Twitter OAuth Authentication with TweetSharp
The Twitter API is something that you may have learned to love and hate over the last while, but as of August 16th, you may have to change the way you access it.
Basic Authentication is Going Away
Previously, the easiest way to authenticate a Twitter app was to ask for a user’s credentials and pass them directly to the Twitter API in the Authentication HTTP Header. This is, incidentally, how any site that uses basic authentication behaves. Your credentials are passed in a base64 encoded string in the header on EVERY request. Encoded – not encrypted. So if the site isn’t using SSL (and Twitter doesn’t) you could be exposing credentials to anyone who wants to sniff them.
Twitter has acknowledged this fact, and has provided an OAuth alternative based on an open and accepted standard of token-based authentication. Up until now, though, the OAuth standard has not been enforced, since it was more of a development hurdle for folks who just wanted to get their work out there and were willing to accept the risk of sniffed credentials.
The OAuth Authorization and Authentication Process
What do we mean by authorization versus authentication? Authorization is the process by which an end user of your Twitter app (if you haven’t created one of these yet, do it here) will allow it to access their account. This is done in a browser window, and the user, once they’ve clicked “Allow Access”, will be presented with a short PIN sequence which they will have to copy and paste or enter manually into your application. Given that PIN, your app will have the ability to create (and store) an OAuth Token and Secret that will allow your app access to that Twitter account until access is denied.
Every request you send to Twitter (either for new status updates or for queries) should have that token provided as a credential. This will mark any status updates with your application’s name and provide a link for other users to go to your application URL.
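To make the difference between the two schemes concrete, here is an added example (not from the original post and not TweetSharp code) that builds a Basic header and an OAuth 1.0 HMAC-SHA1 signature side by side. The class name, user name, password, keys, nonce and endpoint are all constructed placeholders; a library such as TweetSharp does the signing for you.

```csharp
using System;
using System.Collections.Generic;
using System.Linq;
using System.Security.Cryptography;
using System.Text;
static class AuthHeaderDemo
{
    // RFC 3986 percent-encoding as OAuth 1.0 requires: only A-Z a-z 0-9 - . _ ~ stay literal.
    static string Enc(string s)
    {
        const string unreserved = "ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789-._~";
        var sb = new StringBuilder();
        foreach (byte b in Encoding.UTF8.GetBytes(s))
            sb.Append(unreserved.IndexOf((char)b) >= 0 ? ((char)b).ToString() : "%" + b.ToString("X2"));
        return sb.ToString();
    }

    // Basic auth: the header is base64("user:password"), reversible by anyone who captures it.
    static string BasicHeader(string user, string password)
    {
        return "Basic " + Convert.ToBase64String(Encoding.UTF8.GetBytes(user + ":" + password));
    }

    // OAuth 1.0 HMAC-SHA1: the two secrets key the HMAC; only the resulting signature is sent.
    static string OAuthSignature(string method, string url, IDictionary<string, string> parameters,
                                 string consumerSecret, string tokenSecret)
    {
        string[] pairs = parameters.OrderBy(p => Enc(p.Key), StringComparer.Ordinal)
                                   .Select(p => Enc(p.Key) + "=" + Enc(p.Value)).ToArray();
        string baseString = method.ToUpperInvariant() + "&" + Enc(url) + "&" + Enc(string.Join("&", pairs));
        byte[] key = Encoding.ASCII.GetBytes(Enc(consumerSecret) + "&" + Enc(tokenSecret));
        using (var hmac = new HMACSHA1(key))
            return Convert.ToBase64String(hmac.ComputeHash(Encoding.ASCII.GetBytes(baseString)));
    }

    static void Main()
    {
        // Every value below is constructed for illustration; none is a real credential or endpoint.
        string basic = BasicHeader("alice", "correct-horse");
        string recovered = Encoding.UTF8.GetString(Convert.FromBase64String(basic.Substring(6)));
        Console.WriteLine(basic + "  -> decodes to " + recovered);
        var p = new Dictionary<string, string> {
            { "oauth_consumer_key", "example-consumer-key" }, { "oauth_token", "example-token" },
            { "oauth_signature_method", "HMAC-SHA1" }, { "oauth_timestamp", "1281916800" },
            { "oauth_nonce", "constructed-nonce-1" }, { "oauth_version", "1.0" }, { "status", "hello world" } };
        string sig = OAuthSignature("POST", "http://api.example.test/statuses/update", p,
                                    "example-consumer-secret", "example-token-secret");
        Console.WriteLine("oauth_signature=" + sig);
    }
}
```

The first line of output shows the password recovered from the Basic header with a single base64 decode; the second shows only a signature, from which neither secret can be read back.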
Here Is the Step-by-Step Process for Authorization
- Create a Twitter App
  - Keep track of your Consumer Key and Secret; you’ll need these
- Generate an unauthorized token
- Generate an authorization URL and direct your user’s browser to it
- Give your user the opportunity to enter the PIN into your app
- Generate the authorized token and secret
- Persist the token and secret
TweetSharp and other OAuth Libraries
In its own OAuth FAQ, Twitter mentions that you really shouldn’t tackle OAuth with raw HTTP requests (although you can if you want). The fact of the matter is that there are lots of different wrappers written for OAuth itself, which could in theory be used with any standard OAuth provider (Google and Yahoo also use OAuth), as well as provider-specific wrappers written to give you high-level access to the logical functions of the system you are accessing.
TweetSharp is a very nice .Net API for Twitter, but its authors have based it upon another library that they built, the more generic Hammock, which they are still actively developing. Apparently nobody has been helping them build TweetSharp, so they are leaving it for the community to work on from now on.
One of the things that TweetSharp makes super simple is the generation of the Tokens and Authorization URL that I outlined above.
First of all, download the TweetSharp API and add a reference in your app to the TweetSharp and TweetSharp.Twitter assemblies.
The following code snippets are all that you need after that:

    using TweetSharp.Model;
    using TweetSharp.Twitter.Extensions;
    using TweetSharp.Twitter.Fluent;
    using TweetSharp.Twitter.Model;
    using TweetSharp.Twitter.Service;

    // twitterConsumerKey and twitterConsumerSecret come from your Twitter app registration
    var service = new TwitterService();

    // generate the token and URL that we will need
    OAuthToken unauthorizedToken = service.GetRequestToken(twitterConsumerKey, twitterConsumerSecret);
    string url = service.GetAuthorizationUrl(unauthorizedToken);

    // TODO: get the PIN from the user and put it in the string variable pin

    // once you have the PIN from the user, build your authorized token
    OAuthToken authToken = service.GetAccessToken(twitterConsumerKey, twitterConsumerSecret, unauthorizedToken, pin);

    // store the authToken.Token and the authToken.TokenSecret

    // make an authenticated call with the stored token and secret
    // (syndicationService is the app's own object holding the persisted values)
    service.AuthenticateWith(twitterConsumerKey, twitterConsumerSecret, syndicationService.OAuthToken, syndicationService.OAuthTokenSecret);
    if (service.Error == null)
    {
        // value is the status text to post
        TwitterStatus status = service.SendTweet(value);
    }

TweetSharp also has some nice documentation on this process, covering a couple of different ways you can do it, here.
more later – joel