in Instagram Developer Documentation, you will have to register your application before using the API.
1. Register
We'll assign an OAuth client_id and client_secret for each of your
applications.
2. Authenticate
Ask users to authenticate and authorize your application with
Instagram.
3. Start making requests!
Make requests to our API Endpoints with the users' OAuth credentials.
The takeaway here is that you'll need the OAuth credentials to access the API.
Which URL I should user for authentication user in the Twitter?
For example, in the Instagram token for user can be received when user click on the following link
https://api.instagram.com/oauth/authorize/?client_id=XXX&redirect_uri=XXX&response_type=XXX
After this its return token and I can work with user profile.
How to build such link for twitter?
Twitter API has several ways to authorize and it depends on what you want to do for determining which approach to take.
The OAuth2 approach that instagram takes is called application-only in Twitter API. The thing about application-only is that you can only use it on endpoints that aren't associated with a user. e.g. it's great for search, but doesn't work well for tweeting (which is something a user would do).
A couple other approaches are Single User Authorization, which is good if your app only needs one set of credentials. e.g. a server app. Another is Pin Authorization which is a work-around for devices that can't manage Web callbacks. These use OAuth 1.0A.
There are a few other OAuth options, but this was just to give you an idea about the available choices and the need to think about what you want to accomplish and match that with what the Twitter API offers. Here's the Twitter docs for more info:
Authentication and Authorization
I have an application that needs to display number of followers and following (users/show.json) for a random user on a public page (authentication is not required).
With the Twitter API 1.0 it was quite easy as authentication is not needed for the request. With the new Twitter API 1.1 is no more possible, so I need to authenticate the request (via OAuth).
Is it possible only "authenticate" the application and not the user too?
I mean: can I avoid to ask user to login and only authenticate with application key/secret? Or everytime I need to create a token with user credentials too, creating callback, etc.?
Yes, it is possible! If your application doesn't need to do things like post statuses or send direct messages on behalf of a user, you should be able to retrieve all of a user's public information with a single hardcoded set of Twitter OAuth credentials, and not require the user to authenticate.
Login to Twitter and go to the developer dashboard at https://dev.twitter.com/apps
Register a new application; after the application is registered, view the application details. You'll see an "OAuth Tool" tab, where you'll find all the relevant OAuth values for that application: Consumer Key, Consumer Secret, Access Token, and Access Token Secret.
Using these credentials, you'll be able to make requests to the new Twitter API.
If you're not comfortable using the Twitter API directly, there are a number of good API wrappers out there for various languages -- among others, the Temboo SDK, which will give you code snippets for calling various methods (and also gives you a place to securely store your Twitter credentials, so you don't need to bake them into your application).
Take a look at:
UserTimeline
GetFollowersByID
(Full disclosure: I work at Temboo.)
The easiest way to do what you're asking is to use Twitter API 1.1's 'application-only authentication' feature, which works for much of the API. See Application-only authentication. You can see a Python example of it in get_bearer_token.py.
Once you have a bearer token, you only need to include that in your request authorization header - signing is not necessary.
I'm gonna try to explain my problem :
I'd like to allow users to connect to my api via their own accounts (login/password) or via a social network (Facebook at first).
Then, I would allow any application to use my api, with the user authenticated.
My first thought when to auth the user via his/her login/password and return a token used as the session for the next requests.
But OAuth would seems to be the better implementations, except I don't know how to do this :
One of my applications will have to connect via login/password, like twitter web (I have to implement an login/password auth somewhere if I wan't my user to login :p)
Will I also have to register my applications to the oauth system (did twitter added their web app to their oauth ?)
How to merge the auth via others social networks. Concretely, the user will have to OAuth to my api that will auth to the social network.
I'm a bit lost on how to do this, if someone could help me, I would really appreciate !
Thanks
Update 1:
Flickr and Lastfm seems to not use OAuth but an alternative auth system that looks like this :
The user is redirected to Flickr/Lastfm
The user auth himself and accept to use the application
Flickr/Lastfm return to the Callback url with a temporary frob (for flickr) or token (for lastfm)
The app must call the provider with the temporary frob/token (among with the api_key and the api_sig, as always) and get in return the session token to use for the next calls.
Update 2:
In fact, StackApps is the concrete case of my problem : you can login through their login/password system OR openId, and you can use their API.
OAuth is only needed to make others use your API on other services, i.e. authorize services to use your API without users of the intermediary service explicitly having to log in into your service by giving user's login credentials to a third party.
What I think you need is OpenID, the cross-application authentication mechanism. You just need to implement an OpenID client, accepting third-party OpenIDs to authenticate users, to subsequently identify them, when they use your service's API. This would have to be supplemented with a normal 'local' user authentication mechanism (i.e. login/password entry page)
You will need OAuth to provide an ability to use your API on other sites, though.
I just implemented sign in with twitter for my webapp. At the end of the OAuth 3-legged flow, I needed to retrieve the screenname & avatar pic for the user. All I had was the twitterid e.g. 3546735
So I performed a GET http://twitter.com/users/show/3546735.json
No security is required for this method, although it is rate-limited.
Recently I've read about another api method called verify credentials
Why should I call this compared to the simple GET above ?
One use of account/verify_credentials for OAuth is it gets the logged in users profile information without affecting the rate limit.
Update: verify_credentials now counts against the users rate limit.
It's of little use to you since you're already doing OAuth. It would provide the credentials in a single request, which can be easier to implement in some applications. Stick with OAuth if you've already done the work.
I believe the verify credentials approach is being phased out. OAuth seems to be the preferred approach.
I felt the need to reply to this and contribute since I've been working and have struggled with the twitter oauth api.
in short verify credentials returns the authenticating users' profile given their access token and token secret.
the reason for this is because in oauth 1.0a flow; after the user completes authentication, twitter sends an oauth_verifier token to you which is used to exchange request tokens for access and token secrets. At this point you do not know the user but have their credentials(access token and token secret). You can verify credentials to identify the owner of these tokens.