How Does TwittPic Works ?

46 views
Skip to first unread message

Feras Allaou

unread,
Feb 2, 2010, 10:04:35 AM2/2/10
to Twitter Development Talk
Dear Sirs,

I was trying to do oAuth to use Twitter API but I was surprised that
TwitPic doesn't use this Authentication method ! so How could TwitPic
publish it's name when it updates the status ?
I mean if I use simple Auth method the message will be sent using API
which means Twitter API.
but When I was OAuth the sending method will be my Twitter Client ,
right ?
So how does TwitPic sending method is TwitPic & they don't use Oauth ?


Regards,
Feras Allaou

Josh Roesslein

unread,
Feb 2, 2010, 1:28:57 PM2/2/10
to twitter-deve...@googlegroups.com
They where grandfathered in. Any applications prior to OAuth are still allowed to set the source
via basic auth until June when basic auth is planned to be shutdown. All new applications may only
set the source parameter via OAuth.

Lukas Müller

unread,
Feb 2, 2010, 12:45:53 PM2/2/10
to twitter-deve...@googlegroups.com
Only old apps can do this. New apps cannot use it.

Pedro Junior

unread,
Feb 2, 2010, 9:41:18 PM2/2/10
to twitter-development-talk
Seesmic Look is old?

-
Pedro Junior


2010/2/2 Lukas Müller <webm...@muellerlukas.de>

Dewald Pretorius

unread,
Feb 2, 2010, 10:18:22 PM2/2/10
to Twitter Development Talk
At first I thought they must have changed the old Seesmic source to
Seesmic Look.

But no.

Here's a recent tweet from Seesmic:
http://twitter.com/CathyBrooks/status/8570217879

And here's a recent one from Seesmic Look:
http://twitter.com/adamse/status/8565271563

Seesmic Look uses Basic Auth.

Does anyone else spot Mt Everest on this level playing field of ours?

On Feb 2, 10:41 pm, Pedro Junior <v.ju.ni.o...@gmail.com> wrote:
> *Seesmic Look is old?
> *
> -
> Pedro Junior
>
> 2010/2/2 Lukas Müller <webmas...@muellerlukas.de>

Dewald Pretorius

unread,
Feb 2, 2010, 11:09:31 PM2/2/10
to Twitter Development Talk
Raffi,

What's going on here?

Your credibility is at stake here. You've been telling us in many
posts that new apps must use OAuth to get a source attribution, and
only old grandfathered apps have source attribution with Basic Auth.

Raffi Krikorian

unread,
Feb 3, 2010, 2:02:38 PM2/3/10
to twitter-deve...@googlegroups.com
seesmic look, i believe, is using oauth talking to api.twitter.com.
--
Raffi Krikorian
Twitter Platform Team
http://twitter.com/raffi

Dewald Pretorius

unread,
Feb 3, 2010, 2:43:40 PM2/3/10
to Twitter Development Talk
Raffi,

Have you tried it? There is no OAuth flow. I.e., the user types in his
Twitter username and password. That's it.

If it is indeed using OAuth, does that mean that the background
requesting of tokens when you have the Twitter credentials is now
available? Meaning, I can also now use it to convert all existing
Twitter accounts to OAuth in one fell swoop?

Raffi Krikorian

unread,
Feb 3, 2010, 2:49:42 PM2/3/10
to twitter-deve...@googlegroups.com
it will be available publicly soon!

Dewald Pretorius

unread,
Feb 3, 2010, 3:40:35 PM2/3/10
to Twitter Development Talk
Thanks!

I installed Seesmic Look, but never thought of checking the
Connections tab in Twitter.

Crow does not taste all that bad with a thick layer of mustard and
spices.

Ted Nyman

unread,
Feb 3, 2010, 2:52:22 PM2/3/10
to twitter-deve...@googlegroups.com
That is definitely good news, thanks for the update.

-Ted

On Wed, Feb 3, 2010 at 11:49 AM, Raffi Krikorian <ra...@twitter.com> wrote:
it will be available publicly soon!


On Wed, Feb 3, 2010 at 11:43 AM, Dewald Pretorius <dpr...@gmail.com> wrote:
Raffi,

Have you tried it? There is no OAuth flow. I.e., the user types in his
Twitter username and password. That's it.

If it is indeed using OAuth, does that mean that the background
requesting of tokens when you have the Twitter credentials is now
available? Meaning, I can also now use it to convert all existing
Twitter accounts to OAuth in one fell swoop?

On Feb 3, 3:02 pm, Raffi Krikorian <ra...@twitter.com> wrote:
> seesmic look, i believe, is using oauth talking to api.twitter.com.
>
>



Cameron Kaiser

unread,
Feb 3, 2010, 4:58:14 PM2/3/10
to twitter-deve...@googlegroups.com
> > If it is indeed using OAuth, does that mean that the background
> > requesting of tokens when you have the Twitter credentials is now
> > available? Meaning, I can also now use it to convert all existing
> > Twitter accounts to OAuth in one fell swoop?
>
> it will be available publicly soon!

Excellent!

--
------------------------------------ personal: http://www.cameronkaiser.com/ --
Cameron Kaiser * Floodgap Systems * www.floodgap.com * cka...@floodgap.com
-- Two rules for ultimate life satisfaction: 1) Don't tell people everything. -

Nik Fletcher

unread,
Feb 4, 2010, 10:09:51 AM2/4/10
to Twitter Development Talk
Hi Raffi

This is great news. We're currently using OAuth in Socialite on OS X
[and I believe we're one of the few OAuth apps out there on the Mac].
How will the migration process go for existing desktop apps that are
using OAuth and want to switch to this far better implementation?

Thanks

Nik

--
Nik Fletcher
Support & QA Manager, Realmac Software

Raffi Krikorian

unread,
Feb 4, 2010, 12:19:59 PM2/4/10
to twitter-deve...@googlegroups.com
hi nik.

i'm not entirely certain yet.  i'm working on a blog post that will hopefully outline what our plans with oauth is moving forward -- being sick just threw a damper in getting it out :P

Zac Bowling

unread,
Feb 4, 2010, 3:21:53 PM2/4/10
to twitter-deve...@googlegroups.com
Yes, what magic is this?

I'm confused. It takes username and password but then uses OAuth?

I wonder if they are injecting the username/password into the OAuth form on the page.

Twitter should really randomize that page or require captcha or something.

Zac Bowling

Dewald Pretorius

unread,
Feb 4, 2010, 5:24:40 PM2/4/10
to Twitter Development Talk
Zach,

There's a soon to be published API method where you can silently get
the OAuth tokens when you have the account's Twitter username and
password, meaning the user does not experience any of the normal OAuth
flow.

I presume that Seesmic just got early access to that method.

So, in this case, user-to-app requires Basic Auth credentials, but app-
to-Twitter uses OAuth once the app has obtained the tokens with the
new method.

Abraham Williams

unread,
Feb 4, 2010, 5:35:50 PM2/4/10
to twitter-deve...@googlegroups.com
I poked around Seesmic Look a little and this is what I found: http://the.hackerconundrum.com/2010/02/sneak-peek-at-twitters-browserless.html

Abraham
--
Abraham Williams | Community Advocate | http://abrah.am
Project | Out Loud | http://outloud.labs.poseurtech.com
This email is: [ ] shareable [x] ask first [ ] private.
Sent from Seattle, WA, United States

Dewald Pretorius

unread,
Feb 4, 2010, 5:44:39 PM2/4/10
to Twitter Development Talk
Interesting, Abraham.

Don't we ever need OAuth Wrap, otherwise that x-auth-password will be
sent in clear text, kind of making a mockery of the whole OAuth thing.

On Feb 4, 6:35 pm, Abraham Williams <4bra...@gmail.com> wrote:
> I poked around Seesmic Look a little and this is what I found:http://the.hackerconundrum.com/2010/02/sneak-peek-at-twitters-browser...

Abraham Williams

unread,
Feb 4, 2010, 6:23:25 PM2/4/10
to twitter-deve...@googlegroups.com
I would imagine that Twitter will require SSL for xAuth calls.

Abraham

Raffi Krikorian

unread,
Feb 4, 2010, 6:26:58 PM2/4/10
to twitter-deve...@googlegroups.com
totally.

Greg

unread,
Feb 4, 2010, 6:41:24 PM2/4/10
to Twitter Development Talk
However - will we ever see the ability for 3rd party applications to
talk to eachother using oAuth tokens? For example a custom twitter
oAuth application using TwitPic to publish photos?

Sean Callahan

unread,
Feb 4, 2010, 7:01:11 PM2/4/10
to Twitter Development Talk
TweetPhoto offers an OAuth solution for uploading photos.

Please check out the link below and let me know if you have any
questions.

http://groups.google.com/group/tweetphoto/web/oauth-signin

Thanks!

Sean

Raffi Krikorian

unread,
Feb 4, 2010, 9:33:21 PM2/4/10
to twitter-deve...@googlegroups.com
i'll be posting our proposal for "oauth delegation" soon as a RFC.

Pedro Junior

unread,
Feb 4, 2010, 10:37:58 AM2/4/10
to twitter-deve...@googlegroups.com
Great news!
Thanks!

-
Pedro Junior


2010/2/4 Nik Fletcher <nik.fl...@gmail.com>

isaiah

unread,
Feb 4, 2010, 11:57:42 AM2/4/10
to Twitter Development Talk

Oh wow, oh wow, oh wow!

isaiah

unread,
Feb 4, 2010, 12:05:56 PM2/4/10
to Twitter Development Talk
oh wow!
how do i get in on this sweet UX goodness?

is there a form for submitting bribes or is it in-person only?

isaiah

On Feb 3, 11:49 am, Raffi Krikorian <ra...@twitter.com> wrote:

BJ Weschke

unread,
Feb 4, 2010, 3:23:25 PM2/4/10
to twitter-deve...@googlegroups.com
They do. They already generate a form authenticity token that you have
to submit back with the other relevant form data in order for your
submission to be authentic.

Zac Bowling wrote:
> Yes, what magic is this?
>
> I'm confused. It takes username and password but then uses OAuth?
>
> I wonder if they are injecting the username/password into the OAuth
> form on the page.
>
> Twitter should really randomize that page or require captcha or
> something.
>
> Zac Bowling
>
>
>
> On Wed, Feb 3, 2010 at 11:43 AM, Dewald Pretorius <dpr...@gmail.com
> <mailto:dpr...@gmail.com>> wrote:
>
> Raffi,
>
> Have you tried it? There is no OAuth flow. I.e., the user types in his
> Twitter username and password. That's it.
>
> If it is indeed using OAuth, does that mean that the background
> requesting of tokens when you have the Twitter credentials is now
> available? Meaning, I can also now use it to convert all existing
> Twitter accounts to OAuth in one fell swoop?
>
> On Feb 3, 3:02 pm, Raffi Krikorian <ra...@twitter.com

> <mailto:ra...@twitter.com>> wrote:
> > seesmic look, i believe, is using oauth talking to

> api.twitter.com <http://api.twitter.com>.


> >
> >
> >
> > On Tue, Feb 2, 2010 at 8:09 PM, Dewald Pretorius
> <dpr...@gmail.com <mailto:dpr...@gmail.com>> wrote:
> > > Raffi,
> >
> > > What's going on here?
> >
> > > Your credibility is at stake here. You've been telling us in many
> > > posts that new apps must use OAuth to get a source
> attribution, and
> > > only old grandfathered apps have source attribution with Basic
> Auth.
> >
> > > On Feb 2, 11:18 pm, Dewald Pretorius <dpr...@gmail.com

> <mailto:dpr...@gmail.com>> wrote:
> > > > At first I thought they must have changed the old Seesmic
> source to
> > > > Seesmic Look.
> >
> > > > But no.
> >
> > > > Here's a recent tweet from Seesmic:
> > >http://twitter.com/CathyBrooks/status/8570217879
> >
> > > > And here's a recent one from Seesmic Look:
> > >http://twitter.com/adamse/status/8565271563
> >
> > > > Seesmic Look uses Basic Auth.
> >
> > > > Does anyone else spot Mt Everest on this level playing field
> of ours?
> >
> > > > On Feb 2, 10:41 pm, Pedro Junior <v.ju.ni.o...@gmail.com

> <mailto:v.ju.ni.o...@gmail.com>> wrote:
> >
> > > > > *Seesmic Look is old?
> > > > > *
> > > > > -
> > > > > Pedro Junior
> >

> > > > > 2010/2/2 Lukas M�ller <webmas...@muellerlukas.de
> <mailto:webmas...@muellerlukas.de>>


> >
> > > > > > Only old apps can do this. New apps cannot use it.
> >
> > --
> > Raffi Krikorian
> > Twitter Platform Teamhttp://twitter.com/raffi

> <http://twitter.com/raffi>
>
>

Michael Steuer

unread,
Feb 5, 2010, 12:07:36 AM2/5/10
to twitter-deve...@googlegroups.com, twitter-deve...@googlegroups.com
That's awesome. Please let us know when you do!

Michael. 


Nik Fletcher

unread,
Feb 5, 2010, 4:35:10 AM2/5/10
to Twitter Development Talk
Hi Raffi

No worries - hope you're feeling better soon! If we can be of any help
with getting this out the door, please let me know!

Cheers

-N

--
twitter.com/nikf

Aral Balkan

unread,
Feb 5, 2010, 6:46:31 AM2/5/10
to Twitter Development Talk
This is awesome news. Kudos to your pragmatic approach with xAuth and
looking forward to your recursive delegation plans. Blogged it here:
http://aralbalkan.com/3057

I hope the UX community supports Twitter in this.

Aral

raffi

unread,
Feb 9, 2010, 6:08:14 PM2/9/10
to Twitter Development Talk
hi - i'm still a bit behind, but i've posted a sample workflow of how
identity delegation may work in oauth - this is definitely a RFC, so
please feel free to comment.

http://mehack.com/a-proposal-for-delegation-in-oauth-identity-v

Jesse Stay

unread,
Feb 10, 2010, 2:26:29 AM2/10/10
to twitter-deve...@googlegroups.com
So am I understanding this correctly that this means TwitPic won't have to ask for the user's Twitter username and Password any more and will instead be able to use OAuth and still provide an API to their users?  I'm trying to figure out if this is encouraging the use of the username and password or discouraging it.

Raffi Krikorian

unread,
Feb 10, 2010, 11:41:59 AM2/10/10
to twitter-deve...@googlegroups.com
twitpic will not have to ask for usernames and passwords anymore, nor will users have to actually authorize twitpic (as twitpic is not doing anything on their behalf -- it is just confirming their identity).

i think this is a "good thing".
Reply all
Reply to author
Forward
0 new messages