OAuth newbie question

1 view
Skip to first unread message

IDOLpeeps

unread,
Mar 6, 2010, 4:06:32 PM3/6/10
to Twitter Development Talk
What do you do once you get the oauth_token and oauth_token_secret?

Do the token and secret get passed along with the rest of the API call
as posted parameters?

Can someone please provide an example of how to form a CURL request in
php using the token and secret? I can not find documentation anywhere
that explicitly explains what to do once the token and secret are
obtained. All the documentation I can find provides for use for
somebody else's php wrapper. I don't want to use a third party
wrapper.

Thank you.

Raffi Krikorian

unread,
Mar 6, 2010, 5:43:16 PM3/6/10
to twitter-deve...@googlegroups.com
i'm not fluent enough in PHP to provide guidance, however, i must ask, what's the aversion to using a 3rd party wrapper?  

there are nuances involved in oauth signature generation (search this forum looking for signature base strings, problems with quotes, etc.), and why not save yourself that pain, accelerate yourself over that learning curve, and use a library that is tried in true?
--
Raffi Krikorian
Twitter Platform Team
http://twitter.com/raffi

IDOLpeeps

unread,
Mar 6, 2010, 5:55:56 PM3/6/10
to Twitter Development Talk
I've overcome the nuances of generating the oauth signature. It
shocks me that the API documentation provides no clear indication of
how to send the tokens along with an API call. It's not even a PHP-
specific question. Simply put: Where do the "oauth_token" and
"oauth_token_secret" get embedded in API call: As posted parameters?
If so, with what parameter names? Can anybody provide guidance? I
have seen many people ask this question, yet see no answer.

As far as why one would want to use their own library vs. somebody
else's, that's a question for the ages. One specific answer is that
many of us have created our own application-specific libraries that
accommodate traditional http authentication and we'd like to keep our
libraries when we add Oauth. To do so, it's best to have an answer to
this question.

Thank you.

Raffi Krikorian

unread,
Mar 6, 2010, 6:07:02 PM3/6/10
to twitter-deve...@googlegroups.com
i suggest reading http://oauth.net/core/1.0a/ and looking at http://hueniverse.com/oauth/ for OAuth guidance.

Ryan Alford

unread,
Mar 6, 2010, 6:07:33 PM3/6/10
to twitter-deve...@googlegroups.com
The token is a posted parameter.  The secret is part of the key for the signature.

Ryan

Taylor Singletary

unread,
Mar 7, 2010, 6:53:05 PM3/7/10
to Twitter Development Talk
A lot of people have found my presentation on OAuth useful when trying
to learn the ins and outs of the entire request cycle with an OAuth-
protected API: http://bit.ly/oauth-zero-to-hero

When accessing a protected resource with OAuth, the oauth_token and
oauth_token_secret you receive become your "access token". You include
oauth_token as an OAuth parameter in your signature base string and
authorization header, and then sign your entire OAuth request with a
composite signing secret:

{url_escaped(consumer_secret)}&{url_escaped(oauth_token_secret)}

Taylor

IDOLpeeps

unread,
Mar 13, 2010, 7:30:27 PM3/13/10
to Twitter Development Talk
Thank you so much Taylor. Can you believe that nowhere in the Twitter
API documentation can I find this crucial, yet very simple
instruction. There are ample pointers to explanations of how to get
OAuth token, but absolutely no instructions I can find for what to do
once you obtain the token key and secret.

I tried very permutation of posting them along with the twitter REST
calls, but the one you suggested of posting the secrets as parameters
without values. This single line instruction needs to be added to the
Twitter API documentation.

BTW: The php equivalent of url_escaped ()is urlencode().

Thanks much.

On Mar 7, 6:53 pm, Taylor Singletary <taylorsinglet...@twitter.com>
wrote:

Reply all
Reply to author
Forward
0 new messages